
List:       firewalls-gc
Subject:    Re: How secure is BGP? was Re: Two ISP's to one DMZ -
From:       Paul Ferguson <pferguso () cisco ! com>
Date:       1997-07-11 8:37:56

At 03:07 AM 07/11/97 -0500, mikech@avana.net wrote:

>All of this discussion of the mechanics of BGP made me think. What if I 
>decided to grab Cisco's block of addresses and announce them as being routed 
>through my ISP with BGP? As long as my ISP's are peering with me, will they 
>accept *any* route update? If I announced the Cisco update to my ISP (let's 
>say MCI), would all of the MCI clients trying to access www.cisco.com come to 
>my web server instead? What would happen with other ISP's? Would they 
>accept this exception route?
>
>Has this happened in the real world?
>

Well, unfortunately yes. At least the part about someone hijacking someone
else's address space and trying to advertise it in the global Internet.

In many cases, it *is* a good idea to configure route filters to
only accept routes which a neighboring AS originates, but as pointed
out, if the neighboring AS originates a bogus route (or set of routes),
then this doesn't help very much. This is why it's generally considered
to be a Good Thing (tm) to configure route filters for each peer so that
you only accept routes for what you know the peer is announcing. Of course,
this is virtually impossible with provider-provider peering, but is indeed
possible, and even encouraged, for provider-customer peering.

Generally, when a duplicate prefix is found to be advertised
elsewhere in the global routing system, the legitimate user
of the prefix will contact the upstream of the rogue and
attempt to have them block the bogus announcement, or something
similar in nature to this scenario. The upstream may be alerted
to the problem by someone else, or may notice it himself, and
may shut down the offender. In any event, it's more of a human
issue and less of a technical one.

Or, you can use the Routing Arbiter or IRR.

Another related option is to use MD5 authentication for BGP
peering. Of course, this doesn't prevent an authenticated peer
from announcing a bogus route to you, but it does protect from
an unauthenticated peer who may attempt to inject bogus routing
data into the routing system.


>Is there any mechanism to prevent this?
>

Someone could hunt you down and break your legs. Of course,
this is punitive, not preventative :-)

- paul

>Mike
>--
>03:07:53
>07/11/97
>_______________________________________________________________________
>Michael W. Chalkley                                Tel: +1.770.772.4567
>ZapNet! Inc.                                       Fax: +1.770.475.7640
>Suite 400-120                                E-mail: mikech@iproute.com
>10945 State Bridge Road                                mikech@avana.net
>Alpharetta, GA 30202                             http://www.iproute.com
>


--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s
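
The two inbound filtering policies contrasted in the reply above, as an added example that is not part of the original message: accepting anything the neighboring AS originates versus accepting only the prefixes you know that customer announces. The AS numbers, prefixes, maximum-length rule and function names are constructed for illustration (documentation address space and private-use ASNs).

```python
import ipaddress

CUSTOMER_AS = 64501  # constructed private-use ASN for the customer peer

# Assumed provider-side record of what each customer may announce:
# peer AS -> list of (allocated prefix, longest prefix length accepted).
CUSTOMER_PREFIXES = {CUSTOMER_AS: [("192.0.2.0/24", 24)]}

# Constructed announcements received on the customer session.
# Each entry is (prefix, AS path); the origin AS is the last element.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64501]),            # the customer's own block
    ("198.51.100.0/24", [64501]),         # someone else's block, originated by the customer
    ("192.0.2.128/25", [64501]),          # more specific than the agreed length
    ("203.0.113.0/24", [64501, 64999]),   # route the customer did not originate
]


def origin_only_filter(peer_as, prefix, as_path):
    """Accept any route whose origin is the neighboring AS itself."""
    return bool(as_path) and as_path[-1] == peer_as


def prefix_filter(peer_as, prefix, as_path, table=CUSTOMER_PREFIXES):
    """Accept only prefixes recorded for this peer, up to the agreed length."""
    net = ipaddress.ip_network(prefix)
    for allowed, max_len in table.get(peer_as, []):
        parent = ipaddress.ip_network(allowed)
        if (net.version == parent.version
                and net.subnet_of(parent)
                and net.prefixlen <= max_len):
            return True
    return False


def evaluate(peer_as=CUSTOMER_AS, announcements=ANNOUNCEMENTS):
    """Return (prefix, origin-only verdict, per-peer prefix verdict) per route."""
    return [
        (prefix,
         origin_only_filter(peer_as, prefix, path),
         prefix_filter(peer_as, prefix, path))
        for prefix, path in announcements
    ]


if __name__ == "__main__":
    for prefix, by_origin, by_prefix in evaluate():
        print(f"{prefix:18} origin-only={by_origin!s:5} per-peer-prefix={by_prefix}")
```

The second announcement is the case raised in the question: it passes the origin-only policy because the customer AS really is the origin, and only the per-peer prefix list rejects it.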
