nanog mailing list archives
Re: soBGP deployment
From: Tony Li <tony.li () tony li>
Date: Mon, 23 May 2005 22:25:54 -0700
-- You must not rely on routing to secure routing.
I would like to point out that this goal is unnecessary.

First, we need to understand that for ANY solution to be deployable, it must be incrementally deployable. We do not get an Internet-wide flag day for BGP. The Internet must continue to function, regardless of the percentage of NLRI that are actually authenticated. For the foreseeable future, we will need to have a path selection policy that rejects any information that clearly fails authentication, continues to use unauthenticated prefixes, and prefers authenticated vs. unauthenticated.

Second, validating a certificate must be doable even if the router is using unauthenticated prefixes to do so. Remember that the crypto properties of a certificate must make it unforgeable, and that routers must have at least one reference point in the web of trust. If the route to the root of that web is spoofed, then the crypto will not be able to validate any other certificates in the web, but this is NOT an authentication failure -- the related NLRI are just unauthenticated, not unusable. Obviously, authenticating the root certificate NLRI is our top priority, but the system MUST continue to operate even without this. This is the only way to truly address the chicken and egg problem.

I think that this also highlights the need for multiple, diversely routed certificate authorities.

Tony
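The three-way policy described in the message above (reject what clearly fails authentication, keep using unauthenticated routes, prefer authenticated ones), sketched as an added example that is not part of the original post or of any soBGP code. The `Route` fields, the CA names, the precomputed `cert_valid` verdict standing in for the cryptographic check, and the AS-path tie-breaker are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Auth(IntEnum):
    FAILED = 0           # certificate was checked and is clearly invalid: reject
    UNAUTHENTICATED = 1  # no verdict possible: still usable
    AUTHENTICATED = 2    # certificate validated: preferred

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple
    cert_valid: Optional[bool]  # None = no certificate attached (assumed stand-in for the crypto result)
    ca: Optional[str] = None    # hypothetical name of the issuing CA

def classify(route, reachable_cas):
    if route.cert_valid is None:
        return Auth.UNAUTHENTICATED
    if route.ca not in reachable_cas:
        # The chain cannot be checked right now; this is not an
        # authentication failure, so the route stays usable.
        return Auth.UNAUTHENTICATED
    return Auth.AUTHENTICATED if route.cert_valid else Auth.FAILED

def select_best(routes, reachable_cas):
    scored = [(classify(r, reachable_cas), r) for r in routes]
    usable = [(a, r) for a, r in scored if a is not Auth.FAILED]
    if not usable:
        return None
    # Prefer authenticated over unauthenticated, then the shorter AS path
    # (a simplified stand-in for the rest of the BGP decision process).
    return max(usable, key=lambda ar: (ar[0], -len(ar[1].as_path)))

# Constructed sample candidates for one documentation prefix.
BAD = Route("192.0.2.0/24", (64500, 64510), cert_valid=False, ca="ca-1")
GOOD = Route("192.0.2.0/24", (64501, 64511, 64512), cert_valid=True, ca="ca-1")
PLAIN = Route("192.0.2.0/24", (64502,), cert_valid=None)
ROUTES = [BAD, GOOD, PLAIN]

if __name__ == "__main__":
    print(select_best(ROUTES, {"ca-1"}))  # CA reachable
    print(select_best(ROUTES, set()))     # no CA reachable
```

With the CA reachable, the longer but authenticated path wins and the invalid one is dropped; with no CA reachable, nothing is rejected and selection falls back to ordinary path preference.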