North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Secure BGP (Was: YouTube IP Hijacking)

  • From: Jeroen Massar
  • Date: Mon Feb 25 06:24:26 2008
  • Openpgp: id=333E7C23

[email protected] wrote:
Pushing this task off to a server that does not have packet-forwarding
duties also allows for flexible interfaces to network management
systems including the possibility of asking for human confirmation
before announcing a new route.

There is no (direct) requirement for most of these solutions to do it in the router that forwards actual packets, just add a special BGP box for this. This box then 'verifies' if the update looks OK. When the update looks fishy, it can either, depending on what you want either notify your favourite $nocmonkey to look at it and/or at least instruct the real routers to not use that path.

You can take (S-)BGP(-S) for verification, but you can also use IRR data or whatever source you have for stating 'this prefix from there over this path is trusted', compare against that and voila, you got a report when the assumed vectors don't match and you can at least react to them.

These kind of systems already exist, see previous emails, but clearly not too many actually make use of them, now that is too bad for your customers who couldn't see their lolcats or worse who couldn't reach their stock house for quickly selling their shares before that company went down the drain completely...


Attachment: signature.asc
Description: OpenPGP digital signature