Re: soBGP deployment

["Steven M. Bellovin" <smb () cs columbia edu>]

In message <Pine.LNX.4.61.0505212143090.1930 () netcore fi>, Pekka Savola writes:
> On Sat, 21 May 2005, Randy Bush wrote:
> > something like it, for sure.  but i vastly prefer the s-bgp
> > approach as it maps closely to bgp operational reality, and does
> > not rely on a published policy database, which we have seen fail
> > for over a decade, etc.
>
> So, can someone point out the important operational differences 
> between the two?
>
> > From 10K feet view, the only major difference seems to be that sBGP 
> also wants to protect the BGP sessions w/ IPsec all in one solution. 
> (Personally, I don't care about that all that much, and I have some 
> doubts whether this is a good approach for deployability in mind.)

The IPsec piece is actually the least important part of the difference.
> Maybe the important operational differences are only observable 
> from 1K feet view ?

Fundamentally, the answer to this question is this: how accurate do you 
think the routing registries are?

Both do a good job preventing fraud at the putative point of origination
of the route announcement.  This is obviously the most common form of 
attack.

With SBGP, each node signs the BGP statements it's about to send out.  
The accuracy of the security statement is thus linked to the 
transmission process.  With SO-BGP, the security against in-path 
attacks (or cut-and-paste attacks; see below) relies on a secure 
version of the routing registry.  If an AS forgets to update its 
routing registry to reflect new BGP adjacencies, paths containing them 
will be dropped by SO-BGP listeners.  If old adjacencies aren't 
deleted, routes that shouldn't be accepted will be.  In other words, 
there's a lot less coupling between the transmission process and its 
security properties.  Look at it this way: do you think that (a) most 
sites will publish their policies in the registry, and (b) they'll 
remember to update them?  As Randy has noted, we have a decade of 
experience suggesting that neither is true.  

Let me add a word about cut-and-paste attacks.  A signed origin 
statement asserts that some AS owns some prefix.  That statement will 
be readily available.  A nefarious site could cut that statement from 
some actual BGP session and prepend it to its own path announcement.  
That would add a hop, but many ASs will still prefer it and route 
towards the apparent owner through the nefarious site.  The nefarious 
site wouldn't forward such packets, of course; it would treat the 
packets as its own.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb