Bellovin sez...

They could, that is, unless everyone to whom the hacker attached was
doing ingress BGP filtering for all peers/downstreams. I'm sure my
Merit RA comrades would be glad to jump in with a plug that IRR and
route servers could help facilitate this, as would the varied groups
that are working on authenticating network allocations of incoming
routes. But that of course was your point. :slight_smile:

--eric <ducking in case he started a religious war>

jumping in with a plug that the IRR and the route servers could help
facilitate this.... *grin*

-abha <ducking behind eric so he gets hit first..>

Forgive my directness, but there was no _new_ data at all
in what the referenced URL quoted Steve/Matt as saying.

Much of this goes (in the public literature) at least
back to Steve's paper in ACM CCR in the late 80s. Others of
it has been documented elsewhere in the public literature
since then.

Also note that clever operators _are_ taking steps like:
  - pushing vendors towards SNMPv3 with real security
  - deploying OSPF MD5 authentication/RIP MD5 authentication
  - deploying the TCP MD5 option to protect BGP sessions
  - using route servers
  - deploying Kerberos/SSH/IPsec to secure login connections
    to servers & disallowing unprotected connections
  - deploying IETF OTP or Bellcore S/Key on routers
  - ...