List: firewalls-gc
Subject: Re: How secure is BGP? was Re: Two ISP's to one DMZ -
From: Rusty Zickefoose <rusty () mci ! net>
Date: 1997-07-11 14:03:47
mikech@avana.net said:
> All of this discussion of the mechanics of BGP made me think. What if
> I decided to grab Cisco's block of addresses and announce them as
> being routed through my ISP with BGP? As long as my ISP's are peering
> with me, will they accept *any* route update?
This is the "gory details" part. A proper BGP peering session should
have access filters on both neighbors. The filters, or access lists in
Cisco parlance, can be based on either IP address/mask or AS path. The
downstream should filter his outbound traffic to announce only the
traffic originating on or specifically permitted to transit his
network. The upstream should filter on the same basis. The major
fault is that the filters are at the "edge" systems. Backbone, or tier
1, providers, by default, permit almost any traffic to transit once it's
in the network; this also means that any problem is (hopefully) quickly
noticed and corrected.
mikech@avana.net said:
> If I announced the Cisco update to my ISP (let's say MCI), would all
> of the MCI clients trying to access www.cisco.com come to my web
> server instead? What would happen with other ISP's? Would they
> accept this exception route?
We refer to this as "black holing the traffic".
mikech@avana.net said:
> Has this happened in the real world?
Yes, and not too long ago.
mikech@avana.net said:
> Is there any mechanism to prevent this?
Proper implementation of the above filters would prevent most of the
problems, but accidents happen.
mhorn@funb.com said:
> How is anyone to know whether I'm advertising a netblock allocated to
> me by MCI, or stolen out of the middle of one of MCI's CIDR's (for
> example)?
You would be unable to get any return traffic from the affected
networks, so all TCP connections through that network would fail.
You'd contact your provider about the routing problem.
Troubleshooting, then perpetrator shooting, would follow shortly
thereafter. 8-).
mhorn@funb.com said:
> How can I prevent someone else from advertising a more specific route
> than we're advertising?
If somebody wants to do something bad enough, they'll do it.
-- Rusty
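An added example, not part of the thread and not any vendor's code: a Python model of the per-neighbor filters Rusty describes, an AS-path check plus a prefix-list check applied by an upstream to one customer session, followed by a longest-match lookup that shows why an unfiltered more-specific announcement black-holes traffic (the case both mikech and mhorn ask about). All AS numbers, prefixes (documentation ranges), link names and announcements are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: models the kind of inbound filter an upstream
# applies on a customer BGP session. Not a real router's configuration.

@dataclass(frozen=True)
class Announcement:
    prefix: str       # CIDR text, e.g. "192.0.2.0/24"
    as_path: tuple    # leftmost = AS that sent it to us, rightmost = origin AS

@dataclass(frozen=True)
class PrefixRule:
    network: str      # block the customer is permitted to announce
    le: int           # most specific prefix length accepted inside that block

class CustomerFilter:
    """Inbound policy for one customer session: AS-path check, then prefix check."""

    def __init__(self, customer_asn, rules):
        self.customer_asn = customer_asn
        self.rules = [(ipaddress.ip_network(r.network), r.le) for r in rules]

    def evaluate(self, ann):
        net = ipaddress.ip_network(ann.prefix)
        # AS-path filter: the route must come from the customer's own AS and
        # originate there; third-party origins are not permitted on this session.
        if not ann.as_path or ann.as_path[0] != self.customer_asn:
            return False, "neighbor AS mismatch"
        if ann.as_path[-1] != self.customer_asn:
            return False, "origin AS %d not permitted on this session" % ann.as_path[-1]
        # Prefix filter: the prefix must sit inside an allocated block and must
        # not be more specific than that block's permitted length.
        for block, le in self.rules:
            if net.version == block.version and net.subnet_of(block):
                if net.prefixlen <= le:
                    return True, "within %s" % block
                return False, "more specific than /%d allowed inside %s" % (le, block)
        return False, "prefix not allocated to this customer"

def accept_announcements(flt, anns):
    """Run every announcement through the filter: {prefix: (accepted, reason)}."""
    return {a.prefix: flt.evaluate(a) for a in anns}

def longest_match(routes, dst):
    """Forwarding lookup: the most specific installed prefix covering dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def build_table(base_routes, customer_link, anns, flt=None):
    """Routing table after learning the customer's announcements.
    flt=None models a session with no inbound filter at all."""
    table = dict(base_routes)
    for a in anns:
        if flt is None or flt.evaluate(a)[0]:
            table[a.prefix] = customer_link
    return table

# Constructed scenario: AS 64500 is the customer. AS 64496 legitimately
# originates 198.51.100.0/24, reached through the upstream's other peer.
CUSTOMER = CustomerFilter(64500, [PrefixRule("192.0.2.0/24", 24),
                                  PrefixRule("203.0.113.0/24", 26)])
BASE_ROUTES = {"198.51.100.0/24": "peer-link"}
CUSTOMER_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", (64500,)),           # own block: permitted
    Announcement("203.0.113.0/25", (64500,)),         # allowed more-specific: permitted
    Announcement("203.0.113.0/28", (64500,)),         # beyond /26: denied
    Announcement("198.51.100.0/25", (64500,)),        # someone else's block, more specific: denied
    Announcement("198.51.100.0/24", (64500, 64496)),  # claims to transit the real origin: denied
]

def demo(dst="198.51.100.10"):
    """Return the filter decisions and where traffic to dst goes with and without the filter."""
    decisions = accept_announcements(CUSTOMER, CUSTOMER_ANNOUNCEMENTS)
    unfiltered = build_table(BASE_ROUTES, "customer-link", CUSTOMER_ANNOUNCEMENTS)
    filtered = build_table(BASE_ROUTES, "customer-link", CUSTOMER_ANNOUNCEMENTS, CUSTOMER)
    return decisions, longest_match(unfiltered, dst), longest_match(filtered, dst)

if __name__ == "__main__":
    decisions, without, with_filter = demo()
    for prefix, (ok, why) in decisions.items():
        print("%-18s %s  (%s)" % (prefix, "permit" if ok else "deny", why))
    print("198.51.100.10 without filter ->", without)
    print("198.51.100.10 with filter    ->", with_filter)
```

The point the model makes is the one in the message: the filter lives on the edge session, so it is the upstream's inbound policy on the customer link that decides whether a foreign block, or a more specific slice of it, ever reaches the backbone's routing table. Once an unfiltered /25 is installed, longest-match forwarding sends the traffic to the customer link regardless of the legitimate /24.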