nanog mailing list archives

Re: BGPSEC & soBGP


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Fri, 16 Jan 2009 21:37:55 -0500

On Sat, 17 Jan 2009 00:14:17 +0000
Naveen Nathan <naveen () calpop com> wrote:

> I came across this article on /.:
> http://www.networkworld.com/news/2009/011509-bgp.html?page=1
>
> I'm not too familiar with security of routing protocols, but it became
> immediately evident as I read this article that much of the work has
> been accomplished with soBGP. I'm wondering why there is a new
> initiative for another technology to secure BGP.

There are two parts to the answer.

First, neither SoBGP nor SBGP, the two primary secured BGP proposals,
have a consensus behind them.  Whether or not either or both do the
job in some objective sense, large segments of the community do not
perceive that they do, and it's not for lack of trying by the
proponents of either.

Second, and more serious, both proposals do have major technical
issues.  SoBGP is very good at protecting origin announcements (and
hence at preventing mistakes), but it doesn't work nearly as well
against deliberate hijacking.  SBGP protects entire path announcements,
but is very heavy-weight and requires many signature verifications,
probably too many.  We need a protocol that solves both of these issues.

-- 
                --Steve Bellovin, http://www.cs.columbia.edu/~smb
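
The trade-off described in the message above, as an added illustration that is not part of the original post and is not code from SoBGP or SBGP: a simplified model in which an origin-only check accepts a path that merely ends in the authorized AS, while a per-hop attestation check rejects it at the cost of one verification per AS. The prefix, AS numbers, function names and the use of HMAC keys in place of per-AS signatures are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data: documentation prefix, private-use AS numbers.
AUTHORIZED_ORIGIN = {"192.0.2.0/24": 64500}
# Assumption: an HMAC key per AS stands in for that AS's signing key pair.
AS_KEYS = {asn: f"key-{asn}".encode() for asn in (64500, 64501, 64502)}

def origin_check(prefix, as_path):
    """Origin-only validation: is the last AS in the path the authorized origin?"""
    return AUTHORIZED_ORIGIN.get(prefix) == as_path[-1]

def attest(signer, prefix, hops, next_as):
    """Signer attests it passed `prefix` with `hops` (origin first) to `next_as`."""
    msg = f"{prefix}|{','.join(map(str, hops))}|{next_as}".encode()
    return hmac.new(AS_KEYS[signer], msg, hashlib.sha256).digest()

def build_attestations(prefix, as_path, receiver):
    """Every AS on the path, origin first, signs its hop toward the next AS."""
    hops = as_path[::-1]
    targets = hops[1:] + [receiver]
    return [attest(a, prefix, hops[:i + 1], targets[i]) for i, a in enumerate(hops)]

def path_check(prefix, as_path, receiver, attestations):
    """Full-path validation. Returns (valid, number_of_verifications)."""
    hops = as_path[::-1]
    targets = hops[1:] + [receiver]
    if len(attestations) != len(hops):
        return False, 0
    for i, asn in enumerate(hops):
        if asn not in AS_KEYS:
            return False, i
        expected = attest(asn, prefix, hops[:i + 1], targets[i])
        if not hmac.compare_digest(expected, attestations[i]):
            return False, i + 1
    return True, len(hops)

def compare():
    prefix, receiver = "192.0.2.0/24", 64510
    good = [64502, 64501, 64500]
    good_att = build_attestations(prefix, good, receiver)
    # Constructed forged path: AS 64666 claims to be adjacent to the real origin
    # and replays the origin's attestation, which was bound to AS 64501.
    forged = [64666, 64500]
    forged_att = [good_att[0], b"\x00" * 32]
    return {
        "good": (origin_check(prefix, good), path_check(prefix, good, receiver, good_att)),
        "forged": (origin_check(prefix, forged), path_check(prefix, forged, receiver, forged_att)),
    }
```

Calling `compare()` shows both paths passing the origin check, while only the legitimate three-hop path passes the path check, after three verifications for a single route.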

