nanog mailing list archives

Re: soBGP deployment


From: Jeroen Massar <jeroen () unfix org>
Date: Sat, 21 May 2005 22:37:13 +0200

On Sat, 2005-05-21 at 16:03 -0400, Steven M. Bellovin wrote:

<SNIP>

Let me add a word about cut-and-paste attacks.  A signed origin 
statement asserts that some AS owns some prefix.  That statement will 
be readily available.  A nefarious site could cut that statement from 
some actual BGP session and prepend it to its own path announcement.  
That would add a hop, but many ASs will still prefer it and route 
towards the apparent owner through the nefarious site.  The nefarious 
site wouldn't forward such packets, of course; it would treat the 
packets as its own.

At least in that case you can quite easily identify the culprit when one
finds out who it is, as the AS the path is going over is really the
culprit announcing it. And as one can identify the culprit one can
easily exclude this culprit from ever doing any business with you again,
which is also a great thing for protection against spamruns, announcing
some prefix for a few moments, spamming and removing it again as they
will have to get a new ASN to do it from. ASNBL anyone? :)
Of course one can also nicely blacklist the ASNs who allow those
hostile ASNs to be connected and so on.

IMHO s(o)BGP is a good step forward and I hope that it will get
deployed, the sooner the better.

Greets,
 Jeroen
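
Added example, not part of the original message or of any soBGP code: a small Python model of the two points in this exchange, namely that a signed origin statement still verifies when it is copied onto a different path, and that an ASN blacklist ("ASNBL") applied to the AS path rejects the route once the culprit is known. Assumptions: HMAC stands in for the real signature scheme, the ASNs and prefix are documentation values, and the function names and the blacklist are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: documentation ASNs (RFC 5398) and prefix (RFC 5737).
# Assumption: HMAC with a per-AS key stands in for the public-key signature a
# real deployment would use, so the example runs offline.
ORIGIN_KEYS = {64496: b"constructed-key-for-AS64496"}
PREFIX = "192.0.2.0/24"

def _mac(asn, prefix):
    return hmac.new(ORIGIN_KEYS[asn], f"{asn}|{prefix}".encode(), hashlib.sha256).hexdigest()

def sign_origin(asn, prefix):
    """Origin statement 'AS <asn> owns <prefix>'; it covers no path information."""
    return _mac(asn, prefix)

def origin_valid(route):
    """Verify only what the origin statement covers: last AS in the path and prefix."""
    origin = route["as_path"][-1]
    if origin not in ORIGIN_KEYS:
        return False
    return hmac.compare_digest(_mac(origin, route["prefix"]), route["origin_sig"])

def asnbl_hits(route, asnbl):
    """Return every ASN in the path that appears on the blacklist."""
    return [asn for asn in route["as_path"] if asn in asnbl]

def accept(route, asnbl):
    """Accept a route only if the origin verifies and no path hop is blacklisted."""
    return origin_valid(route) and not asnbl_hits(route, asnbl)

STATEMENT = sign_origin(64496, PREFIX)
# Path as received: leftmost AS is the neighbour, rightmost is the origin.
genuine = {"prefix": PREFIX, "as_path": [64500, 64496], "origin_sig": STATEMENT}
# Same statement copied onto a path through AS64511, which has no link to AS64496.
replayed = {"prefix": PREFIX, "as_path": [64511, 64496], "origin_sig": STATEMENT}
ASNBL = {64511}  # hypothetical blacklist, populated after the culprit is identified

if __name__ == "__main__":
    for name, route in (("genuine", genuine), ("replayed", replayed)):
        print(name, "origin_valid:", origin_valid(route),
              "asnbl_hits:", asnbl_hits(route, ASNBL),
              "accept:", accept(route, ASNBL))
```

The origin check returns the same result for both routes; only the inspection of the path itself separates them, and the blacklisted hop it reports is the AS the replayed path runs over.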
