undefined | Better HN

0 pointsj16sdiz2y ago0 comments

Before you can "announce" a prefix, you need an ISP willing to peer with you.

BGP is a very insecure protocol. Most of its "security" are enforced by money and contract.

0 comments

> BGP is a very insecure protocol.

Take a look at the state of RPKI. ROA validation is common these days, and ASPA validation will be common soon. You still need to manually validate that your peer truly represents the AS that they claim to, but if that's been done, ROA+ASPA validation prevents unauthorized announcements.

Absent RPKI, people have been filtering based on IRR for ages, which will not necessarily prevent unauthorized announcements, but will require an attacker to leave a paper trail when making one.

j / k navigate · click thread line to collapse

0 pointsj16sdiz2y ago0 comments

Before you can "announce" a prefix, you need an ISP willing to peer with you.

BGP is a very insecure protocol. Most of its "security" are enforced by money and contract.

0 comments

greyface-2y ago

> BGP is a very insecure protocol.

Absent RPKI, people have been filtering based on IRR for ages, which will not necessarily prevent unauthorized announcements, but will require an attacker to leave a paper trail when making one.

j / k navigate · click thread line to collapse