On Wed, May 02, 2018 at 09:18:50PM +0200, Matthias Waehlisch wrote:
> > > *scratch head*
> >
> > If your DDoS mitigator depends on BGP hijacking to deliver their
> > scrubbing services to you ... indeed you'll have challenges. I have
> > no good answer, this is an architectural flaw where one has to make
> > a trade-off between wanting to protect against hijacks and having
> > the ability to insert more-specifics for legitimate purposes.
>
> RPKI origin validation does not protect against path manipulation.
>
> Even if you announce the /24, someone else could hijack with a faked
> origin AS. It just gets more difficult because there are competing
> announcements.

For path validation there are other tricks! It is a bit of a poor man's
solution, but so much better than nothing. It only protects a subset of
all ASNs, but combined with RPKI Origin Validation this would be
extremely effective.

https://www.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf
https://www.youtube.com/watch?v=CSLpWBrHy10

Kind regards,

Job
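The point made in the quoted text, that RPKI Origin Validation checks only the origin ASN and not the AS_PATH, can be seen by running the RFC 6811 validation algorithm over a few constructed announcements. The following is an added illustration, not code from this thread or from any router vendor; the ROA, prefixes and ASNs are constructed sample values from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # covering prefix, e.g. "192.0.2.0/23"
    max_length: int  # longest prefix length the ROA authorises
    origin_as: int   # ASN authorised to originate prefixes under it


def rov_state(route_prefix, origin_as, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'.

    A route is covered by a ROA when its prefix lies inside the ROA prefix.
    It is valid when some covering ROA names its origin AS and its length does
    not exceed maxLength; covered but never matched is invalid; uncovered is
    notfound.
    """
    net = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def validate_announcement(prefix, as_path, roas):
    """ROV only inspects the rightmost ASN of the AS_PATH (the origin).

    Every other hop in the path is ignored, which is why a path that ends in
    the authorised origin passes even when the rest of the path is bogus.
    """
    return rov_state(prefix, as_path[-1], roas)


# Constructed sample ROA: AS64500 may originate 192.0.2.0/23 down to /24.
ROAS = [Roa("192.0.2.0/23", 24, 64500)]

if __name__ == "__main__":
    # Legitimate /24 from AS64500 via a transit AS: valid.
    print(validate_announcement("192.0.2.0/24", [64496, 64500], ROAS))
    # Same /24 originated by a different AS: invalid (ROV catches this).
    print(validate_announcement("192.0.2.0/24", [64496, 64666], ROAS))
    # Path that merely ends in the authorised origin: still valid, so ROV
    # alone cannot tell this apart from the legitimate announcement.
    print(validate_announcement("192.0.2.0/24", [64496, 64666, 64500], ROAS))
```

The third case is exactly the gap that path-level checks such as those in the linked slides are meant to cover; ROV should be deployed alongside them, not instead of them.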