Routing Insecurity (Re: BGP in the Washington Post)

David Mandelberg david at mandelberg.org
Fri Jun 5 03:56:01 UTC 2015


On 06/03/2015 04:27 AM, Roland Dobbins wrote:
> (not to mention the
> enumeration and enhanced DDoS impact of packeting routers doing crypto
> for their BGP sessions and which aren't protected via iACLs/GTSM).

Could you elaborate on your enumeration and DDoS concerns? If you're
concerned about the public finding out exactly how many routers you have
because you've published one BGPsec router key per router, you can
choose to use the same router key on multiple routers. If you're
concerned about all the crypto work overloading a router, the plan (as
far as I've heard) is for the routers to do the BGPsec crypto work in
the background as a low priority. I.e., incoming signed routes will
initially be treated like unsigned routes, and the BGPsec validation
will be kicked off in the background. Once the validation is complete,
then routing decisions can be made based on the BGPsec validity.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
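The deferred-validation scheme described in the post (signed routes installed at once and ranked like unsigned ones, with signature checks run later as low-priority background work that then re-ranks the path) can be sketched in a few dozen lines. The following is an added illustration, not code from the post or from any BGPsec implementation. Assumptions: an HMAC secret stands in for a router's BGPsec key (real BGPsec uses ECDSA P-256 keys published in the RPKI), the `ROUTER_KEYS` table and all prefixes, ASNs and peer names are constructed, and two routers of AS 64500 share one key to reflect the key-sharing point made above.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Validity(Enum):
    UNSIGNED = "unsigned"
    PENDING = "pending"    # signed but not yet checked: ranked like UNSIGNED
    VALID = "valid"
    INVALID = "invalid"


# Constructed stand-in for published router keys (real ones are ECDSA P-256
# public keys in the RPKI). A shared HMAC secret keeps the example dependency
# free. rtr-a and rtr-b of AS 64500 share one key, so an observer counting
# keys cannot count routers.
ROUTER_KEYS: Dict[tuple, bytes] = {
    ("64500", "rtr-a"): b"constructed-as64500-shared-key",
    ("64500", "rtr-b"): b"constructed-as64500-shared-key",
    ("64501", "rtr-x"): b"constructed-as64501-key",
}


def sign_update(prefix: str, origin_asn: str, key: bytes) -> str:
    """Stand-in signature a router attaches to an update it originates."""
    return hmac.new(key, f"{prefix}|{origin_asn}".encode(), hashlib.sha256).hexdigest()


def verify_signature(prefix: str, origin_asn: str, router_id: str, sig: str) -> bool:
    """Check a signature against the key published for (ASN, router)."""
    key = ROUTER_KEYS.get((origin_asn, router_id))
    if key is None:
        return False
    return hmac.compare_digest(sign_update(prefix, origin_asn, key), sig)


@dataclass
class Route:
    prefix: str
    origin_asn: str
    peer: str
    router_id: Optional[str] = None
    signature: Optional[str] = None
    validity: Validity = Validity.UNSIGNED


class Rib:
    """Minimal RIB with deferred, budgeted signature validation."""

    # Lower is preferred; PENDING deliberately ties with UNSIGNED.
    RANK = {Validity.VALID: 0, Validity.UNSIGNED: 1,
            Validity.PENDING: 1, Validity.INVALID: 2}

    def __init__(self) -> None:
        self.routes: Dict[str, List[Route]] = {}
        self.pending: deque = deque()   # low-priority validation queue

    def receive(self, route: Route) -> None:
        """Fast path: install immediately, queue the crypto work for later."""
        if route.signature is not None:
            route.validity = Validity.PENDING
            self.pending.append(route)
        self.routes.setdefault(route.prefix, []).append(route)

    def best_path(self, prefix: str) -> Optional[Route]:
        """Pick by validity rank; ties go to the earliest received route."""
        cands = self.routes.get(prefix, [])
        if not cands:
            return None
        return min(cands, key=lambda r: self.RANK[r.validity])

    def validate_some(self, budget: int = 1) -> int:
        """Background step: verify at most `budget` queued routes per call so
        signature checks never block update processing. Returns count done."""
        done = 0
        while self.pending and done < budget:
            r = self.pending.popleft()
            ok = verify_signature(r.prefix, r.origin_asn, r.router_id, r.signature)
            r.validity = Validity.VALID if ok else Validity.INVALID
            done += 1
        return done


def build_demo_rib() -> Rib:
    """Constructed scenario: one unsigned route, one correctly signed route and
    one route whose signature does not verify, all for 192.0.2.0/24."""
    rib = Rib()
    prefix = "192.0.2.0/24"
    rib.receive(Route(prefix, "64499", peer="peer-1"))
    good_sig = sign_update(prefix, "64500", ROUTER_KEYS[("64500", "rtr-b")])
    rib.receive(Route(prefix, "64500", peer="peer-2", router_id="rtr-b", signature=good_sig))
    rib.receive(Route(prefix, "64501", peer="peer-3", router_id="rtr-x", signature="00" * 32))
    return rib


if __name__ == "__main__":
    rib = build_demo_rib()
    print("before validation:", rib.best_path("192.0.2.0/24").peer)   # peer-1
    while rib.validate_some(budget=1):
        pass
    print("after validation: ", rib.best_path("192.0.2.0/24").peer)   # peer-2
```

Before the background pass runs, the unsigned route from peer-1 wins simply because it arrived first and the signed routes are ranked no higher than it; once `validate_some` has worked through the queue, the verified route from peer-2 takes over and the route with the bad signature is demoted. The `budget` argument is what lets an operator bound the per-tick crypto cost, which is the mitigation the post points to for the "crypto overloads the router" concern.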
