Steven M. Bellovin wrote:
> In other words, a legitimate prefix hijacking service...
Absolutely, NOT. The origin AS will still be the AS that controls the IP space. In fact, I think SBGP would be great for a layout like this to secure down the injections. That being said, prefix lists with md5 auth are probably the best we can hope for. Routing registry macro support or a hashed authorization link sent to whois contacts to automate modification of the prefix lists would be ideal (not much different than what a provider is *supposed* to do with their BGP customers). Once the peer is established and limited in scope, they can then start advertising /32 networks into the blackhole server who will pass it on to others.
> As Randy and Valdis have pointed out, if this isn't done very carefully it's an open invitation to a new, very effective DoS technique. You can't do this without authoritative knowledge of exactly who owns any prefix; you also have to be able to authenticate the request to blackhole it. Those two points are *hard*. I also note that the scheme as described here is incompatible with more or less any possible secured BGP, since by definition it involves an AS that doesn't own a prefix advertising a route to it.
I would presume that md5 BGP peering with prefix lists developed based on public information (whois/routing registry) is about as good as any of us have it now. Granted, there are places that don't do that, and that is where we see route hijacking. A service like this would have to mandate it, to ensure any /32 injected into it came from the peer that is authorized for the network the /32 belongs to. Since the AS_PATH can be maintained, I don't see an issue with secure BGP. Granted, the packets themselves won't be taking any path.

Jack Bates
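
The per-peer check discussed in this message, sketched as an added example that is not part of the original thread or any real blackhole service: a /32 is accepted only when it falls inside the prefix list built for the announcing peer and the AS_PATH contains only that peer's AS. The AS numbers, prefixes and function names are constructed, and treating the peer as the sole AS in the path is an assumption of this sketch.

```python
import ipaddress

# Constructed registry data: peer AS -> prefixes that whois/routing-registry
# records list for it (documentation ranges, private-use AS numbers).
REGISTRY = {
    64500: ["192.0.2.0/24", "198.51.100.0/24"],
    64501: ["203.0.113.0/24"],
}

def build_prefix_lists(registry):
    """Parse the registry strings once into per-peer network lists."""
    return {asn: [ipaddress.ip_network(p) for p in prefixes]
            for asn, prefixes in registry.items()}

def check_announcement(prefix_lists, peer_as, prefix, as_path):
    """Return (accepted, reason) for a blackhole route received from peer_as."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # Only host routes: a wider prefix would blackhole more than one target.
    if net.version != 4 or net.prefixlen != 32:
        return False, "not an IPv4 /32"
    allowed = prefix_lists.get(peer_as)
    if allowed is None:
        return False, "unknown peer"
    # Assumption: the authorized peer originates the route itself, so the
    # path may contain only its own AS (prepending is tolerated).
    if not as_path or set(as_path) != {peer_as}:
        return False, "AS_PATH not originated solely by the peer"
    # The core rule: the /32 must sit inside space registered to this peer.
    if not any(a.version == 4 and net.subnet_of(a) for a in allowed):
        return False, "prefix outside the peer's authorized space"
    return True, "accepted"

if __name__ == "__main__":
    lists = build_prefix_lists(REGISTRY)
    samples = [  # constructed announcements: (peer AS, prefix, AS_PATH)
        (64500, "192.0.2.10/32", [64500]),
        (64501, "192.0.2.10/32", [64501]),   # someone else's address space
        (64500, "192.0.2.0/24", [64500]),    # too wide
        (64500, "198.51.100.7/32", [64500, 64501]),
    ]
    for peer, pfx, path in samples:
        print(peer, pfx, path, check_announcement(lists, peer, pfx, path))
```

The second sample is the case raised in the quoted objection: a peer asking to blackhole an address it does not control is rejected because the prefix list is keyed to the announcing peer.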