
List:       firewalls-gc
Subject:    Re: How secure is BGP? was Re: Two ISP's to one DMZ -
From:       Rusty Zickefoose <rusty () mci ! net>
Date:       1997-07-11 14:03:47



mikech@avana.net said:
> All of this discussion of the mechanics of BGP made me think. What if
> I decided to grab Cisco's block of addresses and announce them as
> being routed through my ISP with BGP? As long as my ISP's are peering
> with me, will they accept *any* route update?


	This is the "gory details" part.  A proper BGP peering session should 
have access filters on both neighbors.  The filters, or access lists in 
Cisco parlance, can be based on either IP address/mask or AS path.  The 
downstream should filter his outbound traffic to announce only the 
traffic originating on or specifically permitted to transit his 
network.  The upstream should filter on the same basis.  The major 
fault is that the filters are at the "edge" systems.  Backbone, or tier 
1, providers, by default, permit almost any traffic to transit once it's 
in the network; this also means that any problem is (hopefully) quickly 
noticed and corrected.


mikech@avana.net said:
> If I announced the Cisco update to my ISP (let's  say MCI), would all
> of the MCI clients trying to access www.cisco.com come to  my web
> server instead? What would happen on with other ISP's? Would they
> accept this exception route?

	We refer to this as "black holing the traffic".


mikech@avana.net said:
> Has this happened in the real world? 

Yes, and not too long ago.

mikech@avana.net said:
> Is there any mechanism to prevent this?

	Proper implementation of the above filters would prevent most of the 
problems, but accidents happen.


mhorn@funb.com said:
> How is anyone to know whether I'm advertising a netblock allocated to
> me by MCI, or stolen out of the middle of one of MCI's CIDR's (for
> example)?

You would be unable to get any return traffic from the affected 
networks, so all TCP connections through that network would fail.  
You'd contact your provider about the routing problem.  
Troubleshooting, then perpetrator shooting, would follow shortly 
thereafter.  8-).

mhorn@funb.com said:
> How can I prevent someone else from advertising a more specific route
> than we're advertising? 

	If somebody wants to do something bad enough, they'll do it.

-- Rusty
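The edge filtering Rusty describes, as an added example that is not part of the original thread: a small Python model of an upstream's inbound filter on a customer session, accepting only prefixes that fall inside the customer's allocation, originate from the customer's AS, and are no longer than a configured maximum. The prefixes (RFC 5737 ranges) and AS numbers (private range) are constructed placeholders.

```python
"""Model of an upstream's per-neighbor BGP prefix/AS-path filter.
Added example with constructed data; not code from the mailing list."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str                  # e.g. "192.0.2.0/24"
    as_path: Tuple[int, ...]     # leftmost = neighbor, rightmost = origin AS


@dataclass(frozen=True)
class Policy:
    allocated: Tuple[str, ...]   # blocks the customer is allowed to originate
    customer_as: int             # the customer's AS number
    max_len: int = 24            # longest prefix accepted from this customer


def accept(ann: Announcement, pol: Policy) -> Tuple[bool, str]:
    """Return (accepted, reason) for one announcement from the customer."""
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # Reject overly specific routes, which would win over an aggregate.
    if net.prefixlen > pol.max_len:
        return False, "prefix longer than max allowed"
    # AS-path check: the route must originate in the customer's own AS.
    if not ann.as_path or ann.as_path[-1] != pol.customer_as:
        return False, "origin AS is not the customer's"
    # Address/mask check: the prefix must sit inside an allocated block.
    for block in pol.allocated:
        alloc = ipaddress.ip_network(block, strict=True)
        if net.version == alloc.version and net.subnet_of(alloc):
            return True, "within allocation"
    return False, "prefix not allocated to this customer"


def accepted_prefixes(anns, pol: Policy):
    """Apply the policy to a batch and return the prefixes that pass."""
    return [a.prefix for a in anns if accept(a, pol)[0]]


# Constructed session: customer AS 64512 holds 192.0.2.0/24 (hypothetical).
CUSTOMER = Policy(allocated=("192.0.2.0/24",), customer_as=64512)
SAMPLE = [
    Announcement("192.0.2.0/24", (64512,)),          # legitimate
    Announcement("198.51.100.0/24", (64512,)),       # somebody else's block
    Announcement("192.0.2.0/25", (64512,)),          # too specific
    Announcement("192.0.2.0/24", (64512, 64513)),    # origin AS mismatch
]
```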

