Do Not Complicate Routing Security with Voodoo Economics
owen at delong.com
Mon Sep 5 18:34:44 UTC 2011
On Sep 5, 2011, at 8:36 AM, Joe Maimon wrote:
> Owen DeLong wrote:
>> On Sep 5, 2011, at 7:24 AM, Jennifer Rexford wrote:
>>>> One could argue that rejecting routes which you previously had no way to
>>>> know you should reject will inherently alter the routing system and that this
>>>> is probably a good thing.
>>> Good point. Also, "tie breaking" in favor of signed-and-verified routes over not-signed-and-verified routes does not necessarily affect your traffic "positively or negatively" -- rather, if you are letting an arbitrary final tie break make the decision anyway, you are arguably *neutral* about the outcome...
>>> -- Jen
>> This is true in terms of whether you care or not, but, if one just looks at whether it changes the content of the FIB or not, changing which arbitrary tie breaker you use likely changes the contents of the FIB in at least some cases.
>> The key point is that if you are to secure a previously unsecured database such as the routing table, you will inherently be changing the contents of said database, or, your security isn't actually accomplishing anything.
> Except if you believe we have been lucky until now and security is all about the future where we may be less lucky.
I'm pretty sure that there is actually a fair amount of pollution in the routing table today and that it will only get worse until we have some form of security.
I believe that most spammers operate by advertising hijacked prefixes for short periods of time and then going away before people can react.
Since there have been multiple instances of proof of my above belief, I would find it very hard to believe we have been lucky until now.
> What I would be interested in seeing is a discussion on whether any anti-competitive market distortion incentives exist for large providers in adopting secured BGP. We might be lucky there too.
Of course they do. We probably won't get particularly lucky there, either.
> Perhaps this will finally help solve the routing slot scalability problem. Might also jumpstart LISP. Which may put some more steam into v6. Welcome to the brave new internet.
Probably not. I really doubt it will do much to help LISP.
Contrary to many people's opinions, I think that IPv4 address shortage and the coming costs of attempting to maintain IPv4 on life support will put more steam into IPv6 than any artificial move we could make in this area.
> Good for everyone, right?
IPv6 is good for everyone whether they realize it or not.
LISP I'm not as convinced.
> Are you feeling lucky?
No, not really.