Re: Feedback Requested: Routing Resilience Manifesto

[William Herrin <bill () herrin us>]

On Wed, Jul 2, 2014 at 2:00 PM, Jared Mauch <jared () puck nether net> wrote:
> No, but how else do you suggest we work to address these problems?
> While a naked run isn't my first choice, I am interested in practical solutions
> and responses.  I've privately and publicly documented some of my challenges
> securing my networks with BCP-38.  While perhaps not obviously related there
> is also the issue of BGP filtering and other things that create a nexus of
> interrelated items.

Hi Jared,

Have you ever known any problem to be solved with stronger awareness
of the rules of whack-a-mole?

The first level of the problem is technical: there's no efficient
protocol for propagating knowledge about acceptable sources from each
link from router to router and not nearly enough TCAM in shipping
models to implement such a protocol if it existed.  Every current
anti-spoofing approach either involves slow and mistake-prone manual
effort or is tied to trivial single-homed routing cases so often
implemented by inept junior staff at third-tier networks.

The second level of the problem is financial -- some customers will
pay you to avoid being victims of the problem but none will pay you to
avoid being facilitators. Protocols, software and TCAMs are expensive.
Far more expensive than the abject lack of penalties, lawsuits,
shutdowns and public shaming which result from the discovery of leaky
origins.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004