On 15/12/2011 16:28, Drew Weaver wrote:
-----Original Message-----
From: Justin M. Streiner [mailto:strei...@cluebyfour.org]
Sent: Thursday, December 15, 2011 9:45 AM
To: nanog@nanog.org
Subject: Re: Is AS information useful for security?
origin-AS could be another story. If you know of an AS that is being used by the
bad guys for bad purposes, you can write a routing policy to dump all traffic
to/from that AS into the bit bucket or take some other action that could be
dictated by your security policy. In that case, a routing policy could
be considered an extension of a security policy.
I could be wrong here, but I believe origin-AS uses a lookup from the routing
table to figure out what the originAS for the source IP should be (and not what
it explicitly IS), which means the information is unreliable.
For example if someone is sending spoofed packets towards you the origin AS
will always show up as the originator of the real route instead of the origin
AS of the actual traffic.
This is why it would be useful to have the originAS (from the actual origin) in
the packet header.
How would you determine and enforce this?
OK, so a packet leaves my network that I know originated from my network
based on some factor (IGP route existing or matched prefix list), and the
origin AS is put into a new field in the packet header...
What's to stop the spoofer putting that origin AS into their spoofed
packet headers?
This means that another level of checking would then need to be put into
inter-AS BGP sessions, so that all traffic passing across the link is
checked to make sure the origin ASes match.
Couldn't most of the same protection be solved by more people running
BCP38 and RPKI?
Thanks,
-Drew
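A small runnable illustration of the two points made in this thread (an added example, not code from anyone on the list): a longest-prefix-match "origin-AS" lookup over a routing table, and a BCP38-style ingress check keyed on the interface a packet arrived on. The routing table, customer prefix lists, AS numbers and sample packets are all constructed (documentation prefixes and private ASNs); the `true_origin_as` field exists only so the simulation can show what a real router cannot see.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed routing table: prefix -> origin AS as seen in the best BGP path.
# Assumed data for the illustration; none of these routes are real.
RIB: Dict[str, int] = {
    "0.0.0.0/0": 64499,        # assumed default route learned from an upstream
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
}


def origin_as_for(src_ip: str) -> Optional[int]:
    """Router-style origin-AS lookup: longest-prefix match of the SOURCE address
    against the RIB, returning the origin AS of the covering route.
    This reports who announces the route for that address, which is not
    necessarily who emitted the packet."""
    ip = ipaddress.ip_address(src_ip)
    best_net = None
    best_asn = None
    for prefix, asn in RIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_asn = net, asn
    return best_asn


# BCP38 ingress policy: per customer-facing interface, the prefixes that
# customer is allowed to source packets from. Constructed for the example.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "cust-A": ["192.0.2.0/24"],
    "cust-B": ["198.51.100.0/24"],
}


def bcp38_accept(ingress_iface: str, src_ip: str) -> bool:
    """Accept a packet on a customer interface only if its source address
    falls inside a prefix that customer is entitled to originate."""
    ip = ipaddress.ip_address(src_ip)
    allowed = CUSTOMER_PREFIXES.get(ingress_iface, [])
    return any(ip in ipaddress.ip_network(p) for p in allowed)


@dataclass
class Packet:
    ingress_iface: str
    src: str
    dst: str
    true_origin_as: int   # ground truth for the simulation only; not in any header


# Constructed sample traffic: one legitimate packet, two spoofed ones from cust-B.
SAMPLE_PACKETS: List[Packet] = [
    Packet("cust-A", "192.0.2.10", "203.0.113.5", 64500),   # legitimate
    Packet("cust-B", "192.0.2.77", "203.0.113.5", 64501),   # spoofs cust-A's space
    Packet("cust-B", "10.9.9.9", "203.0.113.5", 64501),     # spoofs unrouted space
]


def evaluate(packets: List[Packet]) -> List[dict]:
    """For each packet, compare the origin AS a router would infer from the
    routing table with the true origin, and apply the BCP38 ingress check."""
    results = []
    for p in packets:
        inferred = origin_as_for(p.src)
        results.append({
            "src": p.src,
            "iface": p.ingress_iface,
            "lookup_as": inferred,
            "true_as": p.true_origin_as,
            "lookup_correct": inferred == p.true_origin_as,
            "accepted": bcp38_accept(p.ingress_iface, p.src),
        })
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_PACKETS):
        print(f"{r['iface']:7} src={r['src']:14} origin-AS lookup={r['lookup_as']} "
              f"true={r['true_as']} correct={r['lookup_correct']} bcp38_accept={r['accepted']}")
```

Running it shows the mismatch Drew describes: the packet from cust-B spoofing 192.0.2.77 resolves to AS64500 (the AS that announces the covering route), and the one with an unrouted source falls through to the default route's AS. A policy written against origin-AS alone would attribute both to the wrong network; the interface-scoped BCP38 check drops both because the source is outside what cust-B is allowed to originate, without needing any AS information in the packet at all.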