Networking-Forums.com

Professional Discussions => Routing and Switching => Topic started by: deanwebb on July 12, 2017, 08:55:00 AM

Title: BGP Just Got Fun For Me
Post by: deanwebb on July 12, 2017, 08:55:00 AM
https://www.schneier.com/blog/archives/2017/07/more_on_the_nsa_2.html

Bruce Schneier on forcing traffic out and then back in on particular routes for data exfiltration purposes. As I read it, all of a sudden all of the other stuff I read about BGP started to make way more sense than ever before.

While the article links a leaked NSA document about exfiltration, the logic in the methods used could apply to any government or criminal agency with access to a particular line. If one can force data to use a particular route, then the data goes to the collector and gets harvested.

Very interesting stuff, with thanks to Mr. Schneier.
Title: Re: BGP Just Got Fun For Me
Post by: that1guy15 on July 12, 2017, 09:23:39 AM
Sounds similar to BGP FlowSpec for DDoS mitigation. Sure, the same concept and technology could be used here.
https://supportforums.cisco.com/document/12226726/asr9000xr-understanding-bgp-flowspec-bgp-fs
Title: Re: BGP Just Got Fun For Me
Post by: deanwebb on July 12, 2017, 10:32:41 AM
Quote from: that1guy15 on July 12, 2017, 09:23:39 AM
Sounds similar to BGP FlowSpec for DDoS mitigation. Sure, the same concept and technology could be used here.
https://supportforums.cisco.com/document/12226726/asr9000xr-understanding-bgp-flowspec-bgp-fs

Damn, that was some tasty code in there! And now I'm getting PBR, as well. I never really understood the use cases for it until I saw it in the context of security and, suddenly, I'm getting why one would want to do stuff like that.
Title: Re: BGP Just Got Fun For Me
Post by: icecream-guy on July 12, 2017, 11:53:06 AM
Quote from: deanwebb on July 12, 2017, 10:32:41 AM
Quote from: that1guy15 on July 12, 2017, 09:23:39 AM
Sounds similar to BGP FlowSpec for DDoS mitigation. Sure, the same concept and technology could be used here.
https://supportforums.cisco.com/document/12226726/asr9000xr-understanding-bgp-flowspec-bgp-fs

Damn, that was some tasty code in there! And now I'm getting PBR, as well. I never really understood the use cases for it until I saw it in the context of security and, suddenly, I'm getting why one would want to do stuff like that.

Wait until you have to perform SNAT and DNAT on packets to get them out of the way of other flows on the same network so you can policy route them. Talk about a troubleshooting nightmare...
:zomgwtfbbq:  :ivan:
Title: Re: BGP Just Got Fun For Me
Post by: deanwebb on July 12, 2017, 12:27:11 PM
SNAT or DNAT to do PBR?  :twitch:

OK, it's un-fun again.
Title: Re: BGP Just Got Fun For Me
Post by: that1guy15 on July 12, 2017, 03:20:56 PM
PBR is never fun. Dumpster fire!
Title: Re: BGP Just Got Fun For Me
Post by: LynK on July 12, 2017, 03:58:04 PM
Quote from: ristau5741 on July 12, 2017, 11:53:06 AM

Wait until you have to perform SNAT and DNAT on packets to get them out of the way of other flows on the same network so you can policy route them. Talk about a troubleshooting nightmare...


Or load-balance them. Take solace in knowing you are not the only one :)



:badass: :haha2: :printer: