Routing Insecurity (Re: BGP in the Washington Post)

Danny McPherson danny at tcb.net
Wed Jun 3 19:41:17 UTC 2015


On 2015-06-01 22:07, Mark Andrews wrote:

> If you have secure BGP deployed then you could extend the 
> authentication
> to securely authenticate source addresses you emit and automate
> BCP38 filter generation and then you wouldn't have to worry about
> DNS, NTP, CHARGEN etc. reflecting spoofed traffic.


I don't believe this is entirely true, and BGPSEC certainly doesn't 
solve most of what I'm concerned about from a routing security 
perspective.  See, e.g.:

https://tools.ietf.org/html/draft-ietf-grow-simple-leak-attack-bgpsec-no-help-04

That said, an Internet number resource certification infrastructure, be 
it RPKI or something with a single root and scalable(!), is certainly 
necessary, and can be used to bootstrap policy databases (e.g., IRRs) 
that address both the inter-domain routing (e.g., origin "validation") 
and data plane anti-spoofing security problems, and perhaps not require 
operators (enterprises and nation states alike) to trade the autonomy 
and flexibility they have in routing today for what others see as their 
infrastructure security needs.

After all, stability, resiliency, and availability are ALSO factors in 
the risk management gumbo that need to be considered by organizations, 
and the tight coupling of RPKI and BGPSEC as designed is quite 
possibly not as attractive to some operators as the designers might 
suggest, particularly in light of new external dependencies, competitive 
markets, Internet governance, geopolitical climate, etc.

Many that haven't deployed or have lost interest in having the 
conversation have done so deliberately, and would prefer a routing by 
rumor paradigm that affords autonomy and flexibility to one where new 
control points and exorbitant costs and complexity simply scare the heck 
out of them, the primitives of which surely extend to many of the 
luminaries quoted in those articles.

YMMV,

-danny
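Added example (not code from this thread or from any RPKI implementation): the two things the message says a resource certification infrastructure can bootstrap, shown on a constructed ROA set. First, RFC 6811 route origin validation (valid / invalid / notfound) of a (prefix, origin AS) pair; second, a BCP38-style ingress filter for a customer ASN derived from the same ROAs, both as a prefix list and as a data-plane source-address check. It also shows the limit the message points at: a route leaked through an unexpected path but carrying the legitimate origin AS is still "valid" to origin validation, because ROV looks at the origin only. The ROA data, the ASNs (private/documentation range) and prefixes (RFC 5737 / RFC 3849 documentation space) are constructed, and the "permit <prefix> le <maxLength>" prefix-list syntax is an assumed generic form to be adapted to the vendor.

```python
"""Origin validation and anti-spoofing filters derived from a ROA set.

Added example, not code from the NANOG thread. ROA data below is
constructed (documentation ASNs and prefixes) and stands in for what an
RPKI validator / RTR feed would hand a router.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength shorter than the prefix or longer than the AF allows."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return ROA(net, max_length, asn)


# Constructed ROA set (hypothetical): AS64496 holds 192.0.2.0/24 and 2001:db8::/32
# (the latter may be de-aggregated down to /48); AS64497 holds 198.51.100.0/24
# and may announce it as anything down to a /26.
ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("198.51.100.0/24", 26, 64497),
    make_roa("2001:db8::/32", 48, 64496),
]


def validate_origin(roas: Sequence[ROA], prefix: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation.

    notfound: no ROA covers the announced prefix.
    valid:    a covering ROA names this origin AS and the announced length
              does not exceed its maxLength.
    invalid:  covering ROAs exist but none matches (wrong AS or too specific).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def classify_announcement(roas: Sequence[ROA], prefix: str, as_path: Sequence[int]) -> str:
    """ROV applied to a received UPDATE: only the rightmost (origin) AS matters.

    A leaked route, e.g. a customer re-announcing a peer's prefix with the
    peer's legitimate origin AS still at the end of the path, passes here.
    Origin validation says nothing about who is in the rest of the path.
    """
    return validate_origin(roas, prefix, as_path[-1])


def prefix_list_for_asn(roas: Sequence[ROA], asn: int) -> List[str]:
    """Ingress route filter for a customer ASN, one line per ROA it holds.

    Assumed generic syntax: 'permit <prefix>' or 'permit <prefix> le <maxLength>'.
    The filter is meant to be followed by an implicit deny of everything else.
    """
    mine = sorted((r for r in roas if r.asn == asn),
                  key=lambda r: (r.prefix.version, r.prefix))
    lines = []
    for r in mine:
        if r.max_length == r.prefix.prefixlen:
            lines.append(f"permit {r.prefix}")
        else:
            lines.append(f"permit {r.prefix} le {r.max_length}")
    return lines


def is_allowed_source(roas: Sequence[ROA], asn: int, src: str) -> bool:
    """Data-plane BCP38 check on a customer-facing interface.

    A packet's source must fall inside a prefix the customer ASN holds a
    ROA for; anything else is spoofed (or mis-homed) and should be dropped.
    """
    ip = ipaddress.ip_address(src)
    return any(ip.version == r.prefix.version and ip in r.prefix
               for r in roas if r.asn == asn)


if __name__ == "__main__":
    print(validate_origin(ROAS, "192.0.2.0/24", 64496))          # valid
    print(validate_origin(ROAS, "192.0.2.0/25", 64496))          # invalid (beyond maxLength)
    print(validate_origin(ROAS, "203.0.113.0/24", 64496))        # notfound
    print(classify_announcement(ROAS, "192.0.2.0/24", [64498, 64496]))  # valid: a leak passes ROV
    print(prefix_list_for_asn(ROAS, 64496))
    print(is_allowed_source(ROAS, 64497, "192.0.2.7"))           # False: not AS64497 space
```

The announcement with path [64498, 64496] is the case the referenced draft is about: nothing in the ROA set distinguishes AS64496 announcing its own prefix from AS64498 passing that announcement on where it should not; a path-aware mechanism or operator policy has to catch that, not origin validation.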




More information about the NANOG mailing list