soBGP deployment

Edward Lewis Ed.Lewis at neustar.biz
Mon May 23 16:18:08 UTC 2005


At 11:27 -0400 5/23/05, Larry J. Blunk wrote:

>    I suspect this was due to the fact that template submissions
>were not fully automated at the time and required human
>review (disclaimer: I worked for the MichNet side of Merit
>back then and was not intimately familiar with PRDB
>operations).

It could have been the tools.  (I can't argue, I wasn't there.)

Here's another thought.  Much like the comparison of SSH and DNSSEC 
in this reply of mine from last March:
     http://www.merit.edu/mail.archives/nanog/2005-03/msg00694.html

I.e., the "mythical core" needs work.  This time it's the address 
organizations and routing elements.

Yet another thought.  Skimming through this thread, and only being 
slightly aware of sBGP and soBGP in past years, some concepts remind 
me of work under DARPA's Active Nets research done in the late 90's. 
(http://www.darpa.mil/ato/programs/activenetworks/actnet.htm)

Some things I learned then:

1) Keep the security ancillary data nearby.  You might need it when 
the source of the data is unreachable (perhaps because of an incident 
like a flood).

2) Appending signatures is dicey.  It has to be all public key and 
there's never a guarantee that the latest signer hasn't stripped out 
previous entries.  (That could make a longer path seem shorter in 
order to redirect traffic.)

IMHO - the inherent problem is that a router is trying to work inside 
the plane of activity (meaning it can only talk to its nearest 
neighbors), but it takes the view point of something with ubiquitous 
knowledge to know if everything is cool.  How can you do this 
without a trusted third party involved somewhere, in a way that is 
not obtrusive (whether at registration time or at run time)?

Dijkstra's shortest path algorithm (an example IGP) works "in the 
plane" because it manages to mimic the ubiquitous view.  You aren't 
afraid that someone is "not playing by the rules."  When you are 
working with security (algorithms), you don't have that safety belt.

And a final thought...

Security ought to not make the system being protected brittle.  Like 
the example of routing changes being held up until the paperwork went 
through - maybe an improvement in tools will enable this.  But think 
of the long term impact - who will be paying to keep the tools and 
system up to date?

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

If you knew what I was thinking, you'd understand what I was saying.
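The second lesson above, an append-only signature chain that the latest signer can quietly shorten, as an added example that is not part of Ed Lewis's message and not code from the soBGP or S-BGP specifications. It simulates both designs in Go with Ed25519 keys: a naive scheme in which each AS signs only the prefix and its own ASN, and a nested scheme in which each AS also signs over the path so far and the ASN it forwards the route to (the S-BGP route-attestation idea in simplified form). The ASNs, the prefix, the in-memory key directory, the message encoding and every function name are constructed for this example; what it shows is that the receiving AS accepts a truncated path under the first scheme and rejects it under the second.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// announcement is a route as it arrives at the verifying AS: the prefix, the AS path,
// and one signature per hop, appended in the order the route travelled.
type announcement struct {
	prefix string
	path   []uint32
	sigs   [][]byte
}

// keypair makes a signing key for one ASN. pubs stands in for the key directory the
// routing infrastructure would have to publish; privs stays with each AS.
func keypair(asn uint32, pubs map[uint32]ed25519.PublicKey, privs map[uint32]ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubs[asn], privs[asn] = pub, priv
}

// hopMsg is the byte string hop i of path signs. Naive scheme: only the prefix and the
// hop's own ASN, so nothing ties a signature to its neighbours. Nested scheme: the prefix,
// the path up to and including hop i, and the ASN the route is forwarded to (the verifier
// for the last hop), so dropping an earlier hop changes what every later hop signed over.
func hopMsg(prefix string, path []uint32, i int, verifier uint32, nested bool) []byte {
	if !nested {
		return []byte(fmt.Sprintf("%s|%d", prefix, path[i]))
	}
	next := verifier
	if i+1 < len(path) {
		next = path[i+1]
	}
	return []byte(fmt.Sprintf("%s|%v|%d", prefix, path[:i+1], next))
}

// propagate walks the route origin -> ... -> last hop -> verifier, each hop appending its signature.
func propagate(prefix string, path []uint32, verifier uint32, privs map[uint32]ed25519.PrivateKey, nested bool) announcement {
	a := announcement{prefix: prefix, path: path}
	for i, asn := range path {
		a.sigs = append(a.sigs, ed25519.Sign(privs[asn], hopMsg(prefix, path, i, verifier, nested)))
	}
	return a
}

// stripHop models the failure mode in the message: hop i and its signature are removed,
// so the path arrives one hop shorter than it really was.
func stripHop(a announcement, i int) announcement {
	return announcement{a.prefix,
		append(append([]uint32{}, a.path[:i]...), a.path[i+1:]...),
		append(append([][]byte{}, a.sigs[:i]...), a.sigs[i+1:]...)}
}

// verify is the receiving AS's check: every hop must be in the directory and its
// signature must cover exactly what the scheme says it should.
func verify(pubs map[uint32]ed25519.PublicKey, a announcement, verifier uint32, nested bool) bool {
	if len(a.path) == 0 || len(a.sigs) != len(a.path) {
		return false
	}
	for i, asn := range a.path {
		pub, ok := pubs[asn]
		if !ok || !ed25519.Verify(pub, hopMsg(a.prefix, a.path, i, verifier, nested), a.sigs[i]) {
			return false
		}
	}
	return true
}

// results records, per scheme, whether the honest and the truncated announcement are accepted.
type results struct {
	naiveHonest, naiveStripped, nestedHonest, nestedStripped bool
}

// demo uses constructed documentation values: ASNs 64496-64498 on the path, 64499 verifying.
func demo() results {
	const prefix, verifier = "192.0.2.0/24", uint32(64499)
	path := []uint32{64496, 64497, 64498}
	pubs, privs := map[uint32]ed25519.PublicKey{}, map[uint32]ed25519.PrivateKey{}
	for _, asn := range path {
		keypair(asn, pubs, privs)
	}
	naive := propagate(prefix, path, verifier, privs, false)
	nested := propagate(prefix, path, verifier, privs, true)
	return results{
		naiveHonest:    verify(pubs, naive, verifier, false),
		naiveStripped:  verify(pubs, stripHop(naive, 1), verifier, false), // truncation passes
		nestedHonest:   verify(pubs, nested, verifier, true),
		nestedStripped: verify(pubs, stripHop(nested, 1), verifier, true), // truncation caught
	}
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

`go run` prints `{naiveHonest:true naiveStripped:true nestedHonest:true nestedStripped:false}`. The nested scheme also makes the first lesson's cost visible: the verifier needs every hop's public key on hand, so the directory has to be cached near the router if verification is to keep working while its source is unreachable.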


