North American Network Operators Group


Re: BGP to doom us all

  • From: Avi Freedman
  • Date: Sat Mar 01 00:09:16 2003

In article <[email protected]> Barry wrote:

: Now - show me an operational environment on the Internet where this authorization
: chain is _working_ today. RIRs and RADB do not count. As you mention before,
: those databases and keeping them up to date are a "pulling teeth" exercise.

Well, while I don't advocate S-BGP *in particular*, I think starting with
something based on in-addr, which is already delegated right down to the
level of an origin AS owner (almost always), is the right idea.

It wouldn't be too hard for me to trust:

4969.24.origin.0.254.200.10.in-addr.arpa returning something like "true."
to check whether 4969 is allowed to originate 10.200.254.0/24.  First
level use of something like that would be for detection of unauthorized
routing, second could be some level of filtering - perhaps eventually
in routing devices, perhaps not.  Want authentication?  DNSSEC perhaps -
but poisoning attacks aside, I assert that if you get root on the in-addr
box for a typical network, there are other problems you can cause anyway,
especially at edge-y type networks.

I think (as usual) we have this political problem with the idea of getting 
routing databases updated, either because of people who don't want others
to see routing policy, or because of those who won't use anything that
isn't 100% complete.  All I assert about that is that building filters
from the existing databases would indeed be silly.

: As mentioned here and NANOGs in the past, our biggest problem is providers not
: using the tools that they have to build incident resistance into today's
: network. 

Agreed.

:> My own opinion is that sophisticated routing attacks are the
:> single biggest threat to the Internet.

Well, I think redistribution attacks and worms that slam connected IPs
with forged-source packets of various types are more worrisome than
people leaking malformed BGP updates or trying mass blackholio attacks
like the 7007 effect.  Those may be sophisticated routing attacks
(the former), but I don't really think so.

Re: S-BGP in particular, I think that the analysis on S-BGP has been...
limited.  Ironic for a security protocol that I haven't seen any
real analysis of the effect on router CPUs when *under attack*.  I
am not saying "oh, the authentication will drive things way too high".
I'm just saying that we don't know because the simulations have used
very conservative parameters.

I have problems with statements from S-BGP-land like -

"Networks upgrade their routers every 2 years" (paraphrase)  
Not the last 2 or the next 1.

"Router CPUs average 50%, and S-BGP adds 10%" (paraphrase)
Average is somewhat less relevant than common peaks.
GSRs and 7500s and 7200s all get up there at 90+% on the real Internet.

And with the assumption that people will be willing to front their big
iron with offboard routing CPU boxes.

I just don't see these things happening.  And even if they could/would,
I think S-BGP needs more paranoid simulation/attack/analysis before it
in particular could be the grand fix.

I like the idea of people being able to START on the authentication
database of ownership/announcement in a distributed fashion, but 
perhaps there are other ways (perhaps DNS-based) of getting there
as well...

: My opinion is that lazy operational practices are the single biggest threat to
: the Internet. What's the point of building security and robustness into a system
: when people choose not to turn it on?

Agreed on point 1!

Not on point 2...  It is still worth considering what security and 
robustness one can build in, esp. those things that allow you to do
something even if the rest of the 'net doesn't...

Avi
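
The in-addr origin check described in the message above, as an added example that is not part of the original post: it builds the query name in the post's format and flags announcements that have no matching record, which is the "detection of unauthorized routing" first-level use. The in-memory zone standing in for DNS, the exact "true." answer value, and the sample announcements (including AS 64500) are constructed assumptions.

```python
import ipaddress

def origin_qname(prefix: str, asn: int) -> str:
    """Build <asn>.<len>.origin.<reversed octets>.in-addr.arpa for an IPv4 prefix."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects prefixes with host bits set
    if net.version != 4:
        raise ValueError("in-addr.arpa covers IPv4 only")
    rev = ".".join(reversed(str(net.network_address).split(".")))
    return f"{asn}.{net.prefixlen}.origin.{rev}.in-addr.arpa"

# Constructed stand-in for the delegated in-addr zone: query name -> answer.
ZONE = {
    "4969.24.origin.0.254.200.10.in-addr.arpa": "true.",
}

def lookup(qname: str, zone=ZONE):
    """Hypothetical resolver: returns the stored answer, or None (like NXDOMAIN)."""
    return zone.get(qname.lower().rstrip("."))

def check_announcements(announcements, zone=ZONE):
    """Classify each (prefix, origin AS) pair seen in a BGP feed."""
    results = []
    for prefix, asn in announcements:
        try:
            qname = origin_qname(prefix, asn)
        except ValueError:
            results.append((prefix, asn, "malformed"))
            continue
        # Only an explicit "true." authorizes; a missing record is flagged.
        verdict = "authorized" if lookup(qname, zone) == "true." else "unauthorized"
        results.append((prefix, asn, verdict))
    return results

# Constructed sample announcements.
ANNOUNCEMENTS = [
    ("10.200.254.0/24", 4969),    # matches the record from the post
    ("10.200.254.0/24", 64500),   # same prefix, different origin AS
    ("10.200.254.128/25", 4969),  # more-specific with no record of its own
    ("10.200.254.1/24", 4969),    # host bits set: not a valid prefix
]

if __name__ == "__main__":
    for prefix, asn, verdict in check_announcements(ANNOUNCEMENTS):
        print(f"{prefix:20} AS{asn:<6} {verdict}")
```

Because the prefix length is part of the name, a more-specific announcement is flagged unless its holder publishes a record for that exact length.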