[j-nsp] Bandwidth aware using BGP on ISP transit
Alexander Arseniev
arseniev at btinternet.com
Mon Jan 25 03:19:31 EST 2016
Hello,
Please see below inline marked with [AA].
Thx
Alex
On 25/01/2016 07:08, Nathan Ward wrote:
> Hi,
>
>> On 25/01/2016, at 19:48, Alexander Arseniev <arseniev at btinternet.com> wrote:
>>
>> On 24/01/2016 23:01, Nathan Ward wrote:
>>> This sort of works, except there’s a strong chance that the attacker only gets advertised poisoned paths, and you’d drop all traffic.
>> Do you mean the attacker's ASN is non-existent? Or the attacker's src IP is from RFC 1918/6598 space? Or the attacker's src IPs are spoofed?
> No.
>
> BGP typically[1] advertises only one route (and AS path) per prefix. Consider an attacker with two peers/transit providers. If both of those transit providers have selected a poisoned path (i.e. one with the attacker’s AS in the path) as the best path, then the attacker’s AS won’t accept any routes to your network.
>
> Tim mentioned that he has 10 transit providers, so there’s a good chance that the 9 paths that he poisons will be selected over the 1 that he doesn’t, and then he’ll see no traffic from the attacker, especially if the link in question doesn’t already carry traffic from the remote AS - which one assumes is true, or this whole solution wouldn’t be needed.
[AA]. Sorry, I don't get it. Tim's prefixes announced out of the
attacked link do not change; Tim's prefixes announced out of all
OTHER links will have a longer AS_PATH. Why would the attacker's
neighboring ASN select the new announcement with the longer AS_PATH
over the existing one?
I expect that ALL ASNs on the way to the attacker's source ASN will
retain the old announcement as the best path.
Yes, this will affect traffic from these ASNs along with the attack traffic.
But it also helps if the attacker's ASN has a 0/0 route pointing to the
neighboring ASN which happened to be on the old best path to Tim's ASN.
Thx
Alex
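The disagreement in this thread comes down to two BGP mechanics: every AS installs and re-advertises only one best path per prefix, and AS_PATH loop detection makes an AS reject any path already containing its own ASN. The simulation below is an added illustration, not code from the thread; the ASNs, the flat topology (each attacker upstream hears every one of Tim's transits directly) and the LOCAL_PREF policy are constructed assumptions. It shows both outcomes: with equal LOCAL_PREF the shorter unpoisoned path wins at every upstream, while an upstream that prefers a poisoned transit by policy leaves the attacker's AS with no route at all.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    as_path: tuple        # leftmost ASN is the most recently traversed AS
    local_pref: int = 100

def best_path(candidates):
    """Highest LOCAL_PREF, then shortest AS_PATH; the path tuple stands in for later tie-breaks."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.as_path))

def receive(route, my_asn, local_pref=100):
    """Import a route: AS_PATH loop detection drops any path that already contains my ASN."""
    if my_asn in route.as_path:
        return None
    return Route(route.as_path, local_pref)

def advertise(route, my_asn):
    """Export a route to a neighbour, prepending my own ASN."""
    return Route((my_asn,) + route.as_path)

def attacker_best_path(victim, attacker, transits, poisoned, upstreams, lpref=None):
    """AS_PATH the attacker AS installs for the victim's prefix, or None.
    transits: the victim's transit ASNs; poisoned: those on which the victim
    prepends the attacker's ASN; upstreams: the attacker's transit ASNs, each
    assumed (constructed topology) to hear every victim transit directly;
    lpref: {(upstream, transit): LOCAL_PREF} policy at the attacker's upstreams."""
    lpref = lpref or {}
    clean = Route((victim,))
    poisoned_route = Route((victim, attacker, victim))   # attacker ASN poisoned in
    at_attacker = []
    for u in upstreams:
        heard = []
        for t in transits:
            announced = poisoned_route if t in poisoned else clean
            r = receive(advertise(announced, t), u, lpref.get((u, t), 100))
            if r is not None:
                heard.append(r)
        best = best_path(heard)                      # one best path per prefix per AS
        if best is None:
            continue
        r = receive(advertise(best, u), attacker)    # loop detection at the attacker
        if r is not None:
            at_attacker.append(r)
    best = best_path(at_attacker)
    return best.as_path if best else None
```

With ten constructed transits 65101-65110, nine of them poisoned and default LOCAL_PREF everywhere, the attacker still installs the path through the unpoisoned transit; give each of the attacker's upstreams a LOCAL_PREF of 200 towards one poisoned transit and the function returns None.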