Routing Insecurity (Re: BGP in the Washington Post)
Ethan Katz-Bassett
ethan at cs.washington.edu
Wed Jun 3 02:04:31 UTC 2015
The same folks also followed up that workshop paper with a longer paper on
the topic:
https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf
On Tue, Jun 2, 2015 at 8:16 AM Dale W. Carder <dwcarder at wisc.edu> wrote:
> Thus spake Roland Dobbins (rdobbins at arbor.net) on Tue, Jun 02, 2015 at
> 03:05:13PM +0700:
> >
> > On 2 Jun 2015, at 11:07, Mark Andrews wrote:
> >
> > >If you have secure BGP deployed then you could extend the authenication
> > >to securely authenticate source addresses you emit and automate
> > >BCP38 filter generation and then you wouldn't have to worry about
> > >DNS, NTP, CHARGEN etc. reflecting spoofed traffic
> >
> > This can be and is done by networks which originate routes and which
> > practice good network hygiene, no PKI required.
> >
> > But then we get into the customer of my customer (of my customer, of my
> > customer . . .) problem, and this aren't quite so clear.
> >
> > There are also potentially significant drawbacks to incorporating PKI
> into
> > the routing space, including new potential DoS vectors against
> PKI-enabled
> > routing elements, the potential for enumeration of routing elements, and
> the
> > possibility of building a true 'Internet kill switch' with effects far
> > beyond what various governmental bodies have managed to do so far in the
> DNS
> > space.
> >
> > Once governments figured out what the DNS was, they started to use it as
> a
> > ban-hammer - what happens in a PKIed routing system once they figure out
> > what BGP is?
> >
> > But nobody seems to be discussing these potential drawbacks, very much.
>
> Start here:
> https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
>
> Dale
>
More information about the NANOG
mailing list