by msumpter 2896 days ago
According to a post by Job on NANOG, they have been known to submit false or fabricated IRR information to RADB and RIPE: http://seclists.org/nanog/2018/Jun/379

At the end of the day, BGP is a very trusting protocol and it requires keeping the neighborhood clean and clear. IMO providers should be filtering prefixes their clients shouldn't be announcing (à la BCP38), but keeping up on the various IP blocks being shifted around is a paperwork nightmare, I'm sure.
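An added example, not part of the thread: a minimal sketch of the customer prefix filtering the comment above calls for, built from IRR `route`/`route6` objects. The registry data, ASNs, prefixes and the maximum-length policy are constructed assumptions, and the filter is only as trustworthy as the IRR records behind it.

```python
import ipaddress

# Constructed RPSL objects (documentation prefixes, private-use ASNs).
SAMPLE_IRR = """\
route:      192.0.2.0/24
origin:     AS64500

route:      198.51.100.0/24
origin:     AS64500

route6:     2001:db8::/32
origin:     AS64501
"""

def parse_route_objects(text):
    """Return {origin: [ip_network, ...]} from RPSL route/route6 objects."""
    allowed = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            # Split on the first colon only, so IPv6 values stay intact.
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        origin = attrs.get("origin", "").upper()
        if prefix and origin:
            allowed.setdefault(origin, []).append(ipaddress.ip_network(prefix))
    return allowed

def check_announcement(allowed, customer_asns, prefix, as_path,
                       max_len_v4=24, max_len_v6=48):
    """Decide whether a customer announcement passes the filter.

    Assumed policy: the origin AS must belong to the customer, the prefix
    must not be longer than the usual /24 (v4) or /48 (v6) limit, and it
    must sit inside a route object registered for that origin.
    """
    net = ipaddress.ip_network(prefix)
    origin = f"AS{as_path[-1]}"  # last hop in the AS path originates the route
    if origin not in customer_asns:
        return "reject: origin AS not in customer set"
    limit = max_len_v4 if net.version == 4 else max_len_v6
    if net.prefixlen > limit:
        return "reject: too specific"
    for registered in allowed.get(origin, []):
        if net.version == registered.version and net.subnet_of(registered):
            return "accept"
    return "reject: no covering route object for origin"
```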


BGP is still very much built on trust and reputation... At a local IX level, if you were to show up at an IX like the AMS-IX and regularly announce prefixes you have no right to, your company name and AS# would quickly develop the reputation of a rancid turd.
The BGP authentication method doesn't seem very secure, so how do you know who you are trusting?
A properly implemented IX has MAC address filtering on ports. This can of course be spoofed. But there is also a level of security at OSI layer 1 for the physical fiber cross connect from an ISP's panel to the IX's panel.

For instance: If the IX is located on the 15th floor of the building. An ISP might be colocated on the 12th floor. Fiber XC from 12.501.P4.D4 (12th floor, row 5, rack 01, fiber patch panel 4, SC duplex port D4) to 15.201.P1.D4, then a fiber cable from D4 to an SFP+ port on the IX's switch. Unless somebody physically hijacks your fiber crossconnect and moves it (which would be noticed as hard down immediately) it's pretty hard to pretend to be another ISP, from the perspective of the switch fabric operator of the IX.

There is no real need for BGP authentication: if you want to create a peer relationship, it needs to be configured on both routers, then there is a native trust relationship.