Routing Insecurity (Re: BGP in the Washington Post)

Jared Mauch jared at puck.nether.net
Mon Jun 1 15:00:38 UTC 2015


> On Jun 1, 2015, at 10:08 AM, Ca By <cb.list6 at gmail.com> wrote:
> The article left me with the feeling that there was a secure version of BGP
> that is available but network operators are too short-term-focused and
> foolish to deploy it.
> 
> I believe the situation is more complicated than that, no?  There is no
> "secure version of BGP".  There are a handful of things that help, like
> RPKI ... but they are far off from hitting the mark of "securing the
> internet"... not too mention the ARIN RPKI SNAFU with various lawyers that
> make RPKI impossible for a large part of the internet.
> 
> CB
> 
> PS.  All my ipv4 and ipv6 routes are RPKI signed, but I can't validate
> because Cisco does not think validation within a VRF is an IOS-XR worthy
> features
> 
> PPS. It does blow my mind that the internet works so well given that its
> security relies on the good faith and reputation of a few network janitors
> and plumbers

The issue here is that people treat routing security the same way as
the Jennifer Anniston character in "Office Space" and her flair.  People
do the minimum to make it work and forget about it.

This can have catastrophic effects if one does that with your sewers,
septic fields, etc but we accept it in the BGP and routing universe
for some reason.  You even see that with the IRR data, people add and never
remove.  You can explore your objects here, you might be surprised how old
they are or who is injecting garbage today. http://irrexplorer.nlnog.net/

at $dayjob we try to do the right thing and as a result see complaints
from customers, prospects and even our vendors that what we do pushes
their scale limits and capabilities.  Gert asks if you enabled IPv6 on
something today, (or did you turn IPv4 off soon I think will be a fair 
question).  

What have we (You!) done to improve routing security recently?

Do we need a photo or t-shirt of randy bush saying “only you can prevent 
route hijackings?”

- Jared


More information about the NANOG mailing list