Do Not Complicate Routing Security with Voodoo Economics

Sun Sep 4 10:02:51 UTC 2011

[ http://archive.psg.com/110904.broadside.html ]

	Do Not Complicate Routing Security with Voodoo Economics
			      a broadside

A recent NANOG presentation and SIGCOMM paper by Gill, Schapira, and
Goldberg[1] drew a lot of 'discussion' from the floor.  But that
discussion missed significant problems with this work.  I raise this
because of fear that uncritical acceptance of this work will be used as
the basis for others' work, or worse, misguided public policy.
 o The ISP economic and incentive model is overly naive to the point of
   being misleading, 
 o The security threat model is unrealistic and misguided, and
 o The simulations are questionable.

Basic ISP economics are quite different from those described by the
authors.  Above the tail links to paying customers, the expenses of
inter-provider traffic are often higher than the income, thanks to the
telcos' race to the bottom.  In this counter-intuitive world, transit
can often be cheaper than peering.  I.e. history shows that in the rare
cases where providers have been inclined to such games, they usually
shed traffic not stole it, the opposite of what the paper presumes.  The
paper also completely ignores the rise of the content providers as
described so well in SIGCOMM 2010 by Labovitz et alia[2]

It is not clear how to ‘fix’ the economic model, especially as[3] says
you can not do so with rigor.  Once one starts, e.g. the paper may lack
Tier-N peering richness which is believed to be at the edges, we have
bought into the game for which there is no clear end.

But this is irrelevant, what will motivate deployment of BGP security is
not provider traffic-shifting.  BGP security is, as its name indicates,
about security, preventing data stealing (think banking
transactions[4]), keeping miscreants from originating address space of
others (think YouTube incident) or as attack/spam sources, etc.

The largest obstacle to deployment of BGP security is that the
technology being deployed, RPKI-based origin validation and later
BGPsec, are based on an X.509 certificate hierarchy, the RPKI.  This
radically changes the current inter-ISP web of trust model to one having
ISPs' routing at the mercy of the Regional Internet Registries (RIRs).
Will the benefits of security - no more YouTube incidents, etc. - be
perceived as worth having one's routing at the whim of an
non-operational administrative monopoly?  Perhaps this is the real
economic game here, and will cause a change in the relationship between
the operators and the RIR cartel.

The paper's simulations really should be shown not to rely on the
popular but highly problematic3 Gao-Rexford model of inter-provider
relationships, that providers prefer customers over peers (in fact, a
number of global Tier-1 providers have preferred peers for decades), and
that relationships are valley free, which also has significant
exceptions.  Yet these invalid assumptions may underpin the simulation
results.

---

Randy Bush <randy at psg.com>
Dubrovnik,  2011.9.4

[1] P. Gill, M. Schapira, and S. Goldberg, Let the Market Drive
Deployment: A Strategy for Transitioning to BGP Security, SIGCOMM 2011,
August 2011.
http://conferences.sigcomm.org/sigcomm/2011/papers/sigcomm/p14.pdf

[2] [1] C. Labovitz, S. Iekel-Johnson, D. McPherson, J. Oberheide, and
F. Jahanian, “Internet inter-domain traffic,” in SIGCOMM '10:
Proceedings of the ACM SIGCOMM 2010 conference on SIGCOMM, 2010.

[3] M. Roughan, W. Willinger, O. Maennel, D. Perouli, and R. Bush, 10
Lessons from 10 Years of Measuring and Modeling the Internet's
Autonomous Systems, IEEE Journal on Selected Areas in Communications,
Vol. 29, No. 9, pp. 1-12, Oct. 2011.
https://archive.psg.com/111000.TenLessons.pdf

[4] A. Pilosov, T. Kapela. Stealing The Internet An Internet-Scale Man
In The Middle Attack, Defcon 16, August, 2008.
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf