nanog mailing list archives

Re: Routing Insecurity (Re: BGP in the Washington Post)


From: David Mandelberg <david () mandelberg org>
Date: Thu, 04 Jun 2015 23:56:01 -0400

On 06/03/2015 04:27 AM, Roland Dobbins wrote:
> (not to mention the
> enumeration and enhanced DDoS impact of packeting routers doing crypto
> for their BGP sessions and which aren't protected via iACLs/GTSM).

Could you elaborate on your enumeration and DDoS concerns? If you're
concerned about the public finding out exactly how many routers you have
because you've published one BGPsec router key per router, you can
choose to use the same router key on multiple routers. If you're
concerned about all the crypto work overloading a router, the plan (as
far as I've heard) is for the routers to do the BGPsec crypto work in
the background as a low priority. I.e., incoming signed routes will
initially be treated like unsigned routes, and the BGPsec validation
will be kicked off in the background. Once the validation is complete,
then routing decisions can be made based on the BGPsec validity.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
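The deferred-validation scheme described in the reply above, modelled as an added example (not code from the post or from any BGPsec implementation): signed routes are usable on arrival exactly like unsigned ones, a low-priority backlog verifies them later, and best-path selection only starts preferring or excluding routes once a verdict exists. The HMAC-SHA256 stand-in for the BGPsec ECDSA path signature, the router keys, and the best-path policy are assumptions of this model.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass

# Stand-in for BGPsec path signatures: HMAC-SHA256 keyed with the signing
# router's key. Constructed for this model; not the real ECDSA P-256 format.
ROUTER_KEYS = {65001: b"constructed-key-65001", 65002: b"constructed-key-65002"}

def sign_path(signer_asn, prefix, path):
    msg = f"{prefix}|{'-'.join(map(str, path))}".encode()
    return hmac.new(ROUTER_KEYS[signer_asn], msg, hashlib.sha256).digest()

@dataclass
class Route:
    prefix: str
    path: tuple
    signer: int = 0          # 0 means the route carries no signature
    sig: bytes = b""
    state: str = "unsigned"  # unsigned | pending | valid | invalid

class Rib:
    """Routes count as soon as they arrive; signature checks go to a
    low-priority backlog drained only when the router has spare cycles."""
    def __init__(self):
        self.routes = []
        self.backlog = deque()

    def receive(self, route):
        if route.sig:
            route.state = "pending"  # treated like an unsigned route for now
            self.backlog.append(route)
        self.routes.append(route)

    def validate_next(self):
        """Background task: verify one queued route. Returns False when idle."""
        if not self.backlog:
            return False
        r = self.backlog.popleft()
        known = r.signer in ROUTER_KEYS
        expected = sign_path(r.signer, r.prefix, r.path) if known else b""
        r.state = "valid" if known and hmac.compare_digest(expected, r.sig) else "invalid"
        return True

    def best(self, prefix):
        """Assumed local policy: valid beats pending/unsigned, invalid is never
        used, and a shorter AS path breaks ties."""
        rank = {"valid": 0, "pending": 1, "unsigned": 1}
        cands = [r for r in self.routes if r.prefix == prefix and r.state in rank]
        return min(cands, key=lambda r: (rank[r.state], len(r.path)), default=None)
```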
