
Re: survey of isp security practices



OK....I am getting convinced that my first stab at categories should change.....I like Gregory's suggestion and if folks have more input, just keep them coming. I will incorporate into actual 00-draft.

- merike

On Nov 9, 2004, at 8:56 AM, Howard C. Berkowitz wrote:

>> I agree with Howard that "routing" should be a major
>> heading, but I think that it has two major categories:
>> source validation, and information validation.
>
> Good points, but there perhaps should be a third -- altering the routing/forwarding tables as part of a security mechanism such as blackholes, sinkhole attractors, and the effect of blackholes on uRPF.
>
>> I am not yet convinced that routing should be a separate category but instead the security practices that are currently employed for authentication, filtering, logging, etc. can use a sub-category for what is specific to routing. However....I'm still thinking about it.....
>
> If security-related changes were made only on the local router that detected a potential exploit, I'd agree completely with you. My concern is that when manual or automated actions introduce new routes (blackholes, redirection of hosts or subnets to sinkholes), you are affecting the behavior of the entire routing domain.
>
> Hypothetically, if a large number of such routes were introduced as a result of security mechanisms, it could produce a do-it-yourself DoS if some of the edge routers have limited RIB memory. There are other effects of blackhole injection and the like that could be misinterpreted if on too large a scale -- for example, if one had a monitoring tool that looked for changes in the number of prefixes announced by a particular router or set of routers, and a distributed exploit caused a significant number of blackholes to be created, this could look like a variation from normal behavior, and trigger a needless response.
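The two side effects Howard raises (a burst of blackhole routes exhausting a small edge RIB, and a naive prefix-count monitor mistaking that burst for an anomaly) can be shown with a small simulation. The code below is an added example written for this archive page, not code from the thread or its participants. It assumes that blackhole routes carry the BLACKHOLE well-known community 65535:666 (RFC 7999, a convention standardised long after this 2004 discussion); the router names, prefixes, RIB limits and the 50% change threshold are constructed sample values, not measurements from any network.

```python
"""Simulate blackhole-route injection in a single routing domain.

Two checks from the discussion above:
  1. does the injected burst push any router past its RIB capacity?
  2. does a per-origin prefix-count monitor flag the injecting router,
     and does excluding community-tagged blackholes from the count fix that?
All routes, limits and thresholds below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# RFC 7999 BLACKHOLE community (assumption: the thread names no tagging
# convention; this is the one later standardised for exactly this purpose).
BLACKHOLE = "65535:666"


@dataclass(frozen=True)
class Route:
    prefix: str
    origin: str                      # router that injected or announced it
    communities: frozenset = frozenset()

    @property
    def is_blackhole(self) -> bool:
        return BLACKHOLE in self.communities


def prefix_counts(routes, ignore_blackholes=False) -> Counter:
    """Per-origin announced-prefix count, as a monitoring tool would compute it.

    With ignore_blackholes=True, routes tagged with the BLACKHOLE community are
    left out, so security-driven injections do not distort the baseline.
    """
    return Counter(
        r.origin for r in routes if not (ignore_blackholes and r.is_blackhole)
    )


def anomalous_origins(baseline: Counter, current: Counter, max_change=0.5):
    """Origins whose prefix count moved by more than max_change (a fraction).

    A previously unseen origin is always reported; otherwise the relative
    change against the baseline is compared with the threshold.
    """
    flagged = []
    for origin in set(baseline) | set(current):
        before, after = baseline.get(origin, 0), current.get(origin, 0)
        if before == 0 and after > 0:
            flagged.append(origin)
        elif before and abs(after - before) / before > max_change:
            flagged.append(origin)
    return sorted(flagged)


def rib_overflows(routes, rib_limits: dict):
    """Routers whose RIB limit is exceeded.

    Every route in the domain lands in every router's RIB (the point made in
    the thread: a blackhole injected anywhere is carried by the whole domain),
    so the comparison is total route count against each router's limit.
    """
    total = len(routes)
    return sorted(r for r, limit in rib_limits.items() if total > limit)


def build_scenario(n_customer=40, n_blackhole=35):
    """Return (baseline, incident) route tables; constructed sample data."""
    baseline = (
        [Route(f"10.{i}.0.0/16", "edge1") for i in range(n_customer)]
        + [Route(f"10.{100 + i}.0.0/16", "edge2") for i in range(n_customer)]
    )
    # A distributed attack against hosts behind edge1 triggers one /32
    # blackhole per victim, injected at edge1 and tagged BLACKHOLE.
    blackholes = [
        Route(f"10.5.0.{i}/32", "edge1", frozenset({BLACKHOLE}))
        for i in range(n_blackhole)
    ]
    return baseline, baseline + blackholes


if __name__ == "__main__":
    before, after = build_scenario()
    limits = {"edge1": 200, "edge2": 100}      # edge2 has the small RIB
    print("RIB overflow after injection:", rib_overflows(after, limits))
    print("naive monitor flags:",
          anomalous_origins(prefix_counts(before), prefix_counts(after)))
    print("blackhole-aware monitor flags:",
          anomalous_origins(prefix_counts(before, True),
                            prefix_counts(after, True)))
```

Running it shows edge2 overflowing only after the injection, the naive monitor flagging edge1 (its announced count nearly doubles), and the community-aware monitor staying quiet; the operational takeaway is that security-driven route changes need to be marked so that both capacity planning and anomaly detection can tell them apart from ordinary routing churn.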