nanog mailing list archives

Re: "Defensive" BGP hijacking?


From: Doug Montgomery <dougm.work () gmail com>
Date: Wed, 14 Sep 2016 11:21:41 -0400

Mel,

If you are speaking of RPKI based origin validation, I am not sure
"automated / global enforcement system" is a useful description.  It does
provide a consistent means for address holders to declare AS's authorized
to announce prefixes, and a means for remote ASs to compare received
updates vs such declarations.  What the receiving AS does with the
validation information is strictly a local policy matter.

Frankly, this is no more a "new automated enforcement system" than
IRR-based route filtering has been for 20 years.  The only difference is
that there is a consistent security model across all 5 RIRs as to who can
make such declarations and it is tightly tied to the address allocation
business process.

I have seen a lot of FUD about the specter of interference, but not a lot
of serious thought / discussion.  Having a serious technical discussion of
potential risks and mitigations in the system would be useful.

dougm

On Wed, Sep 14, 2016 at 10:51 AM, Mel Beckman <mel () beckman org> wrote:

Scott and Doug,

The problem with a new automated enforcement system is that it hobbles
both agility and innovation. ISPs have enjoyed simple BGP management,
entirely self-regulated, for decades. A global enforcement system, besides
being dang hard to do correctly, brings the specter of government
interference, since such a system could be overtaken by government entities
to manhandle free speech.

In my opinion, the community hasn't spent nearly enough time discussing
the danger aspect. Being engineers, we focus on technical means, ignoring
the fact that we're designing our own guillotine.

 -mel beckman

On Sep 14, 2016, at 12:10 AM, Scott Weeks <surfer () mauigateway com> wrote:



--- dougm.work () gmail com wrote:
From: Doug Montgomery <dougm.work () gmail com>

If only there were a global system, with consistent and verifiable security
properties, to permit address holders to declare the set of AS's authorized
to announce their prefixes, and routers anywhere on the Internet to
independently verify the corresponding validity of received announcements.

*cough      https://www.nanog.org/meetings/abstract?id=2846     cough*
------------------------------------------------


Yes, RPKI.  That's what I was waiting for.  Now we can get to
a real discussion... ;-)

scott




-- 
DougM at Work
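The mechanism Doug describes at the top of the thread (address holders declare the ASes authorized to originate their prefixes; a receiving router compares each announcement against those declarations; what it then does is local policy) is the RFC 6811 origin-validation procedure. The following is an added example, not code from this thread or from any RPKI validator: it implements the covers/matches/validity logic over a constructed set of Validated ROA Payloads and then applies an assumed, illustrative local policy. The prefixes and ASNs are documentation and private-use values made up for the example; a real router gets its VRPs from an RPKI cache over RTR rather than from a list in the source.

```python
"""RPKI route origin validation (RFC 6811) plus a sample local policy.

Added example, not code from the NANOG thread.  The VRPs (ROA payloads)
and announcements below are constructed for illustration; a production
validator receives VRPs from an RPKI cache over RTR (RFC 8210).
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Validity(Enum):
    VALID = "Valid"
    INVALID = "Invalid"
    NOT_FOUND = "NotFound"


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, ASN) triple a ROA asserts."""
    prefix: Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP, rejecting maxLength values a ROA may not carry."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return VRP(net, max_length, asn)


def covers(v: VRP, route: Network) -> bool:
    """RFC 6811: a VRP covers a route if the route prefix is equal to or
    more specific than the VRP prefix, regardless of maxLength."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def matches(v: VRP, route: Network, origin_as: int) -> bool:
    """A covering VRP matches if the route is no longer than maxLength and
    is originated by the VRP's ASN.  Origin AS 0 never matches: an AS0 ROA
    (RFC 7607) exists precisely to make every covered announcement Invalid."""
    return (covers(v, route)
            and route.prefixlen <= v.max_length
            and origin_as != 0
            and origin_as == v.asn)


def validate(vrps: Iterable[VRP], prefix: str, origin_as: int) -> Validity:
    """Classify one announcement against the VRP set."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return Validity.NOT_FOUND      # no ROA speaks to this address space at all
    if any(matches(v, route, origin_as) for v in covering):
        return Validity.VALID
    return Validity.INVALID            # covered, but no ROA authorises this origin/length


def local_policy(state: Validity) -> tuple:
    """The local-policy half: what the receiving AS does with the result.
    This mapping (accept?, local_pref) is an assumed, illustrative policy,
    not a recommendation from the thread."""
    return {
        Validity.VALID: (True, 200),
        Validity.NOT_FOUND: (True, 100),
        Validity.INVALID: (False, None),
    }[state]


# Constructed ROA set: documentation prefixes and private-use ASNs only.
VRPS = [
    vrp("192.0.2.0/24", 24, 64496),      # AS64496 may announce exactly the /24
    vrp("198.51.100.0/24", 26, 64497),   # AS64497 may deaggregate down to /26
    vrp("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate this
]


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64499), ("198.51.100.64/26", 64497),
                     ("198.51.100.64/27", 64497), ("203.0.113.0/24", 64496),
                     ("2001:db8::/32", 64496)]:
        state = validate(VRPS, pfx, asn)
        print(f"{pfx} from AS{asn}: {state.value} -> {local_policy(state)}")
```

Two cases are worth noticing when running it: the authorized AS announcing a /25 under a /24 ROA with maxLength 24 is Invalid, not Valid, which is why maxLength is the usual source of self-inflicted Invalids; and an IPv6 prefix with no covering ROA is NotFound, which most operators accept exactly as they would an unsigned route. Both outcomes come from the validation step; only `local_policy` decides whether anything is actually dropped.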

