nanog mailing list archives

Re: "Is BGP safe yet?" test


From: Randy Bush <randy () psg com>
Date: Mon, 20 Apr 2020 12:08:47 -0700

From a practical standpoint, this doesn't actually tell the whole truth

indeed.  route origin validation, while a good thing, does not make
bgp safe from attack.  this marketing fantasy is being propagated;
but is BS.

origin validation was designed to reduce the massive number of problems
caused by fat fingered configuration errors by operators.  it will not
even get all of those; but it will greatly improve things.

but it provides almost zero protection against malicious attack.  the
attacker merely has to prepend (in the formal, not cisco display) the
'correct' origin AS to their malicious announcement.

randy
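
An added example (not part of the message above, and not any router's or validator's own code): a minimal RFC 6811 origin-validation check in Python, showing that the verdict depends only on the prefix and the last AS in the path, never on the rest of the path. The VRP table, the function names, and all prefixes and AS numbers are constructed for illustration from documentation ranges.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max length, origin AS).
# Documentation prefixes and AS numbers (RFC 5737, RFC 3849, RFC 5398).
VRPS = [("192.0.2.0/24", 24, 64500), ("2001:db8::/32", 48, 64501)]

def origin_as(as_path):
    """The origin is the last (rightmost) AS in the path; None if empty."""
    return as_path[-1] if as_path else None

def validate_origin(prefix, as_path, vrps=VRPS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        covered = True
        # A covering VRP matches when length and origin agree; AS 0 never matches.
        if route.prefixlen <= max_len and vrp_as != 0 and origin == vrp_as:
            return "valid"
    return "invalid" if covered else "notfound"

# Constructed announcements: (label, prefix, AS path as received, origin last).
SAMPLES = [
    ("legitimate origin",        "192.0.2.0/24",       [64510, 64500]),
    ("mis-origination (typo)",   "192.0.2.0/24",       [64510, 64496]),
    ("path ends in ROA origin",  "192.0.2.0/24",       [64510, 64496, 64500]),
    ("too specific for maxLen",  "2001:db8:1:1::/64",  [64510, 64501]),
    ("no covering VRP",          "203.0.113.0/24",     [64510, 64502]),
]

def run_samples():
    """Return {label: verdict} for every constructed announcement."""
    return {label: validate_origin(p, path) for label, p, path in SAMPLES}

if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:26} {verdict}")
```

The third sample gets the same verdict as the first because origin validation carries no information about whether AS 64496 is actually adjacent to AS 64500; checking that is the job of path validation (BGPsec) and is out of scope for ROV.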

