nanog mailing list archives

Re: Routing Insecurity (Re: BGP in the Washington Post)


From: Ethan Katz-Bassett <ethan () cs washington edu>
Date: Wed, 03 Jun 2015 02:04:31 +0000

The same folks also followed up that workshop paper with a longer paper on
the topic:
https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf

On Tue, Jun 2, 2015 at 8:16 AM Dale W. Carder <dwcarder () wisc edu> wrote:

Thus spake Roland Dobbins (rdobbins () arbor net) on Tue, Jun 02, 2015 at
03:05:13PM +0700:

On 2 Jun 2015, at 11:07, Mark Andrews wrote:

If you have secure BGP deployed then you could extend the authentication
to securely authenticate source addresses you emit and automate
BCP38 filter generation and then you wouldn't have to worry about
DNS, NTP, CHARGEN etc. reflecting spoofed traffic

This can be and is done by networks which originate routes and which
practice good network hygiene, no PKI required.

But then we get into the customer of my customer (of my customer, of my
customer . . .) problem, and things aren't quite so clear.

There are also potentially significant drawbacks to incorporating PKI into
the routing space, including new potential DoS vectors against PKI-enabled
routing elements, the potential for enumeration of routing elements, and the
possibility of building a true 'Internet kill switch' with effects far
beyond what various governmental bodies have managed to do so far in the DNS
space.

Once governments figured out what the DNS was, they started to use it as a
ban-hammer - what happens in a PKIed routing system once they figure out
what BGP is?

But nobody seems to be discussing these potential drawbacks, very much.

Start here:
 https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf

Dale


