netsec-sig - [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing
Subject: Internet2 Network Security SIG
- From: David Farmer <>
- To: "" <>
- Cc: "Spears, Christopher M." <>, Grover Browning <>, "" <>, "" <>, "" <>
- Subject: [Security-WG] Re: [NTAC] New Well-Known BGP Community for Blackholing
- Date: Tue, 26 Jul 2016 10:29:57 -0500
Bill,
This is discussed in the Security Considerations section of the draft; basically, RPKI or BGPSec don't protect the communities from modification. So, it helps but doesn't really solve that problem.
On Tue, Jul 26, 2016 at 9:31 AM, Bill Jensen <> wrote:
Would implementing RPKI help with this or would its value, in the case of blackholing, be limited to only whom you peer with?
-wej
On 7/26/16 9:19 AM, Spears, Christopher M. wrote:
On Jul 26, 2016, at 9:44 AM, Grover Browning <> wrote:
David,
Do you see a downside to transiting?
(Answering for myself, not David :)
IMHO, it’s an issue of trust/verification. At a fixed point in time, you may trust a certain peer network; however you cannot control who they peer with, or what they accept from those peers, or their peers, etc. That said, the route will be propagated, so you can always limit the origin-as you’ll accept this from. Of course, you’re then back to a per-peer blackhole policy, just using a well-known BGP community.
For BLACKHOLE, everything I can think of begins with: "First, hijack the route …" Blackholing is the ultimate DOS - you get your target /32s blackholed, and you’ve won. Again, trust. This is all destination-based hinting, not source-specific ingress filtering for DDOS, and has nothing to do with route hijacking. BCP38, anti-virus/malware, anti-botnet efforts, and bleach are the only solutions for DDOS at the moment. Route hijacking has a mixed bag of arguably effective tools, as well.
-Chris
-Grover
On Jul 25, 2016, at 7:55 PM, David Farmer <> wrote:
if experiments show it's useful I'd support it, but right now I'm skeptical how useful transiting this would be for us.
--
Bill Jensen, Network Engineer
UW-Madison DoIT Network Services
Rm B116 CSSC, 1210 W. Dayton St., Madison, WI 53706
voice: 608-263-9325 efax: 413-208-1297
email: cell: 608-576-8345
sms:
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
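Added example, not part of the original message or of the draft: the per-peer, origin-AS-limited blackhole policy discussed in the thread, written as a route-evaluation function. The AS numbers, prefixes, `POLICY` table, and the host-route-only and /24 cut-off rules are constructed assumptions; 65535:666 is the BLACKHOLE community value later published in RFC 7999.

```python
import ipaddress

BLACKHOLE = (65535, 666)  # well-known BLACKHOLE community (RFC 7999)

# Constructed policy: peer AS -> {origin AS -> address space that origin may blackhole}.
POLICY = {
    64500: {64500: ["192.0.2.0/24"], 64501: ["198.51.100.0/24"]},
}
MIN_BLACKHOLE_LEN = 32   # assumption: honour host routes only
MAX_NORMAL_LEN = 24      # assumption: longest prefix accepted as ordinary routing


def evaluate(peer_as, as_path, prefix, communities):
    """Return (action, communities) for one IPv4 route received from peer_as.

    action is "blackhole", "accept" or "reject". The community is honoured only
    when the peer, the origin AS and the prefix all match the local policy, so
    a tag added or left in place somewhere upstream is not trusted by itself.
    """
    comms = set(communities)
    net = ipaddress.ip_network(prefix)
    if BLACKHOLE not in comms:
        action = "accept" if net.prefixlen <= MAX_NORMAL_LEN else "reject"
        return action, comms

    origin = as_path[-1] if as_path else None
    allowed = POLICY.get(peer_as, {}).get(origin, [])
    covered = any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)
    if covered and net.prefixlen >= MIN_BLACKHOLE_LEN:
        return "blackhole", comms

    # Not authorised: never act on the tag. Too-specific routes are dropped;
    # ordinary prefixes are kept with the community stripped so it is not
    # propagated further.
    comms.discard(BLACKHOLE)
    if net.prefixlen > MAX_NORMAL_LEN:
        return "reject", comms
    return "accept", comms


if __name__ == "__main__":
    # Constructed sample announcements.
    print(evaluate(64500, [64500, 64501], "198.51.100.9/32", [BLACKHOLE]))
    print(evaluate(64500, [64500, 64502], "203.0.113.5/32", [BLACKHOLE]))
    print(evaluate(64510, [64510], "198.51.100.0/24", [BLACKHOLE, (64510, 100)]))
```

The origin check relies on the AS path as received, so it narrows who can trigger a blackhole but does not authenticate the community itself.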