do not filter your customers
Steven Bellovin
smb at cs.columbia.edu
Fri Feb 24 22:04:43 UTC 2012
On Feb 24, 2012, at 2:26 PM, Danny McPherson wrote:
>
> On Feb 24, 2012, at 1:10 PM, Steven Bellovin wrote:
>
>> But just because we can't solve the whole problem, does that
>> mean we shouldn't solve any of it?
>
> Nope, we most certainly should decompose the problem into
> addressable elements, that's core to engineering and operations.
>
> However, simply because the currently envisaged solution
> doesn't solve this problem doesn't mean we shouldn't
> acknowledge it exists.
>
> The IETF's BGP security threats document [1] "describes a threat
> model for BGP path security", which constrains itself to the
> carefully worded SIDR WG charter, which addresses route origin
> authorization and AS_PATH "semantics" -- i.e., this "leak"
> problem is expressly out of scope of a threats document
> discussing BGP path security - eh?
>
> How the heck we can talk about BGP path security and not
> consider this incident a threat is beyond me, particularly when it
> happens by accident all the time. How we can justify putting all
> that BGPSEC and RPKI machinery in place and not address this
> "leak" issue somewhere in the mix is, err.., telling.
I repeat -- we're in violent agreement that route leaks are
a serious problem. No one involved in BGPSEC -- not me, not Randy,
not anyone -- disagrees. Give us an actionable definition and
we'll try to build a defense. Right now, we have nothing better
than what Justice Potter Stewart once said in an opinion: "I shall
not today attempt further to define the kinds of material I
understand to be embraced within that shorthand description
["hard-core pornography"]; and perhaps I could never succeed
in intelligibly doing so. But I know it when I see it..."
Again -- *please* give us a definition.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
P.S. It was routing problems, including leaks between RIP and either
EIGRP or OSPF (it's been >20 years; I just don't remember), that got
me involved in Internet security in the first place. I really do
understand the issue.