nanog mailing list archives
Re: Routing Insecurity (Re: BGP in the Washington Post)
From: Danny McPherson <danny () tcb net>
Date: Wed, 03 Jun 2015 13:41:17 -0600
On 2015-06-01 22:07, Mark Andrews wrote:
> If you have secure BGP deployed then you could extend the authentication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic.
I don't believe this is entirely true, and BGPSEC certainly doesn't solve most of what I'm concerned about from a routing security perspective. See, e.g.:
https://tools.ietf.org/html/draft-ietf-grow-simple-leak-attack-bgpsec-no-help-04

That said, an Internet number resource certification infrastructure, be it RPKI or something with a single root and scalable(!), is certainly necessary, and can be used to bootstrap policy databases (e.g., IRRs) that address both the inter-domain routing (e.g., origin "validation") and data plane anti-spoofing security problems, and perhaps not require operators (enterprises and nation states alike) to trade the autonomy and flexibility they have in routing today for what others see as their infrastructure security needs.
After all, stability, resiliency, and availability are ALSO factors in the risk management gumbo that need to be considered by organizations, and the tight coupling of RPKI and BGPSEC as designed is quite possibly not as attractive to some operators as the designers might suggest, particularly in light of new external dependencies, competitive markets, Internet governance, geopolitical climate, etc.
Many that haven't deployed or have lost interest in having the conversation have done so deliberately, and would prefer a routing by rumor paradigm that affords autonomy and flexibility to one where new control points and exorbitant costs and complexity simply scare the heck out of them, the primitives of which surely extend to many of the luminaries quoted in those articles.
YMMV, -danny
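The "bootstrap" use Danny describes, as an added example that is not part of the thread: RFC 6811 route origin validation and a BCP38-style ingress source allow-list, both derived from one constructed ROA set. The prefixes and ASNs are made up, and the simplification that an AS only sources packets from prefixes it is authorized to originate is exactly the assumption the thread is arguing about.

```python
import ipaddress

# Constructed ROA set: (prefix, maxLength, origin ASN). Not real RPKI data.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]


def roas_covering(prefix):
    """ROAs whose prefix covers `prefix` (RFC 6811 'covering ROA')."""
    net = ipaddress.ip_network(prefix)
    out = []
    for p, max_len, asn in ROAS:
        roa_net = ipaddress.ip_network(p)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append((roa_net, max_len, asn))
    return out


def validate_origin(prefix, origin_asn):
    """RFC 6811 validation state for a route: NotFound, Valid or Invalid.

    Valid requires a covering ROA with a matching origin AS whose maxLength
    is not exceeded; a covering ROA that fails either test gives Invalid.
    """
    net = ipaddress.ip_network(prefix)
    covering = roas_covering(prefix)
    if not covering:
        return "NotFound"
    for _, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "Valid"
    return "Invalid"


def bcp38_allow_list(asn):
    """Ingress source-address allow-list for a customer AS, built from its ROAs.

    Simplification (the point under debate): the AS is assumed to emit packets
    only from prefixes it is authorized to originate.
    """
    return sorted(p for p, _, a in ROAS if a == asn)


def source_permitted(asn, src_ip):
    """Would a BCP38 filter built from the ROAs accept this source address?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in bcp38_allow_list(asn))
```

A route that is Invalid because its origin AS is unauthorized and a route that is Invalid because it is more specific than maxLength both land in the same state, which is why the maxLength check is run inside the loop rather than once up front.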