Re: Routing Insecurity (Re: BGP in the Washington Post)

[Mark Andrews <marka () isc org>]

In message <CAD6AjGQWs-aKD8axgiRyaYXPB564MswKZsuaOUhjUn--KJXuUg () mail gmail com>
, Ca By writes:
> On Mon, Jun 1, 2015 at 8:21 AM, Mark Tinka <mark.tinka () seacom mu> wrote:
>
> > On 1/Jun/15 17:04, Mike Hammett wrote:
> > > Actually, that's the level of attention given to all kinds of
> > infrastructure just about everywhere. ;-)
> >
> > The difference is that there are standardized (global) guidelines for
> > those infrastructures within their own industry, that lack of compliance
> > can lead to serious fines, jail time or both.
> >
> > A network operator unmaliciously screwing up their BGP configuration and
> > taking one side of a continent out is unlikely to see any punishment
> > beyond being fired by his employer, or losing his customers if
> > self-employed.
> >
> > Mark.
>
>
> Also, the internet usually works pretty good-ish and the janitors clean up
> the messes pretty quick-ish.
>
> That said, i believe the BGP situation is completely hygienic relative to
> the DDoS issues going on that could be solved by BCP38 and otherwise fixing
> poorly admin'd DNS, NTP, CHARGEN, and SSDP nodes.  The aforementioned
> janitors are pretty powerless on this front... and... various parties on
> all side are looking to cash in (booters on one side, web scrubbers on the
> other)... which is a very dangerous arms race with real money on both sides
> looking to escalate the harm / fix.
 
If you have secure BGP deployed then you could extend the authenication
to securely authenticate source addresses you emit and automate
BCP38 filter generation and then you wouldn't have to worry about
DNS, NTP, CHARGEN etc. reflecting spoofed traffic.

> CB
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org