![nanog logo](/images/nanog-logo.png)
nanog mailing list archives
Re: "Is BGP safe yet?" test
From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Tue, 21 Apr 2020 08:49:20 +0200
tir. 21. apr. 2020 07.38 skrev Saku Ytti <saku () ytti fi>:
On Tue, 21 Apr 2020 at 01:02, Baldur Norddahl <baldur.norddahl () gmail com> wrote:Yes but that makes the hijacked AS path length at least 1 longer whichmakes it less likely that it can win over the true announcement. It is definitely better than nothing. Attacker has no incentive to honor existing AS path, attacker can rewrite it as they wish.
My company is in Europe. Lets say an attacker joins the IX in Seattle a long way from here and a place we definitely are not present at. We do however use Hurricane Electric as transit and they are peering freely at Seattle. Everyone there thus sees our prefix with an as path length of two. The attacker can originate the prefixes himself and that way his fake announcements win at Seattle by having the length 1. With RPKI he needs to use our ASN to originate and have his own ASN in between to facilitate peering. Thus the fake path also has the length of two. The real announcement wins by virtue of being the oldest announcement and the attack fails. The situation is even worse for the attacker if he needs an IP transit company to pick up the fake announcement. We have Telia, which filters invalids, and if the attacker tries to get his fake prefix picked up by them, his path will end up being one longer than ours, so he can never succeed. There are of course plenty of situations where the attack still succeeds. I am not claiming this is a magical bullet. Just saying it might do more than some thinks it will. Definitely better than nothing. Regards Baldur
Current thread:
- "Is BGP safe yet?" test Andrey Kostin (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 20)
- Re: "Is BGP safe yet?" test Amir Herzberg (Apr 20)
- Re: "Is BGP safe yet?" test Job Snijders (Apr 20)
- Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 20)
- Re: "Is BGP safe yet?" test Saku Ytti (Apr 20)
- Re: "Is BGP safe yet?" test Baldur Norddahl (Apr 20)
- Re: "Is BGP safe yet?" test Andrey Kostin (Apr 21)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 21)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 21)
- Re: "Is BGP safe yet?" test Randy Bush (Apr 21)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Cummings, Chris (Apr 20)
- Re: "Is BGP safe yet?" test Tom Beecher (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)
- Re: "Is BGP safe yet?" test Tom Beecher (Apr 20)
- Re: "Is BGP safe yet?" test Mark Tinka (Apr 20)