List:       firewalls-gc
Subject:    Re: How secure is BGP? was Re: Two ISP's to one DMZ -
From:       "R. Todd Truitt" <ttruitt () cisco ! com>
Date:       1997-07-14 10:13:46

>That said:
>>mikech@avana.net says:
>>>All of this discussion of the mechanics of BGP made me think. What if I
>>>decided to grab Cisco's block of addresses and announce them as being routed
>>>through my ISP with BGP? As long as my ISPs are peering with me, will they
>>>accept *any* route update? If I announced the Cisco update to my ISP (let's
>>>say MCI), would all of the MCI clients trying to access www.cisco.com come to
>>>my web server instead? What would happen with other ISPs? Would they
>>>accept this exception route?
>Only if they are stupid.  Peer relationships between the clue-challenged
>are more likely to propagate bad routes than providers; all major
>providers have aggressive filtering on either as-path & origins,
>ip-addrs being announced, or routing objects (ip-addrs/length + origin
>as).  The smarter providers reconfigure these filters in an automated
>fashion, from databases.
>

Along with aggressive route filtering, route authentication will
become vital in the next few years.

--T
_________________________________________________________________________
R. Todd Truitt                                           ttruitt@cisco.com
Systems Engineer                     Security, Availability and Management
Cisco Systems, Inc.                                           303.220.6164
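
The filtering described in the quoted reply (checks on the as-path and origin, on the announced prefixes, and on routing objects as prefix/length plus origin AS, generated from a database), sketched as an added example that is not part of the original message. The registry text, AS numbers and function names are constructed for illustration and use documentation prefixes and ASNs.

```python
import ipaddress

# Constructed registry data in RPSL "route object" style (documentation prefixes/ASNs).
ROUTE_OBJECTS = """\
route:  192.0.2.0/24
origin: AS64500

route:  198.51.100.0/24
origin: AS64501

route:  203.0.113.0/24
origin: AS64510
"""

def parse_route_objects(text):
    """Return a set of (network, origin_asn) pairs from RPSL-style text."""
    objects, prefix = set(), None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "route":
            prefix = ipaddress.ip_network(value)
        elif key == "origin" and prefix is not None:
            objects.add((prefix, int(value[2:])))  # drop the leading "AS"
            prefix = None
    return objects

def build_customer_filter(objects, customer_asns):
    """Keep only route objects whose origin is an AS this customer may announce."""
    return {(p, o) for p, o in objects if o in customer_asns}

def check_announcement(allowed, peer_asn, prefix, as_path):
    """Check neighbor AS, then exact prefix/length + origin against the filter."""
    net = ipaddress.ip_network(prefix)
    if not as_path or as_path[0] != peer_asn:
        return "reject: first AS in path is not the peer"
    origin = as_path[-1]
    if (net, origin) in allowed:
        return "accept"
    if any(net.overlaps(p) for p, _ in allowed):
        return "reject: prefix length or origin differs from route object"
    return "reject: no route object for this customer"

# Hypothetical customer: peer AS64500 with one downstream, AS64501.
ALLOWED = build_customer_filter(parse_route_objects(ROUTE_OBJECTS), {64500, 64501})

if __name__ == "__main__":
    print(check_announcement(ALLOWED, 64500, "192.0.2.0/24", [64500]))
    print(check_announcement(ALLOWED, 64500, "203.0.113.0/24", [64500]))
```

The second call is the case asked about in the thread: the customer announces a block registered to a different origin AS, and the provider-side filter rejects it.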
