![nanog logo](/images/nanog-logo.png)
nanog mailing list archives
Re: Routing Insecurity (Re: BGP in the Washington Post)
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Tue, 02 Jun 2015 15:05:13 +0700
On 2 Jun 2015, at 11:07, Mark Andrews wrote:
If you have secure BGP deployed then you could extend the authenicationto securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic
This can be and is done by networks which originate routes and which practice good network hygiene, no PKI required.
But then we get into the customer of my customer (of my customer, of my customer . . .) problem, and this aren't quite so clear.
There are also potentially significant drawbacks to incorporating PKI into the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and the possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNS space.
Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is?
But nobody seems to be discussing these potential drawbacks, very much. ----------------------------------- Roland Dobbins <rdobbins () arbor net>
Current thread:
- Re: BGP in the Washngton Post, (continued)
- Re: BGP in the Washngton Post Måns Nilsson (Jun 01)
- Re: BGP in the Washngton Post Christopher Morrow (Jun 01)
- RE: BGP in the Washngton Post Jeff Masiello (Jun 01)
- Re: BGP in the Washngton Post Ca By (Jun 01)
- Routing Insecurity (Re: BGP in the Washington Post) Jared Mauch (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Mike Hammett (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Mark Tinka (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Ca By (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Mark Andrews (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Denis Fondras (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Dale W. Carder (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Ethan Katz-Bassett (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 03)
- Re: Routing Insecurity (Re: BGP in the Washington Post) David Mandelberg (Jun 04)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 04)
- Re: Routing Insecurity (Re: BGP in the Washington Post) David Mandelberg (Jun 09)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Valdis . Kletnieks (Jun 09)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Valdis . Kletnieks (Jun 09)
- Routing Insecurity (Re: BGP in the Washington Post) Jared Mauch (Jun 01)
- Re: BGP in the Washngton Post Måns Nilsson (Jun 01)