[6bone] (OT but Relevant) Recent spammer tactics - BGP Hijacking

John Fraizer tvo@EnterZone.Net
Mon, 12 May 2003 15:17:36 -0400 (EDT)


On Mon, 12 May 2003, Andy Furnell wrote:

> On Sat, May 10, 2003 at 12:43:38PM +0200, Marc Hultquist wrote:
> > 
> > 
> > I have to Agree with John on this Matter. IF the providers would be 
> > good enough to Filter the customers responsibility, then there would
> > not be a problem now would there?
> > 
> 
> This is a nice idea, but given that there's no IPv6 routing registry,
> the administrative overhead of manually generating filters can get
> seriously cumbersome (especially given that IPv6 efforts for most
> providers still seem to be done on a part-time basis). Granted any AS
> transiting another should apply suitable filters, but filtering peering
> routes and/or those heard from transit upstreams with suitable
> granularity to prevent BGP hijacking is a problem when the
> infrastructure is not in place to automate the process.
> 
> Just my 2c :)
> 
> A

Andy,

Filtering on the transitAS<->transitAS side of things will always be
painful and for most decent sized networks, it is not something that
happens, even in the v4 world.

Filtering "customer" or "customer-like" peering sessions is a different
story though.  If someone "doesn't have time" to implement responsible
filtering on their customer sessions, they shouldn't IMNSHO be speaking
BGP to begin with.

With appropriate "customer" filters in place on the customer-facing edge,
border filters on the peering border are something that in most cases are
not needed.  

If someone "leaks" something to us once, we will help them establish
appropriate policy to prevent future "leaks."  If they do it twice, they
face the wrath of "neighbor [x.x.x.x|xx:xx:xx:xx] shutdown" on our
side.  It tends to get them thinking in a more responsible manner and if
NOT, they're not the kind of peer we wish to interact with.


---
John Fraizer              | High-Security Datacenter Services |
President                 | Dedicated circuits 64k - 155M OC3 |
EnterZone, Inc            | Virtual, Dedicated, Colocation    |
http://www.enterzone.net/ | Network Consulting Services       |
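
The customer-edge filtering and "leak once, leak twice" handling discussed in this message, sketched as an added example that is not part of the original post or any code from its author. The AS numbers, prefixes, maximum prefix lengths and the function names `permitted` and `review_session` are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use AS numbers.
CUSTOMER_PREFIXES = {
    64512: ["192.0.2.0/24", "2001:db8:100::/40"],
    64513: ["198.51.100.0/24"],
}
MAX_LEN = {4: 24, 6: 48}  # assumed longest prefix accepted per address family


def permitted(customer_as, prefix):
    """True if prefix lies inside a block registered to the customer and is
    no more specific than MAX_LEN for its address family."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_LEN[net.version]:
        return False
    for block in CUSTOMER_PREFIXES.get(customer_as, []):
        allowed = ipaddress.ip_network(block)
        if allowed.version == net.version and net.subnet_of(allowed):
            return True
    return False


def review_session(customer_as, announced, strikes):
    """Filter one batch of announcements heard on a customer session.

    Returns (accepted, rejected, action). A batch containing any rejected
    prefix counts as one leak: the first leak yields "fix-policy", any later
    one yields "shutdown". strikes maps AS number -> leaks seen so far.
    """
    accepted = [p for p in announced if permitted(customer_as, p)]
    rejected = [p for p in announced if p not in accepted]
    if not rejected:
        return accepted, rejected, "ok"
    strikes[customer_as] = strikes.get(customer_as, 0) + 1
    action = "fix-policy" if strikes[customer_as] == 1 else "shutdown"
    return accepted, rejected, action


if __name__ == "__main__":
    strikes = {}
    batches = [
        ["192.0.2.0/24", "2001:db8:101::/48"],  # both inside AS64512's blocks
        ["192.0.2.0/24", "198.51.100.0/24"],    # second prefix belongs to AS64513
        ["2001:db8:200::/48"],                  # outside the registered /40
    ]
    for batch in batches:
        print(review_session(64512, batch, strikes))
```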