BGPMON Alert Questions

Sharon Goldberg goldbe at cs.bu.edu
Fri Apr 4 03:06:22 UTC 2014


On Thu, Apr 3, 2014 at 8:50 PM, Randy Bush <randy at psg.com> wrote:
>
> > Good point, which makes me ask: So which 5 to 10 networks,
> > implementing source validation, could result in the greatest
> > "coverage" or "protection" for the largest part of the Internet
>
> to the best of my knowledge, no one has looked at this for origin
> validation.  sharon goldberg and co-conspirators have done a lot
> of work in the area, see her pubs at https://www.cs.bu.edu/~goldbe/.
> but the concentration seems to be on bgpsec which deploys quite
> differently

Right, we (and others) have not looked at the efficacy of a partial
deployment of origin validation (using the RPKI) yet.

But, we did look at partial deployments of BGPSEC.  We found that a large
number of networks (around 50% of ASes) need to deploy BGPSEC before its
security benefits really kick in.  The reasons for this include (1) routing
policies during partial deployment might not prioritize the BGPSEC validity
over its AS path or local pref, (2) you need every node on an AS path to
deploy BGPSEC before it works.  Full paper here:
https://www.cs.bu.edu/~goldbe/papers/partialSec.pdf

We also looked at prefix filtering and found that it has better partial
deployment characteristics. Our analysis assumed that ISPs only filter
routes from their *stub* customers. (We defined a stub as an AS that does not
have its own customers.)  Then we looked at the fraction of attacks that
would be eliminated, if the X largest ISPs correctly implemented prefix
filtering. ("Large" was measured in terms of the number of customer ASes
the ISP had.)  See Figure 18 on pg 15 of this paper, and the text
explaining it in the middle of the right column on pg 15:
http://research.microsoft.com/pubs/120428/BGPAttack-full.pdf

Finally, like Randy says, RPKI deploys quite differently from BGPSEC. My
intuition says that (1) once the RPKI is fully populated with ROAs for all
originated prefixes, then (2) a partial deployment of origin validation at
a few large ISPs should be fairly effective. But I would have to validate
this with experiments before I can be sure, or say exactly how many ISPs,
etc.

Sharon

-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe
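The prefix-filtering coverage analysis described in the message above (rank ISPs by number of customer ASes, assume the X largest filter routes from their stub customers, count how many attacks that eliminates) can be sketched as a small simulation. The following is an added example and not code from the paper or from the poster; it uses a constructed toy AS topology and a deliberately simplified attack model, chosen here as an assumption: only bogus announcements originated by stub ASes are counted, and such an announcement is treated as eliminated only when every provider of that stub is filtering (a multi-homed stub with one non-filtering provider still gets through). The paper's graph and attack model are considerably richer.

```python
"""Toy model of partial prefix-filtering deployment on an AS graph.

Assumption (not from the paper): an attack is a bogus origin announced by a
stub AS, and it is blocked only if all of that stub's providers filter.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed sample topology: provider ASN -> list of customer ASNs.
# ASes 20 and 21 are mid-tier providers; 14 is a multi-homed stub (providers 2 and 3).
CUSTOMERS = {
    1: [10, 11, 12, 20],
    2: [13, 14, 20],
    3: [14, 15, 21],
    20: [16, 17],
    21: [18],
}


def providers_of(customers):
    """Invert the provider->customers map into customer->set(providers)."""
    prov = defaultdict(set)
    for provider, cust_list in customers.items():
        for c in cust_list:
            prov[c].add(provider)
    return prov


def stubs(customers):
    """Stub = an AS with no customers of its own (the definition used in the message)."""
    every_as = set(customers) | {c for cs in customers.values() for c in cs}
    return {a for a in every_as if not customers.get(a)}


def rank_isps(customers):
    """ISPs ordered by number of customer ASes, largest first (ASN breaks ties)."""
    return sorted(customers, key=lambda a: (-len(customers[a]), a))


def filtered_fraction(customers, x):
    """Fraction of stub-originated attacks eliminated when the x largest ISPs
    filter routes from their stub customers.  Returns an exact Fraction."""
    filtering = set(rank_isps(customers)[:x])
    prov = providers_of(customers)
    all_stubs = stubs(customers)
    # A stub's bogus announcement is dropped only if every one of its providers filters.
    blocked = {s for s in all_stubs if prov[s] and prov[s] <= filtering}
    return Fraction(len(blocked), len(all_stubs))


def deployment_curve(customers):
    """Coverage for x = 1 .. number of ISPs, i.e. the shape of a Figure-18-style plot."""
    return [filtered_fraction(customers, x) for x in range(1, len(customers) + 1)]


if __name__ == "__main__":
    for x, frac in enumerate(deployment_curve(CUSTOMERS), start=1):
        print(f"top {x} ISP(s) filtering -> {frac} of stub attacks eliminated")
```

Running it shows the point the message makes about partial deployment: the first two ISPs already remove a sizable share of stub-originated attacks, while the multi-homed stub (AS 14) is only covered once both of its providers filter.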