nanog mailing list archives

Re: "Is BGP safe yet?" test

From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Mon, 20 Apr 2020 23:59:16 +0200

On Mon, Apr 20, 2020 at 9:09 PM Randy Bush <randy () psg com> wrote:

but it provides almost zero protection against malicious attack.  the
attacker merely has to prepend (in the formal, not cisco display) the
'correct' origin AS to their malicious announcement.

Yes but that makes the hijacked AS path length at least 1 longer which
makes it less likely that it can win over the true announcement. It is
definitely better than nothing.

Also AS number filtering might be more prevalent than prefix filtering. If
I know which origin ASNs I can accept from a peer and filter on that, then
RPKI will prevent them from faking protected prefixes.

Regards,

Baldur

Current thread:

"Is BGP safe yet?" test Andrey Kostin (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
  - Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
  - Re: "Is BGP safe yet?" test Randy Bush (Apr 20)
    - Re: "Is BGP safe yet?" test Amir Herzberg (Apr 20)
    - Re: "Is BGP safe yet?" test Job Snijders (Apr 20)
    - Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 20)
    - Re: "Is BGP safe yet?" test Saku Ytti (Apr 20)
    - Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 20)
    - Re: "Is BGP safe yet?" test Andrey Kostin (Apr 21)
    - Re: "Is BGP safe yet?" test Randy Bush (Apr 21)
    - Re: "Is BGP safe yet?" test Mark Tinka (Apr 21)
    - Re: "Is BGP safe yet?" test Randy Bush (Apr 21)
- Re: "Is BGP safe yet?" test Tom Beecher (Apr 20)
  - Re: "Is BGP safe yet?" test Cummings, Chris (Apr 20)
    - Re: "Is BGP safe yet?" test Tom Beecher (Apr 20)
    - Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)

(Thread continues...)