Routing Insecurity (Re: BGP in the Washington Post)

• Previous message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Next message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <20150602151233.GA29050 at DOIT-2NW1MRFY-X.doit.wisc.edu>, "Dale W. Car
der" writes:
> Thus spake Roland Dobbins (rdobbins at arbor.net) on Tue, Jun 02, 2015 at 03:05:
> 13PM +0700:
> > 
> > On 2 Jun 2015, at 11:07, Mark Andrews wrote:
> > 
> > >If you have secure BGP deployed then you could extend the authenication
> > >to securely authenticate source addresses you emit and automate
> > >BCP38 filter generation and then you wouldn't have to worry about
> > >DNS, NTP, CHARGEN etc. reflecting spoofed traffic
> > 
> > This can be and is done by networks which originate routes and which
> > practice good network hygiene, no PKI required.

But it is a manual process or trust the information added to this
database is correct.  Automating the process even if it is only at
the customer/isp edge were customer == isp is tagged as a exception
would be a big win.

> > But then we get into the customer of my customer (of my customer, of my
> > customer . . .) problem, and this aren't quite so clear.
> > 
> > There are also potentially significant drawbacks to incorporating PKI into
> > the routing space, including new potential DoS vectors against PKI-enabled
> > routing elements, the potential for enumeration of routing elements, and th
> e
> > possibility of building a true 'Internet kill switch' with effects far
> > beyond what various governmental bodies have managed to do so far in the DN
> S
> > space.

Yes, there are trade offs.  As for that "Internet kill switch", ISP
could theoretically be ordered to block all traffic to a prefix.
I know that this is theoretically possible today with Australian
legistation and basically has been since the very begining as it
is in the telecomunication acts.

> > Once governments figured out what the DNS was, they started to use it as a
> > ban-hammer - what happens in a PKIed routing system once they figure out
> > what BGP is?
> > 
> > But nobody seems to be discussing these potential drawbacks, very much.
> 
> Start here:
>  https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
> 
> Dale
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

• Previous message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Next message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]