nanog mailing list archives
Re: Routing Insecurity (Re: BGP in the Washington Post)
From: Mark Andrews <marka () isc org>
Date: Wed, 03 Jun 2015 12:18:07 +1000
In message <20150602151233.GA29050 () DOIT-2NW1MRFY-X doit wisc edu>, "Dale W. Car der" writes:
Thus spake Roland Dobbins (rdobbins () arbor net) on Tue, Jun 02, 2015 at 03:05: 13PM +0700:On 2 Jun 2015, at 11:07, Mark Andrews wrote:If you have secure BGP deployed then you could extend the authenication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed trafficThis can be and is done by networks which originate routes and which practice good network hygiene, no PKI required.
But it is a manual process or trust the information added to this database is correct. Automating the process even if it is only at the customer/isp edge were customer == isp is tagged as a exception would be a big win.
But then we get into the customer of my customer (of my customer, of my customer . . .) problem, and this aren't quite so clear. There are also potentially significant drawbacks to incorporating PKI into the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and thepossibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNSspace.
Yes, there are trade offs. As for that "Internet kill switch", ISP could theoretically be ordered to block all traffic to a prefix. I know that this is theoretically possible today with Australian legistation and basically has been since the very begining as it is in the telecomunication acts.
Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is? But nobody seems to be discussing these potential drawbacks, very much.Start here: https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf Dale
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka () isc org
Current thread:
- RE: Routing Insecurity (Re: BGP in the Washington Post), (continued)
- RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 10)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Randy Bush (Jun 10)
- RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 10)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Sandra Murphy (Jun 10)
- RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 11)
- RE: Routing Insecurity (Re: BGP in the Washington Post) David Mandelberg (Jun 11)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Christopher Morrow (Jun 11)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Sandra Murphy (Jun 10)
- RE: Routing Insecurity (Re: BGP in the Washington Post) Russ White (Jun 11)
- Re: Routing Insecurity (Re: BGP in the Washington Post) David Mandelberg (Jun 04)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Mark Andrews (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Danny McPherson (Jun 03)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Mark Tinka (Jun 01)
- Re: BGP in the Washngton Post Mark Andrews (Jun 02)
- Re: BGP in the Washngton Post Randy Bush (Jun 02)
- Re: BGP in the Washngton Post Saku Ytti (Jun 03)