BGP Experiment

Saku Ytti saku at ytti.fi
Wed Jan 9 18:06:50 UTC 2019


On Wed, 9 Jan 2019 at 19:54, Töma Gavrichenkov <ximaera at gmail.com> wrote:

> Which is, as usual, a pity, because, generally, synchronizing a piece of software with upstream security updates less frequently than once to twice in a week belongs in Jurassic Park today; and doing it hardly more frequently than once in 6 months, as ISPs usually do, clearly belongs in a bughouse.

Not disputing bug or bog house as the ideal location for said policy, just
want to explain my perspective on why it is so. SPs are making their
reasonable effort to produce the product that customers want to buy.
Hitless upgrades are not really a thing yet, even though they've been
marketed for 20 years now. Customers have expectations on how often
their link flaps, which is mutually exclusive with rapid upgrade
cycles.

And mostly all this is for show; the code is very broken, all of it.
And the configurations are very broken, all of them. We regularly
break the Internet without trying; BGP parsing crashes are like a bi-annual
thing. I'm holding, without any motivation or attempt to do so, a
transit packet-of-death for JNPR applicable to ~all JNPR backbones,
and JNPR isn't an outlier here. People happily deploy new devices which
cannot be protected against even trivial (<10Mbps) control-plane
attacks. The only reason things work as well as they do is because bad
guys are not trying to DoS the infrastructure with BGP or
packet-of-deaths; it would be very cheap if someone should be so
motivated.

If this is something we think should be fixed, then we should have
good guys intentionally fuzzing _public internet_ BGP and
transit-packet-of-deaths with good reporting. But likely it doesn't
actually matter at all that the configurations and implementations are
fragile; if they are abused, the Internet will fix those in no more than
days, and trying to guarantee it cannot happen is probably a fool's
errand.

If anything, I suspect that if it's cheaper to enter the market with
inferior security and quality then that is likely a good business case;
the internet works so well that consumers are not willing to pay more for
better, but would gladly sacrifice uptime for a cheaper price.



-- 
  ++ytti