Incrementally deployable secure Internet routing: operator survey

Job Snijders job at fastly.com
Sat Dec 18 00:22:29 UTC 2021


Hi all,

On Fri, 17 Dec 2021 at 19:50, Adrian Perrig <perrig at gmail.com> wrote:

> other proposed approaches such as RPKI that only protects a route’s origin
> first AS, or BGPsec that requires widespread adoption and significant
> infrastructure upgrades.
>


For both RPKI-based BGP Route Origin Validation and RPKI-based BGPsec -
that meme “widespread adoption is a prerequisite to benefit” is somewhat
annoying in getting widespread adoption going. Plz Stop It! :-)

In my opinion, global scale BGP routing security does *not* depend on
concepts like “herd immunity”. Rather, I would frame “BGP routing security”
as a problem requiring selfish acts, not collective action. The benefits
become immediately available to you and your EBGP peer (who agreed to
participate in the effort). Commercial incentives align with upgrading
(both transport capacity and security) one peer at a time.

All of RPKI ROV, BGPsec, ASPA/peerlock, and even older plain-text stuff
like “IRR” are incrementally deployable technologies; because how else
would one ever get anything deployed in fast-and-wide growing
multiple-operator networks such as the Internet? Nothing happens at the
same time. But when it happens, it progresses at the pace of decades, at
times so slow one might think the paint isn’t drying on the wall.

BGP sessions “worth protecting” usually are the revenue generating/cost
reduction sessions, and as such usually are assigned highest LOCAL_PREF. I
think this property has interesting implications on how routing security
features become available and are demanded from others throughout the
ecosystem. For most networks at the edge, the private peering sessions also
are the BGP sessions with the least BGP state on either side, compared to
say upstream.

The “significant upgrades” aspect is just part of the job and happens no
matter what. Every network replaces all their kit at some point in time;
but sometimes it takes as long as ten to fifteen years! The good news is
that every replacement also comes with improved cryptographic op
accelerators in the CPU and more memory; and it all seems to be converging
towards commonly available general purpose computing systems on which
people can run any BGP stack they want.

I’m bullish on BGP routing security tech already specified and published
through the IETF process :-)

Kind regards,

Job
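The "selfish act" framing above rests on how RPKI Route Origin Validation actually works: the validating router compares each received route against ROAs it already holds locally, so the outcome does not depend on whether the announcing network, or anyone else, has deployed anything. The following is an added example (not code from this message or from any NANOG poster) that implements the RFC 6811 origin-validation algorithm in Python over a constructed set of ROAs and received routes; the prefixes and ASNs are documentation values chosen for illustration, and `rov_policy` is a hypothetical import-policy helper that simply rejects Invalid routes and accepts Valid and NotFound ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength and authorized origin ASN."""
    prefix: IPNetwork
    max_length: int
    asn: int  # asn == 0 is an AS0 ROA: no origin may announce the prefix


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, asn)


# Constructed ROA set (documentation prefixes and ASNs; assumption for this example).
ROAS = [
    roa("192.0.2.0/24", 24, 64500),
    roa("2001:db8::/32", 48, 64501),
    roa("198.51.100.0/24", 24, 0),  # AS0 ROA: nothing should originate this
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'.

    Only ROAs whose prefix covers the announced prefix are considered.
    If none cover it, the route is NotFound. If a covering ROA names the
    origin ASN and the announced length is within maxLength, it is Valid.
    Otherwise it is Invalid (wrong origin, too-specific, or AS0 ROA).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [
        r for r in roas
        if r.prefix.version == net.version and net.subnet_of(r.prefix)
    ]
    if not covering:
        return "notfound"
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def rov_policy(routes, roas=ROAS):
    """Hypothetical import policy: drop Invalid, keep Valid and NotFound.

    `routes` is an iterable of (prefix, origin_asn) tuples as received from
    one EBGP neighbor. Returns a list of (prefix, origin_asn, state, accepted).
    Note that nothing here depends on the neighbor's own deployment status.
    """
    decisions = []
    for prefix, origin in routes:
        state = validate_origin(prefix, origin, roas)
        decisions.append((prefix, origin, state, state != "invalid"))
    return decisions


# Constructed routes as a single EBGP peer might announce them.
RECEIVED = [
    ("192.0.2.0/24", 64500),       # matches ROA exactly -> valid
    ("192.0.2.0/25", 64500),       # right origin, exceeds maxLength -> invalid
    ("192.0.2.0/24", 64510),       # covered, wrong origin -> invalid
    ("203.0.113.0/24", 64502),     # no covering ROA -> notfound
    ("198.51.100.0/24", 64503),    # covered only by AS0 ROA -> invalid
    ("2001:db8:1::/48", 64501),    # within maxLength 48 -> valid
]

if __name__ == "__main__":
    for prefix, origin, state, accepted in rov_policy(RECEIVED):
        print(f"{prefix:18} AS{origin}  {state:8} {'accept' if accepted else 'reject'}")
```

The policy stage is deliberately minimal; a production router would typically set a community or adjust LOCAL_PREF per validation state rather than only accept or reject, but the point stands that every input to the decision is held by the validating network itself.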
