Re: Routing Protocol Security
I know of several incidents where invalid routing announcements were maliciously employed in order to cause reachability problems to the destination prefix network. It still bugs me that router vendors don't provide the capability to support inter-provider filters (read: 10s or 100s of thousands of instances). But heck, some providers still don't even filter routing announcements for customer prefixes explicitly. This is a HUGE vulnerability.

Likewise, employing the same set of inter-provider filters at the data plane as ingress source filters would suppress the bulk of these cheesy spoofed-source address attacks. This is another HUGE vulnerability (providing a solution in hardware is a bit more difficult -- though not impossible!). But heck, some providers still don't employ customer ingress filtering.

Of course, then the vulnerability would be the registries, and subsequent components therein. Then again, at least the former was done many moons ago, though wasn't real successful given the network, 24 hour turnarounds, etc. However, things like BGP Route Refresh and the like could alleviate most of the offshoots of the time.

Now, back to the router vendor support issue, if that's what you were soliciting input on...?

-danny
participants (1)
-
Danny McPherson
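
The idea in the message above, one per-peer prefix list used both as a routing-announcement filter and as a data-plane ingress source filter, shown as an added example that is not part of the original post. The peer ASNs, prefixes, the maximum-length policy and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: prefixes each peer AS has registered (for instance as
# route objects in a routing registry). Documentation ranges, private-use ASNs.
REGISTERED = {
    64500: ["192.0.2.0/24", "198.51.100.0/24"],
    64501: ["203.0.113.0/24"],
}
MAX_LEN = 24  # assumed policy: reject announcements more specific than /24


def build_filters(registered):
    """Compile one filter set per peer; both planes reuse it."""
    return {asn: [ipaddress.ip_network(p) for p in prefixes]
            for asn, prefixes in registered.items()}


def accept_announcement(filters, peer_asn, prefix):
    """Control plane: accept only prefixes inside the peer's registered space."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_LEN:
        return False
    # An unknown peer has no filter entries, so everything is rejected.
    return any(net.version == allowed.version and net.subnet_of(allowed)
               for allowed in filters.get(peer_asn, []))


def accept_source(filters, peer_asn, src_ip):
    """Data plane: accept a packet only if its source is in the same set."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in allowed for allowed in filters.get(peer_asn, []))


if __name__ == "__main__":
    filters = build_filters(REGISTERED)
    # Constructed announcements and packets arriving from peer AS 64500.
    for prefix in ["192.0.2.0/24", "203.0.113.0/24", "192.0.2.128/25"]:
        verdict = "accept" if accept_announcement(filters, 64500, prefix) else "reject"
        print(f"announce {prefix:18} from AS64500: {verdict}")
    for src in ["198.51.100.9", "203.0.113.5"]:
        verdict = "forward" if accept_source(filters, 64500, src) else "drop"
        print(f"packet src {src:16} from AS64500: {verdict}")
```
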