[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

"Is BGP safe yet?" test

Baldur Norddahl пиÑ?ал 2020-04-21 02:49:

> My company is in Europe. Lets say an attacker joins the IX in Seattle
> a long way from here and a place we definitely are not present at. We
> do however use Hurricane Electric as transit and they are peering
> freely at Seattle. Everyone there thus sees our prefix with an as path
> length of two. The attacker can originate the prefixes himself and
> that way his fake announcements win at Seattle by having the length 1.
> With RPKI he needs to use our ASN to originate and have his own ASN in
> between to facilitate peering.  Thus the fake path also has the length
> of two. The real announcement wins by virtue of being the oldest
> announcement and the attack fails.
> The situation is even worse for the attacker if he needs an IP transit
> company to pick up the fake announcement. We have Telia, which filters
> invalids, and if the attacker tries to get his fake prefix picked up
> by them, his path will end up being one longer than ours, so he can
> never succeed.
> There are of course plenty of situations where the attack still
> succeeds. I am not claiming this is a magical bullet. Just saying it
> might do more than some thinks it will. Definitely better than
> nothing.

I think that for peering sessions regular filters can do their job more 
directly and effectively. But I see that discussion moved away from 
initial topic to general dispute about RPKI usefullness. The initial 
topic though initially was about public web page that claimes your 
network secure or insecure based on evaluation of only one technology 
checking one particular specially crafted prefix.

Kind regards,