Routing Insecurity (Re: BGP in the Washington Post)

• Previous message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Next message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2015-06-05 02:40, Roland Dobbins wrote:
> On 5 Jun 2015, at 10:56, David Mandelberg wrote:
>
>> Could you elaborate on your enumeration and DDoS concerns?
>
> Crypto = more overhead.  Less priority to crypto plus DDoS = routing
> update issues.

I don't think there's an update issue here. The crypto verification is 
probably going to be deferred in addition to being low priority. If I 
understand it correctly, this means that a route can be passed along 
right away without waiting for the crypto checks.

> One can infer peering relationships in a way not possible before.

How?

> What about bogus signatures?

If I understand correctly, these routes (and all newly received routes) 
will initially be treated similarly to unsigned routes. Once BGPsec 
validation completes, then local policy determines what to do with the 
validation results.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

• Previous message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Next message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]