soBGP deployment

william(at)elan.net william at elan.net
Thu May 26 10:23:16 UTC 2005



On Thu, 26 May 2005, Jeroen Massar wrote:

> In short, you mean setting up, e.g., a Quagga box behind the existing core
> infra that one has, feeding it a full feed, which matches the current
> best paths one has in its RIB and verifying the paths.
>
> This is somewhat similar to how the detection of GRH (*1) works already for
> IPv6 tables, that is it nightly fetches the route6 objects from various
> registries(*1) and checks if an AS is registered to be allowed to
> announce a certain prefix, if not it marks it in the looking glass as
> being a bad route which is supposed to be routed from the registered AS.
>
> Now, if BGP would have some signature over the path, one could
> verify this in the same method and have the exact thing happening above.
> GRH sends out mailings every day, though one could of course implement
> the above in realtime. If one would mirror the full table, one could
> even analyze the alternative paths to see if those are valid.
>
> What you mention, does indeed not break current operations and would be
> quite transparent.

If I understand it right, soBGP is kind of like that. In short, the difference
between SBGP and soBGP is that SBGP sends the AS Path as signed data, whereas
in soBGP the AS Path is separate and security is in detached signatures,
which can optionally be sent along in the BGP session as well. There also
seem to be policy differences on how it is determined if a path is good
or bad, but overall the concept is not as bad as I originally thought.

-- 
William Leibzon
Elan Networks
william at elan.net
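
The registry check described in the quoted message (route6 objects compared against the origin AS of each announcement), as an added example that is not part of the original thread and is not GRH's code. The registry dump, prefixes, AS numbers and the covering-prefix matching rule are constructed assumptions.

```python
import ipaddress

# Constructed sample: route6 objects as a registry dump might list them.
# Prefixes and AS numbers come from the documentation ranges.
ROUTE6_DUMP = """\
route6:  2001:db8:1000::/36
origin:  AS64500
source:  EXAMPLE

route6:  2001:db8:2000::/36
origin:  AS64501
source:  EXAMPLE

route6:  2001:db8:2000::/36
origin:  AS64502
source:  EXAMPLE2
"""

def parse_route6(dump):
    """Return {prefix: set of origin ASNs} from blank-line separated objects."""
    registered = {}
    for obj in dump.strip().split("\n\n"):
        attrs = {}
        for line in obj.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line[0].isspace():  # skip continuation lines
                attrs.setdefault(key.strip().lower(), value.strip())
        if "route6" in attrs and "origin" in attrs:
            prefix = ipaddress.ip_network(attrs["route6"])
            asn = int(attrs["origin"][2:])  # drop the leading "AS"
            registered.setdefault(prefix, set()).add(asn)
    return registered

def check_origin(registered, prefix, origin_asn):
    """Classify one announcement as 'ok', 'bad' or 'unregistered'."""
    net = ipaddress.ip_network(prefix)
    # Assumption: an announcement is judged against the most specific
    # registered route6 object that equals or covers it.
    covering = [p for p in registered if net.subnet_of(p)]
    if not covering:
        return "unregistered", set()
    best = max(covering, key=lambda p: p.prefixlen)
    allowed = registered[best]
    return ("ok" if origin_asn in allowed else "bad"), allowed

if __name__ == "__main__":
    reg = parse_route6(ROUTE6_DUMP)
    for pfx, asn in [("2001:db8:1000::/36", 64500), ("2001:db8:1000::/48", 64999),
                     ("2001:db8:f000::/36", 64500)]:  # constructed announcements
        print(pfx, f"AS{asn}", *check_origin(reg, pfx, asn))
```
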



More information about the NANOG mailing list