After I published the post about Telstra's hijack affecting many networks on LinkedIn, one of my students asked a couple of good questions under that post. I thought sharing that post here would be beneficial for those who follow the "Orhan Ergun Blog", as I explained a couple of important, frequently asked questions about BGP global routing security.
John Ojo sent the below question/comment:
Orhan Ergun thanks for the insights.
Hence the need for IRR & #RPKI. I attended your BGP Zero to Hero training; now this makes more sense to me, having seen flowspec a few weeks ago previously from #Centurylink to this /24 prefix hijack.
But my questions are;
- Why do all these companies not implement these path validation controls?
- Is it a lack of competent BGP Engineers or Peering Coordinators? Can BGPSec not be automated to avoid human errors? BGP Security controls seem to overwhelm a lot of companies and not all the Security approaches are foolproof anyway. Should they just wait until it happens? The need for continuous training and retraining cannot be overemphasized on BGP in-depth. I recommend them to train at Orhan Ergun LLC.
My answer to his question was below:
- Many Tier 1 ISPs have started to implement them, though it is harder to deploy them towards customers than towards peers. But the main reason why not all companies do that now? Because they have other priorities; securing the Internet is not the top one, even though that security will save their networks as well.
- When it comes to BGPSEC, which is the IETF standard technology for BGP path validation, it is not because of a lack of competent engineers; due to its resource consumption, people cannot deploy it at the moment.
There are two IETF drafts, though, for BGP path validation: Alexander Azimov's ASPA and Melchior Aelmans's AS Cones. I have videos with each of these smart guys discussing their solutions on my YouTube channel, which I am sure you are a subscriber of!