|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: BGP to doom us all
In message <[email protected]>, Bruce Pinsky writes: > >Jim Deleskie wrote: >> >> http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed >> >> Seems the BGP will be the down fall of the internet, the sky is falling the >> sky is falling > > >What a crock of crap. Knowing who someone is doesn't stop them from causing >intentional or unintentional problems. In fact, authentication is more likely > The problem that sBGP is trying to solve is *authorization*, not identification. Briefly -- and please read the papers and the specs before flaming -- every originating AS would have a certificate chain rooted at their local RIR stating that they own a certain address block. If an ISP SWIPs a block to some customer, that ISP (which owns a certificate from the RIR for the parent block) would sign a certificate granting the subblock to the customer. The customer could then announce it via sBGP. The other part sBGP is that it provides a chain of signatures of the entire ASpath back to the originator. Now -- there are clearly lots of issues here, including the fact that the the authoritative address ownership data for old allocations is, shall we say, a bit dubious. And the code itself is expensive to run, since it involves a lot of digital signatures and verifications, especially when things are thrashing because of a major backhoe hit. But -- given things like the AS7007 incident, and given the possibility -- probability? -- that it can happen again, can we afford to not do sBGP? My own opinion is that sophisticated routing attacks are the single biggest threat to the Internet. --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of "Firewalls" book)
|