Securing the BGP or controlling it?

Danny McPherson danny at
Tue May 11 14:13:27 UTC 2010

On May 11, 2010, at 7:32 AM, Nick Hilliard wrote:

> Risk analysis is ass covering without the theatre.  You collect data, make
> a judgement based on that data, and if it turns out that the judgement says
> that signed bgp updates constitute more of a stability risk to network
> operations than the occasional shock problem

So apply the risk management analogy here.  We all know that 
pretty much anyone can assert reachability for anyone else's 
address space inter-domain on the Internet, in particular the 
closer you get to 'the core' the easier this gets.  We also
know that route "leaks" commonly occur that result in outages
and the potential for intercept or other nefarious activity.  
Additionally, we know that deaggregation, and similar events 
result in wide-scale systemic effects.  We also know that 
topologically localized events occur that can impact our reachability, 
whether we're party to the actual fault or not.  We have a slew of 
empirical data to support all of these things, some more high profile 
than others, with route leaks likely occurring at the highest 
frequency (every single day).

I would suspect that the probability of fire affecting your
network availability is very low, as you can fail over to a 
new facility.  OTOH, if you have a route hijack (intentional 
or not) failover to a new facility with that address space 
isn't going to help, and hijacks can be topologically localized 
- the same applies for DDoS.  Yet I suspect your organization
has invested reasonably in fire suppression systems, but the 
asset that matters most that enables the substrate of some 
applications and services that you care about - the availability 
of your address space within the global routing system, has no 
safeguards whatsoever, and can be impacted from anywhere in the 

I'd also venture a guess that we've had more routing issues that 
have resulted in network downtime of critical sites than we have had 
fires (if someone disproves that _nice dinner on me!).

We've got empirical data, we understand the vulnerability and the 
risk (probability of a threat being used).  Put that in your risk 
management equation and consider what assets are most vulnerable
to your organization - I'd venture it's something to do with network, 
and if routing ain't working, network ain't working...

