YouTube IP Hijacking
Scott Francis
darkuncle at gmail.com
Mon Feb 25 11:26:57 UTC 2008
On Sun, Feb 24, 2008 at 10:49 PM, Sean Donelan <sean at donelan.com> wrote:
>
> On Mon, 25 Feb 2008, Steven M. Bellovin wrote:
> > How about state-of-the-art routing security?
>
> The problem is what is the actual trust model?
>
> Are you trusting some authority to not be malicious or never make a
> mistake?
>
> There are several answers to the malicious problem.
>
> There are fewer answers to never making a mistake problem.
[snip]
+5, Insightful.
The focus thus far seems to have been on establishing security on the
basis of trusted senders (SPF for BGP, if you'll pardon my rather
crude analogy). The impact of a mistake-based failure in a trusted
scenario could actually be quite a bit higher than what we've seen
thus far:
1) if data (e.g. routes) from a "trusted" source is allowed into a
network (or used as a basis for decision-making) with minimal
screening, attackers will immediately shift focus to spoofing trusted
sources, just as they currently do in other scenarios;
2) the impact of a typo or other operator error when operating in
"trusted mode" is much higher than that of mistakes from non-trusted
sources (if 17557's upstream had trusted a little less - by not
automatically propagating any new routes that showed up at the front
door - the current incident could very well have amounted to little
more than a log entry somewhere, and perhaps an email).
I think what you and Steve Bellovin had to say about anti-mistake
protocol and belt-and-suspenders should be garnering at least as much
consideration as prevention of malicious attacks/forgeries/etc.,
considering the percentage of outages caused by operator error vs
those caused by malice ...
--
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
http://darkuncle.net/pubkey.asc for public key
More information about the NANOG
mailing list