From firewalls-gc Fri Jul 11 08:37:56 1997
From: Paul Ferguson
Date: Fri, 11 Jul 1997 08:37:56 +0000
To: firewalls-gc
Subject: Re: How secure is BGP? was Re: Two ISP's to one DMZ -
X-MARC-Message: https://marc.info/?l=firewalls-gc&m=87619474410506

At 03:07 AM 07/11/97 -0500, mikech@avana.net wrote:

>All of this discussion of the mechanics of BGP made me think. What if I
>decided to grab Cisco's block of addresses and announce them as being routed
>through my ISP with BGP? As long as my ISP's are peering with me, will they
>accept *any* route update? If I announced the Cisco update to my ISP (let's
>say MCI), would all of the MCI clients trying to access www.cisco.com come to
>my web server instead? What would happen on with other ISP's? Would they
>accept this exception route?
>
>Has this happened in the real world?
>

Well, unfortunately yes. At least the part about someone hijacking
someone else's address space and trying to advertise it in the global
Internet.

In many cases, it *is* a good idea to configure route filters to only
accept routes which a neighboring AS originates, but as pointed out,
if the neighboring AS originates a bogus route (or set of routes),
then this doesn't help very much. This is why it's generally
considered to be a Good Thing (tm) to configure route filters for
each peer so that you only accept routes for what you know the peer
is announcing. Of course, this is virtually impossible with
provider-provider peering, but is indeed possible, and even
encouraged, for provider-customer peering.

Generally, when a duplicate prefix is found to be advertised elsewhere
in the global routing system, the legitimate user of the prefix will
contact the upstream of the rogue and attempt to have them block the
bogus announcement, or something similar in nature to this scenario.
The upstream may be alerted to the problem by someone else, or may
notice it himself, and may shut down the offender.

In any event, it's more of a human issue and less of a technical one.

Or, you can use the Routing Arbiter or IRR.

Another related option is to use MD5 authentication for BGP peering.
Of course, this doesn't prevent an authenticated peer from announcing
a bogus route to you, but it does protect from an unauthenticated
peer who may attempt to inject bogus routing data into the routing
system.

>Is there any mechanism to prevent this?
>

Someone could hunt you down and break your legs. Of course, this
is punitive, not preventative :-)

- paul

>Mike
>--
>03:07:53
>07/11/97
>_______________________________________________________________________
>Michael W. Chalkley          Tel:    +1.770.772.4567
>ZapNet! Inc.                 Fax:    +1.770.475.7640
>Suite 400-120                E-mail: mikech@iproute.com
>10945 State Bridge Road              mikech@avana.net
>Alpharetta, GA 30202         http://www.iproute.com
>

--
Paul Ferguson                        ||        ||
Consulting Engineering               ||        ||
Herndon, Virginia  USA              ||||      ||||
tel: +1.703.397.5938            ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com      c i s c o S y s t e m s
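
The difference the message above draws between accepting whatever a neighboring AS originates and filtering each customer peer on the prefixes it is known to announce, as an added example that is not part of the original message. The AS numbers, prefixes and function names are constructed for illustration (documentation ranges), and the maximum prefix length check goes one step beyond what the message describes.

```python
import ipaddress

# Constructed sample data: documentation AS numbers and prefixes,
# not values from the message.
CUSTOMER_AS = 64500
# Per-peer filter: prefixes this customer is known to announce, each with
# the longest mask length accepted (assumption: more-specifics are refused).
KNOWN_PREFIXES = {CUSTOMER_AS: [(ipaddress.ip_network("192.0.2.0/24"), 24)]}


def origin_as_filter(peer_as, as_path):
    """Accept any route that the neighboring AS itself originates."""
    return bool(as_path) and as_path[0] == peer_as and as_path[-1] == peer_as


def per_peer_prefix_filter(peer_as, prefix, as_path):
    """Accept only prefixes known to belong to this peer."""
    if not origin_as_filter(peer_as, as_path):
        return False
    net = ipaddress.ip_network(prefix)
    for allowed, max_len in KNOWN_PREFIXES.get(peer_as, []):
        same_family = net.version == allowed.version
        if same_family and net.subnet_of(allowed) and net.prefixlen <= max_len:
            return True
    return False


# Constructed announcements received from the customer: (peer AS, prefix, AS path)
UPDATES = [
    (64500, "192.0.2.0/24", [64500]),            # the customer's own block
    (64500, "198.51.100.0/24", [64500]),         # another party's block, self-originated
    (64500, "192.0.2.128/25", [64500]),          # more-specific than the filter allows
    (64500, "203.0.113.0/24", [64500, 64511]),   # not originated by the peer
]


def evaluate(updates):
    """Return (prefix, origin-filter verdict, per-peer-filter verdict) per update."""
    return [
        (prefix, origin_as_filter(peer, path), per_peer_prefix_filter(peer, prefix, path))
        for peer, prefix, path in updates
    ]


if __name__ == "__main__":
    for prefix, by_origin, by_prefix in evaluate(UPDATES):
        print(f"{prefix:18} origin-AS filter: {by_origin!s:5}  per-peer prefix filter: {by_prefix}")
```

The second announcement is the case the message describes: it passes the origin-AS filter because the neighbor originates it, and only the per-peer prefix filter rejects it.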