North American Network Operators Group

Re: soBGP deployment
On Mon, 23 May 2005, Edward Lewis wrote:

> 1) Keep the security ancillary data nearby. You might need it when the source of the data is unreachable (perhaps because of an incident like a flood).

That is why in my view soBGP is something that can only be deployed as an after-filter (i.e. one's full BGP mesh is in for decisions about if the routing data is to be passed along to other peers or to IGP).

> 2) Appending signatures is dicey. It has to be all public key and there's never a guarantee that the latest signer hasn't stripped out previous entries. (That could make a longer path seem shorter in order to redirect traffic.)

You do need "trusted third party" to act as PKI root signer. We're lucky because unlike other places, we do have hierarchy with IP addresses and ASNs and NIR is the "root" organization.

--
William Leibzon
Elan Networks
[email protected]