|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: soBGP deployment
On Wed, 25 May 2005, Tony Li wrote: No. As I said, I understand that the results of somebody doing something malicious here would be bad.I know all the issues up there are real, since I've occasionally heard about them happening. I understand the devastating consequences of somebody finding a sufficiently well connected unfiltered BGP session and using it to announce some important prefixes. I fully agree that it should be fixed. And yet, in the nine or so years I've been working on network infrastructure stuff, spoofed BGP announcements have never been a major cause of problems for me.That's what we can say so far. Do you really want to wait until we have a major problem? My point (covered in the paragraph you didn't quote) is that schemes for requiring the authentication of routing information can also cause problems (which could be major if they happen to the wrong prefixes). If we make the network more able to withstand worst case scenarios without doing damage to its ability to be stable in its every day environment, that's a clear win. If, on the other hand, we were to get the network into a situation where it was harder for terrorists to push it over but it fell over on its own with some regularity, that probably wouldn't be an improvement. I'm not saying don't secure BGP. I'm saying be very careful in doing so, if you want to convince network operators to implement it. I'll note that I'm not talking about soBGP specifically. I have read the RFC, but I'm still not sure I understand it sufficiently to pass judgement. -Steve
|