Routing Insecurity (Re: BGP in the Washington Post)

Roland Dobbins rdobbins at
Tue Jun 2 08:05:13 UTC 2015

On 2 Jun 2015, at 11:07, Mark Andrews wrote:

> If you have secure BGP deployed then you could extend the 
> authenication
> to securely authenticate source addresses you emit and automate
> BCP38 filter generation and then you wouldn't have to worry about
> DNS, NTP, CHARGEN etc. reflecting spoofed traffic

This can be and is done by networks which originate routes and which 
practice good network hygiene, no PKI required.

But then we get into the customer of my customer (of my customer, of my 
customer . . .) problem, and this aren't quite so clear.

There are also potentially significant drawbacks to incorporating PKI 
into the routing space, including new potential DoS vectors against 
PKI-enabled routing elements, the potential for enumeration of routing 
elements, and the possibility of building a true 'Internet kill switch' 
with effects far beyond what various governmental bodies have managed to 
do so far in the DNS space.

Once governments figured out what the DNS was, they started to use it as 
a ban-hammer - what happens in a PKIed routing system once they figure 
out what BGP is?

But nobody seems to be discussing these potential drawbacks, very much.

Roland Dobbins <rdobbins at>

More information about the NANOG mailing list