
On Tue, Jun 6, 2017 at 2:25 AM, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:

(I think this is really Ron and Bill chatting, but some of the linkage got lost on the tubes)

I've read article after article after article bemoaning the fact that "BGP isn't secure",

They're talking about a different problem: ISPs are supposed to configure end-user BGP sessions per BCP38 which limits which BGP announcements the customer can make. Some ISPs are sloppy and incompetent and don't do this.

Unfortunately, once you're a level or two upstream the backbone ISP actually can't do much to limit the BGP announcements because it's often impractical to determine whether a block of IP addresses can legitimately be announced from a given peer.

Just a clarifying note: I don't think BCP38 talks about BGP at all, actually... I think Bill is actually saying: "ISPs are supposed to configure BCP38 to filter TRAFFIC from their customers/peers and BGP filters to limit the scope of the customer routes sent/received". I don't think the filtering of customer prefixes/announcements is actually covered in a BCP though.
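
The distinction drawn in the last reply, between filtering traffic by source address and filtering the routes a customer announces over BGP, shown as two separate checks. This is an added example, not part of the original thread; the customer prefixes (documentation ranges) and the maximum-length policy are constructed assumptions.

```python
import ipaddress

# Constructed sample data: prefixes an ISP has assigned to one customer.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/40"),
]
# Hypothetical policy: longest prefix accepted from a customer, per IP version.
MAX_LEN = {4: 24, 6: 48}


def source_filter_permit(src_ip: str) -> bool:
    """Data plane (traffic filter): forward a packet only if its SOURCE
    ADDRESS lies inside a prefix assigned to the customer it came from."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr.version == n.version and addr in n
               for n in CUSTOMER_PREFIXES)


def announcement_permit(prefix: str) -> bool:
    """Control plane (BGP filter): accept a route only if the announced
    PREFIX is a customer prefix or a more-specific within the length limit."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False  # malformed prefix or host bits set
    if net.prefixlen > MAX_LEN[net.version]:
        return False  # too specific for this policy
    return any(net.version == n.version and net.subnet_of(n)
               for n in CUSTOMER_PREFIXES)


def evaluate(packets, announcements):
    """Apply each filter to its own kind of input; neither covers the other."""
    return (
        {p: source_filter_permit(p) for p in packets},
        {a: announcement_permit(a) for a in announcements},
    )


if __name__ == "__main__":
    # Constructed inputs: packet source addresses and announced prefixes.
    traffic, routes = evaluate(
        ["192.0.2.10", "198.51.100.7"],
        ["192.0.2.0/24", "198.51.100.0/24", "192.0.2.128/25"],
    )
    print("traffic:", traffic)
    print("routes: ", routes)
```

A customer session can pass the source-address check on every packet and still send an announcement the prefix filter rejects, which is why the two filters are configured separately.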