Re: YouTube IP Hijacking

["Scott Francis" <darkuncle () gmail com>]

On Sun, Feb 24, 2008 at 10:49 PM, Sean Donelan <sean () donelan com> wrote:
>  On Mon, 25 Feb 2008, Steven M. Bellovin wrote:
>  > How about state-of-the-art routing security?
>
>  The problem is what is the actual trust model?
>
>  Are you trusting some authority to not be malicious or never make a
>  mistake?
>
>  There are several answers to the malicious problem.
>
>  There are fewer answers to never making a mistake problem.
[snip]

+5, Insightful.

The focus thus far seems to have been on establishing security on the
basis of trusted senders (SPF for BGP, if you'll pardon my rather
crude analogy). The impact of a mistake-based failure in a trusted
scenario could actually be quite a bit higher than what we've seen
thus far:

1) if data (e.g. routes) from a "trusted" source is allowed into a
network (or used as a basis for decision-making) with minimal
screening, attackers will immediately shift focus to spoofing trusted
sources, just as they currently do in other scenarios;

2) the impact of a typo or other operator error when operating in
"trusted mode" is much higher than that of mistakes from non-trusted
sources (if 17557's upstream had trusted a little less - by not
automatically propagating any new routes that showed up at the front
door - the current incident could very well have amounted to little
more than a log entry somewhere, and perhaps an email).

 I think what you and Steve Bellovin had to say about anti-mistake
protocol and belt-and-suspenders should be garnering at least as much
consideration as prevention of malicious attacks/forgeries/etc.,
considering the percentage of outages caused by operator error vs
those caused by malice ...
-- 
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
  http://darkuncle.net/pubkey.asc for public key