nanog mailing list archives

Re: do not filter your customers

From: Shane Amante <shane () castlepoint net>
Date: Fri, 24 Feb 2012 13:04:20 -0700

Steve,

On Feb 24, 2012, at 11:10 AM, Steven Bellovin wrote:

On Feb 24, 2012, at 7:46 40AM, Danny McPherson wrote:

On Feb 23, 2012, at 10:42 PM, Randy Bush wrote:

the problem is that you have yet to rigorously define it and how to
unambiguously and rigorously detect it.  lack of that will prevent
anyone from helping you prevent it.


You referred to this incident as a "leak" in your message:

"a customer leaked a full table"

I was simply agreeing with you -- i.e., looked like a "leak", smelled 
like a "leak" - let's call it a leak.

I'm optimistic that all the good folks focusing on this in their day
jobs, and expressly funded and resourced to do so, will eventually
recognize what I'm calling "leaks" is part of the routing security 
problem.

Sure; I don't disagree, and I don't think that Randy does.  But just
because we can't solve the whole problem, does that mean we shouldn't
solve any of it?


Solving for route leaks is /the/ "killer app" for BGPSEC.  I can't understand why people keep ignoring this.

As has been discussed in the SIDR WG, BGPSEC will _increase_ state in BGP, (more DRAM needed in PE's and RR's, crypto 
processors to verify sigs, more UPDATE traffic for beaconing).  And, at the end of the day, ISP's are going to go to 
their customers and say to them:
- BGP convergence may be slower than in the past, because we're shipping sigs around in BGP now
- we can prevent a malicious attack from a random third-party (in the right part of the topology);
- *but* I can't protect you from a 20+ year old problem of a transit customer accidentally -or- maliciously 
stealing/dropping your traffic if they leak routes from one provider to another provider?

As Randy said, we can't even try for a strong technical solution
until we have a definition that's better than "I know it when I see it".


The first step is admitting that we have a problem, then discussing it collectively to try to determine a way to 
prevent said problem from happening.

-shane

Current thread:

Re: do not filter your customers, (continued)
- - - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Dobbins, Roland (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Dobbins, Roland (Feb 24)
    - Re: do not filter your customers Valdis . Kletnieks (Feb 25)
    - Re: do not filter your customers Tom Hill (Feb 25)
    - Looking For Tinet NOC Contact Faisal Imtiaz (Feb 25)
    - Re: do not filter your customers Christopher Morrow (Feb 25)
    - Re: do not filter your customers Dobbins, Roland (Feb 25)
    - Re: do not filter your customers Jeff Young (Feb 24)
    - Re: do not filter your customers Shane Amante (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Geoff Huston (Feb 24)
    - Re: do not filter your customers Leo Bicknell (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Leo Bicknell (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - RE: do not filter your customers George Bonser (Feb 24)
    - Re: do not filter your customers Nick Hilliard (Feb 24)
    - Re: do not filter your customers Nick Hilliard (Feb 24)
    - Re: do not filter your customers Shane Amante (Feb 24)

(Thread continues...)