ietf-asrg

Re: [Asrg] My Opinion regarding ietf asrg session (it went badly! )

2003-03-21 09:37:22
On Fri, 21 Mar 2003 00:35:15 PST, william(_at_)elan(_dot_)net said:

> All transit providers and large networks employ filtering at the BGP advertisement
> level, and you would only be able to send them routes that you have previously
> told them about and where they were able to confirm you're the owner of
> the IP block.

Ah yes.  Wander over to NANOG and hear the complaints about swamp /24's
being filtered, and 69/8 issues, and... ;)

(For the non-NANOG crew - BGP filtering is something that *should* be done,
and everybody *claims* they do, but I'd estimate that less than 5% of
the routers actually do it right).

For bonus points - did the BGP announcement come in over an MD5-auth'ed
BGP session? (Another fine idea that doesn't work in practice when you need
to have a separate shared-secret for each AS that you're peering with).

> The only way I could see how somebody would advertise a false route is if
> they tell their upstream that they have such and such customer as
> downstream and their upstream is stupid enough not to verify it - at
> some size level upstream would trust its downstream ISP, i.e. if I
AS7007.  How far did THAT propagate?  (for the non-NANOG people, AS7007 was
one of the more famous/spectacular routing meltdowns, where basically ALL
the routes got accidentally misrouted).

This morning's CIDR-Report shows AS701 (UUNET) advertises 1,555 routes. AS7018
(ATT Worldnet) has 1,353. AS1221 (Telstra) has 1,104. I'm willing to bet that
if you could inject a route to one of those, the rest of the net would bite.
And you don't even need to advertise it everywhere - you pick (say) a /20 at an
AS that looks vulnerable, inject a /24 for your spam-net, let the victim route
that /24 internally, the rest of the net never sees anything more than the /20.

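A defender-side illustration of the filtering the thread argues about, added here as an example that is not part of the original message: a toy inbound prefix filter that an upstream could apply to a customer or peer session. It accepts a route only if (a) the origin AS is one the peer has previously registered as part of its customer cone, and (b) the prefix is covered by an authorization for that origin and is no more specific than the authorization's maximum length, so a /24 "punched" into a registered /20 is rejected even when it comes from the right origin. The authorization table, customer-cone map, AS numbers (RFC 5398 range 64496-64511) and prefixes (RFC 2544 benchmarking space 198.18.0.0/20 and RFC 5737 documentation space) are all constructed for the example.

```python
"""Toy inbound BGP prefix filter with customer-cone and max-length checks.

Example code, not from the ietf-asrg thread. Models the two checks the
quoted poster assumes every transit provider performs: the peer may only
announce origins it registered in advance, and only prefixes (and prefix
lengths) that were confirmed as belonging to that origin.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """Who may originate a block, and how far it may be de-aggregated."""
    prefix: ipaddress.IPv4Network
    max_length: int          # longest prefix length allowed under this block
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """One route received on a BGP session."""
    prefix: ipaddress.IPv4Network
    origin_as: int           # last AS in the AS_PATH
    peer_as: int             # neighbour we learned it from


def validate_origin(ann: Announcement, auths: list[Authorization]) -> str:
    """ROA-style check of origin and prefix length against the table."""
    covering = [a for a in auths if ann.prefix.subnet_of(a.prefix)]
    if not covering:
        return "unknown"                     # nothing registered covers it
    for a in covering:
        if a.origin_as == ann.origin_as and ann.prefix.prefixlen <= a.max_length:
            return "valid"
    if any(a.origin_as == ann.origin_as for a in covering):
        return "invalid-length"              # right origin, too specific (e.g. /24 in a /20)
    return "invalid-origin"                  # block belongs to somebody else


def decide(ann: Announcement, auths: list[Authorization],
           cone: dict[int, set[int]]) -> tuple[bool, str]:
    """Accept/reject a route from a customer session with a reason string.

    Policy (constructed): on customer sessions, "unknown" is rejected, because
    the customer was supposed to register every block before announcing it.
    """
    allowed_origins = cone.get(ann.peer_as, set())
    if ann.origin_as not in allowed_origins:
        return False, f"origin AS{ann.origin_as} not in customer cone of AS{ann.peer_as}"
    state = validate_origin(ann, auths)
    if state == "valid":
        return True, "valid"
    return False, state


def filter_session(anns: list[Announcement], auths: list[Authorization],
                   cone: dict[int, set[int]]) -> dict[str, list[str]]:
    """Run the policy over a batch of announcements; return accepted/rejected prefixes."""
    result: dict[str, list[str]] = {"accepted": [], "rejected": []}
    for ann in anns:
        ok, reason = decide(ann, auths, cone)
        key = "accepted" if ok else "rejected"
        result[key].append(f"{ann.prefix} from AS{ann.peer_as} ({reason})")
    return result


# Constructed data: customer AS64496 registered 198.18.0.0/20 as a single /20
# and told us its only downstream is AS64497.
AUTHS = [Authorization(ipaddress.ip_network("198.18.0.0/20"), 20, 64496)]
CONE = {64496: {64496, 64497}}

SAMPLE = [
    Announcement(ipaddress.ip_network("198.18.0.0/20"), 64496, 64496),  # legitimate
    Announcement(ipaddress.ip_network("198.18.5.0/24"), 64496, 64496),  # too specific
    Announcement(ipaddress.ip_network("198.18.5.0/24"), 64511, 64496),  # unregistered origin
    Announcement(ipaddress.ip_network("203.0.113.0/24"), 64497, 64496), # cone ok, block unknown
]

if __name__ == "__main__":
    for bucket, lines in filter_session(SAMPLE, AUTHS, CONE).items():
        print(bucket)
        for line in lines:
            print("  " + line)
```

The `invalid-length` branch is the one that matters for the scenario in this message: an aggregate /20 registered at the upstream does not by itself authorize any /24 inside it, and a filter that only checks "is this prefix inside something the customer owns" would let the more-specific through and, because longest match wins, steer traffic to it.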