Routing Insecurity (Re: BGP in the Washington Post)

• Previous message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Next message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Actually, that's the level of attention given to all kinds of infrastructure just about everywhere. ;-) 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

----- Original Message -----

From: "Jared Mauch" <jared at puck.nether.net> 
To: "Ca By" <cb.list6 at gmail.com> 
Cc: nanog at nanog.org 
Sent: Monday, June 1, 2015 10:00:38 AM 
Subject: Routing Insecurity (Re: BGP in the Washington Post) 


> On Jun 1, 2015, at 10:08 AM, Ca By <cb.list6 at gmail.com> wrote: 
> The article left me with the feeling that there was a secure version of BGP 
> that is available but network operators are too short-term-focused and 
> foolish to deploy it. 
> 
> I believe the situation is more complicated than that, no? There is no 
> "secure version of BGP". There are a handful of things that help, like 
> RPKI ... but they are far off from hitting the mark of "securing the 
> internet"... not too mention the ARIN RPKI SNAFU with various lawyers that 
> make RPKI impossible for a large part of the internet. 
> 
> CB 
> 
> PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate 
> because Cisco does not think validation within a VRF is an IOS-XR worthy 
> features 
> 
> PPS. It does blow my mind that the internet works so well given that its 
> security relies on the good faith and reputation of a few network janitors 
> and plumbers 

The issue here is that people treat routing security the same way as 
the Jennifer Anniston character in "Office Space" and her flair. People 
do the minimum to make it work and forget about it. 

This can have catastrophic effects if one does that with your sewers, 
septic fields, etc but we accept it in the BGP and routing universe 
for some reason. You even see that with the IRR data, people add and never 
remove. You can explore your objects here, you might be surprised how old 
they are or who is injecting garbage today. http://irrexplorer.nlnog.net/ 

at $dayjob we try to do the right thing and as a result see complaints 
from customers, prospects and even our vendors that what we do pushes 
their scale limits and capabilities. Gert asks if you enabled IPv6 on 
something today, (or did you turn IPv4 off soon I think will be a fair 
question). 

What have we (You!) done to improve routing security recently? 

Do we need a photo or t-shirt of randy bush saying “only you can prevent 
route hijackings?” 

- Jared 

• Previous message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Next message (by thread): Routing Insecurity (Re: BGP in the Washington Post)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]