nanog mailing list archives

Re: do not filter your customers

From: Steven Bellovin <smb () cs columbia edu>
Date: Fri, 24 Feb 2012 17:04:43 -0500


On Feb 24, 2012, at 2:26 14PM, Danny McPherson wrote:


On Feb 24, 2012, at 1:10 PM, Steven Bellovin wrote:

But just because we can't solve the whole problem, does that
mean we shouldn't solve any of it?


Nope, we most certainly should decompose the problem into 
addressable elements, that's core to engineering and operations.

However, simply because the currently envisaged solution 
doesn't solve this problem doesn't mean we shouldn't 
acknowledge it exists.

The IETF's BGP security threats document [1]  "describes a threat 
model for BGP path security", which constrains itself to the 
carefully worded SIDR WG charter, which addresses route origin 
authorization and AS_PATH "semantics" -- i.e., this "leak" 
problem is expressly out of scope of a threats document
discussing BGP path security - eh? 

How the heck we can talk about BGP path security and not 
consider this incident a threat is beyond me, particularly when it 
happens by accident all the time.  How we can justify putting all 
that BGPSEC and RPKI machinery in place and not address this 
"leak" issue somewhere in the mix is, err.., telling.



I repeat -- we're in violent agreement that route leaks are
a serious problem.  No one involved in BGPSEC -- not me, not Randy,
not anyone -- disagrees.  Give us an actionable definition and
we'll try to build a defense.  Right now, we have nothing better
than what Justice Potter Stewart once said in an opinion: "I shall 
not today attempt further to define the kinds of material I 
understand to be embraced within that shorthand description 
["hard-core pornography"]; and perhaps I could never succeed 
in intelligibly doing so. But I know it when I see it..."

Again -- *please* give us a definition.

                --Steve Bellovin, https://www.cs.columbia.edu/~smb

P.S. It was routing problems, including leaks between RIP and either
EIGRP or OSPF (it's been >20 years; I just don't remember), that got
me involved in Internet security in the first place.  I really do
understand the issue.

Current thread:

Re: do not filter your customers, (continued)
- - - Re: do not filter your customers Randy Bush (Feb 23)
    - Re: do not filter your customers Danny McPherson (Feb 24)
    - Re: do not filter your customers Steven Bellovin (Feb 24)
    - Re: do not filter your customers goemon (Feb 24)
    - Re: do not filter your customers Joe Maimon (Feb 24)
    - Re: do not filter your customers Danny McPherson (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Danny McPherson (Feb 24)
    - Re: do not filter your customers Richard Barnes (Feb 24)
    - Re: do not filter your customers Danny McPherson (Feb 24)
    - Re: do not filter your customers Steven Bellovin (Feb 24)
    - Re: do not filter your customers Jeffrey S. Young (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Dobbins, Roland (Feb 24)
    - Re: do not filter your customers Julien Goodwin (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Dobbins, Roland (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Dobbins, Roland (Feb 24)
    - Re: do not filter your customers Valdis . Kletnieks (Feb 25)
    - Re: do not filter your customers Tom Hill (Feb 25)

(Thread continues...)