nanog mailing list archives
Re: "Is BGP safe yet?" test
From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Mon, 20 Apr 2020 23:59:16 +0200
On Mon, Apr 20, 2020 at 9:09 PM Randy Bush <randy () psg com> wrote:
but it provides almost zero protection against malicious attack. the attacker merely has to prepend (in the formal, not cisco display) the 'correct' origin AS to their malicious announcement.
Yes but that makes the hijacked AS path length at least 1 longer which makes it less likely that it can win over the true announcement. It is definitely better than nothing. Also AS number filtering might be more prevalent than prefix filtering. If I know which origin ASNs I can accept from a peer and filter on that, then RPKI will prevent them from faking protected prefixes. Regards, Baldur
Current thread:
- "Is BGP safe yet?" test Andrey Kostin (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 20)
- Re: "Is BGP safe yet?" test Amir Herzberg (Apr 20)
- Re: "Is BGP safe yet?" test Job Snijders (Apr 20)
- Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 20)
- Re: "Is BGP safe yet?" test Saku Ytti (Apr 20)
- Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 20)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 21)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 21)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 21)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 21)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Cummings, Chris (Apr 20)
- Re: "Is BGP safe yet?" test Tom Beecher (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)