BGP prefix filter list
- Subject: BGP prefix filter list
- From: alejandroacostaalamo at gmail.com (Alejandro Acosta)
- Date: Sat, 18 May 2019 20:10:30 -0400
- In-reply-to: <CAHBw0M8rFd4KQ8fhtQhLQskONO7E64p=gqocVnXAQn1-pF6DLQ@mail.gmail.com>
- References: <[email protected]> <[email protected]> <CAHBw0M8rFd4KQ8fhtQhLQskONO7E64p=gqocVnXAQn1-pF6DLQ@mail.gmail.com>
Hello Amir,
On 5/18/19 1:08 PM, Amir Herzberg wrote:
> This discussion is very interesting, I didn't know about this problem,
> it has implications to our work on routing security, thanks!
You're welcome... For a long time I have wanted to present our findings in
English.
>
> On Sat, May 18, 2019 at 11:37 AM Alejandro Acosta
> <alejandroacostaalamo at gmail.com
> <mailto:alejandroacostaalamo at gmail.com>> wrote:
>
>
> If you learn, let's say, up to /22 (v4), and someone hijacks one /21,
> you will learn the legitimate prefix and the hijacked prefix. Now, the
> owner of the legitimate prefix wants to defend their routes by announcing
> /23 or /24; of course those prefixes won't be learnt if they are
> filtered.
>
>
> I wonder if this really is a consideration to avoid filtering small
> prefixes (e.g. /24):
My position is exactly the opposite.
>
> - attackers are quite likely to do sub-prefix hijacks (or say a
> specific /24), so I'm not sure this `hits' defenders more than it
> `hits' attackers
Yes, you are right, but anyhow -IMHO- this is still better than not
learning small prefixes at all.
> - I think we're talking only/mostly about small providers here, right?
> as larger providers probably will not have such problems of tables
> exceeding router resources. I expect such small providers normally
> connect through several tier-2 or so providers... if these upper-tier
> providers get hijacked, the fact you've prevented this at the
> stub/multihome ISP may not help much - we showed how this happens with
> ROV in our NDSS paper on it:
> https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/are-we-there-yet-rpkis-deployment-and-security/
>
>
You are right here.
Thanks for the link, I will take a look.
Alejandro,
>
> Amir Herzberg
> Comcast professor for security innovation
> Dept. of Computer Science and Engineering, University of Connecticut
>
> Foundations of Cybersecurity:
> https://www.researchgate.net/project/Lecture-notes-on-Introduction-to-Cyber-Security
>
> Homepage: https://sites.google.com/site/amirherzberg/home
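The scenario Alejandro describes (a /21 hijack, the legitimate origin deaggregating to /23 or /24, and an ingress prefix-length filter deciding whether those more-specifics are ever installed) as an added, constructed example that is not part of this thread. Prefixes and ASNs are made up; the RIB is a toy that only models longest-prefix match and an ingress max-length filter, not full BGP best-path selection.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


class PrefixFilterRib:
    """Toy RIB: drop prefixes longer than max_len on ingress (the
    'prefix filter list' of the thread), answer lookups by longest match."""

    def __init__(self, max_len: int) -> None:
        self.max_len = max_len
        self.rib: Dict[Net, List[int]] = {}  # prefix -> list of origin ASNs seen

    def learn(self, prefix: str, origin_as: int) -> bool:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > self.max_len:
            return False  # filtered at ingress, never installed
        self.rib.setdefault(net, []).append(origin_as)
        return True

    def lookup(self, addr: str) -> Optional[Tuple[int, List[int]]]:
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.rib if ip in n]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)  # longest-prefix match
        return best.prefixlen, self.rib[best]


def scenario(max_len: int) -> Optional[Tuple[int, List[int]]]:
    """Constructed scenario: AS64500 owns 10.0.0.0/21, AS64666 hijacks it,
    and AS64500 deaggregates to /23 and /24 to win back traffic.
    Returns (prefix length used, origin ASNs competing for that prefix)."""
    rib = PrefixFilterRib(max_len)
    rib.learn("10.0.0.0/21", 64500)  # legitimate origin
    rib.learn("10.0.0.0/21", 64666)  # hijacker announces the same /21
    rib.learn("10.0.0.0/23", 64500)  # defensive more-specifics from the owner
    rib.learn("10.0.1.0/24", 64500)
    return rib.lookup("10.0.1.10")


if __name__ == "__main__":
    for limit in (22, 23, 24):
        # With a /22 limit only the contested /21 is installed, so the
        # hijacker stays in the running; allowing /23 or /24 restores the
        # owner's unambiguous more-specific.
        print(f"max /{limit}: {scenario(limit)}")
```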