Jared,

Fine, which makes it an interesting data point and something to look at after lunch when I'm not doing something else kinda issue. Not something I'm going to treat as a P1 and drop everything work or real life related for. I'm not saying it shouldn't be looked at, just that in the grand scheme of things it's not a huge issue. Kinda like when people feel the need to tune IGP time sub-second convergence but do impactful maint on routers or circuits 3-4 times a yr. If you lock the doggie door but leave the front door open the bad guys can walk right in. :)

-jim

On Tue, Jan 13, 2009 at 11:06 AM, Jared Mauch <ja...@puck.nether.net> wrote:
> On Tue, Jan 13, 2009 at 07:00:34AM -0800, David Barak wrote:
>> If the concern was a Pilosov/Kapela style hijack, wouldn't the first thing
>> you'd check be what the address range was? That would lead you straight to
>> Randy, and that should have cleared up the matter straightaway. Remember:
>> the owner of the IP space is the victim, not the ASN which gets prepended
>> into the path...
>>
>
> No, they are both victims. If I inject a path that purports
> there is an edge between two networks which are engaged in a bitter
> dispute, (I'll use cogent & sprint as an example) - _1239_174_ that may
> create a situation where someone asserts that their routes are
> being filtered when in fact no connectivity exists.
>
> Does that mean that I hijacked their identity and forged it? What
> level of trust do you place in the AS_PATH for your routing, debugging and
> decision making process?
>
> Personally, I would be upset if someone injected a route with my
> ASN in the AS_PATH without my permission.
>
> - Jared
>
> --
> Jared Mauch | pgp key available via finger from ja...@puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.