On Sat, 2005-05-21 at 16:03 -0400, Steven M. Bellovin wrote: <SNIP>
Let me add a word about cut-and-paste attacks. A signed origin statement asserts that some AS owns some prefix. That statement will be readily available. A nefarious site could cut that statement from some actual BGP session and prepend it to its own path announcement. That would add a hop, but many ASs will still prefer it and route towards the apparent owner through the nefarious site. The nefarious site wouldn't forward such packets, of course; it would treat the packets as its own.
At least in that case you can quite easily identify the culprit when one finds out who it is, as the AS the path is going over is really the culprit announcing it. And as one can identify the culprit, one can easily exclude this culprit from ever doing any business with you again, which is also a great thing for protection against spam runs (announcing some prefix for a few moments, spamming and removing it again), as they will have to get a new ASN to do it from. ASNBL anyone? :) Of course one can also nicely blacklist the ASNs who allow those hostile ASNs to be connected, and so on. IMHO s(o)BGP is a good step forward and I hope that it will get deployed, the sooner the better.

Greets,
 Jeroen
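The cut-and-paste attack Bellovin describes, and Jeroen's point that the pasting AS is visible in the path, can both be shown with a toy model of S-BGP style attestations. The following is an added example, not code from either poster or from any S-BGP implementation: it uses HMAC with per-AS secret keys as a stand-in for the asymmetric signatures and certificates real S-BGP uses, private-use ASNs (64496-64499) and the documentation prefix 192.0.2.0/24 as constructed scenario data, and a simplified attestation format of its own. An origin attestation binds only (prefix, origin AS), so a validator that checks nothing else accepts a copy of it glued onto a different path; a validator that also requires each AS in the path to have attested the next hop rejects the pasted update and names the AS that inserted the unattested hop.

```python
"""Toy S-BGP style attestations: origin-only validation accepts a cut-and-paste
update, per-hop route attestations reject it and identify the pasting AS."""
import hashlib
import hmac

# Constructed toy keys, one per AS. Real S-BGP uses asymmetric key pairs with
# RIR-issued certificates; HMAC is a stand-in so this runs offline.
KEYS = {64496: b"owner-key", 64497: b"transit-key",
        64498: b"attacker-key", 64499: b"receiver-key"}


def sign(asn, msg):
    return hmac.new(KEYS[asn], msg, hashlib.sha256).hexdigest()


def verify(asn, msg, sig):
    return hmac.compare_digest(sign(asn, msg), sig)


def origin_msg(prefix, origin_as):
    return f"origin|{prefix}|{origin_as}".encode()


def route_msg(prefix, path_so_far, next_as):
    return f"route|{prefix}|{','.join(map(str, path_so_far))}|{next_as}".encode()


def make_origin_attestation(prefix, origin_as):
    """The prefix owner asserts 'origin_as may originate prefix'.
    This object is the same in every session, hence cut-and-pastable."""
    return {"prefix": prefix, "origin": origin_as,
            "sig": sign(origin_as, origin_msg(prefix, origin_as))}


def make_route_attestation(prefix, signer_as, path_so_far, next_as):
    """Each AS signs the path as it stood when it forwarded the update
    plus the neighbour it forwarded it to."""
    return {"signer": signer_as, "path": tuple(path_so_far), "next": next_as,
            "sig": sign(signer_as, route_msg(prefix, path_so_far, next_as))}


def validate_origin_only(prefix, as_path, origin_att):
    """Weak check: only the origin attestation. as_path is [nearest AS, ..., origin AS]."""
    origin = origin_att["origin"]
    return (origin_att["prefix"] == prefix and origin == as_path[-1]
            and verify(origin, origin_msg(prefix, origin), origin_att["sig"]))


def validate_full_path(prefix, as_path, origin_att, route_atts, receiver_as):
    """Strong check. Returns (True, None) when every hop is attested by the AS
    that forwarded it, else (False, asn) where asn is the first AS that sits in
    the path without its upstream neighbour's attestation, i.e. the pasted hop.
    route_atts is ordered origin first."""
    if not validate_origin_only(prefix, as_path, origin_att):
        return False, as_path[-1]
    hops = list(reversed(as_path)) + [receiver_as]   # origin -> ... -> receiver
    for i, signer in enumerate(hops[:-1]):
        ra = route_atts[i] if i < len(route_atts) else None
        expected_path = tuple(hops[:i + 1])
        if (ra is None or ra["signer"] != signer or ra["path"] != expected_path
                or ra["next"] != hops[i + 1]
                or not verify(signer, route_msg(prefix, ra["path"], ra["next"]), ra["sig"])):
            return False, hops[i + 1]
    return True, None


# Constructed scenario: OWNER originates PREFIX, TRANSIT carries it to RECEIVER.
PREFIX = "192.0.2.0/24"
OWNER, TRANSIT, ATTACKER, RECEIVER = 64496, 64497, 64498, 64499

ORIGIN_ATT = make_origin_attestation(PREFIX, OWNER)
LEGIT_PATH = [TRANSIT, OWNER]
LEGIT_ATTS = [make_route_attestation(PREFIX, OWNER, [OWNER], TRANSIT),
              make_route_attestation(PREFIX, TRANSIT, [OWNER, TRANSIT], RECEIVER)]

# Cut-and-paste: ATTACKER copies ORIGIN_ATT from the real session and prepends
# itself. It cannot forge an owner attestation naming ATTACKER as next hop, so
# it can only replay the owner's existing one (which names TRANSIT).
FORGED_PATH = [ATTACKER, OWNER]
FORGED_ATTS = [LEGIT_ATTS[0],
               make_route_attestation(PREFIX, ATTACKER, [OWNER, ATTACKER], RECEIVER)]


def evaluate():
    """Run both validators over both updates as RECEIVER sees them."""
    return {
        "legit_origin_only": validate_origin_only(PREFIX, LEGIT_PATH, ORIGIN_ATT),
        "forged_origin_only": validate_origin_only(PREFIX, FORGED_PATH, ORIGIN_ATT),
        "legit_full": validate_full_path(PREFIX, LEGIT_PATH, ORIGIN_ATT, LEGIT_ATTS, RECEIVER),
        "forged_full": validate_full_path(PREFIX, FORGED_PATH, ORIGIN_ATT, FORGED_ATTS, RECEIVER),
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

The origin-only validator accepts both updates, which is exactly the cut-and-paste problem. The full-path validator accepts the legitimate update and rejects the forged one with `(False, 64498)`: the owner's attestation names 64497 as the next hop, not 64498, so the AS that pasted itself in is the one that stands out, which is what makes the blacklisting Jeroen proposes possible.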