[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

"Is BGP safe yet?" test

On Mon, Apr 20, 2020 at 9:09 PM Randy Bush <randy at psg.com> wrote:

> but it provides almost zero protection against malicious attack.  the
> attacker merely has to prepend (in the formal, not cisco display) the
> 'correct' origin AS to their malicious announcement.
Yes but that makes the hijacked AS path length at least 1 longer which
makes it less likely that it can win over the true announcement. It is
definitely better than nothing.

Also AS number filtering might be more prevalent than prefix filtering. If
I know which origin ASNs I can accept from a peer and filter on that, then
RPKI will prevent them from faking protected prefixes.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200420/31de3551/attachment.html>