BGP Experiment

Saku Ytti saku at ytti.fi
Wed Jan 9 18:32:29 UTC 2019


On Wed, 9 Jan 2019 at 20:24, Töma Gavrichenkov <ximaera at gmail.com> wrote:

> So, network device vendors releasing security advisories twice a year
> isn't a big part of the explanation?

Those are scheduled, they have to meet some criteria to be pushed on
scheduled lot. There are also out of cycle SIRTs. And yes, vendors are
delaying them, because customers don't want to upgrade often, because
customer's customers don't want to see connections down often.

> Err... don't they?  My experience is quite the opposite.

Well, that is an odd experience, considering anyone with a rudimentary
understanding of control-plane policing can bring the internet down from a
single VPS. The majority of deployed devices _cannot_ be protected against a
DoS-motivated attacker, and I'm not talking link congestion, I'm
talking control-plane congestion with a few Mbps.

> If we could be sure that after such fuzzing there would still be a
> working transport infrastructure to report on top of, then yes.

If it's important to get right, we should try to prove it wrong
actively and persistently by good guys; at least then reporting and
statistics can be produced. But I'm not sure if it's important to get
right; the market seems to indicate security does not matter.

>  — just like we did with IoT in 2016 —

Internet still running, I'm still getting paid.

> > If anything, I suspect if it's cheaper to enter the market with
> > inferior security and quality then that is likely good business case
>
> This is also correct so far. I wonder if it's here to stay.

We'd need the current security posture to be sufficiently
unmarketable. But the motivation to simply DoS the internet doesn't really
exist. DoS is against service end points; infrastructure is a trivial
target, but for some reason not really targeted. I'm sure state actors
have a library of DoS transit packets and BGP UPDATE packets to be
deployed when strategy requires a given network or region to be
disrupted. Because we, the internet plumbers, keep finding those
without trying, just trying to keep the network working, what can
someone find who is funded and motivated to find those?



-- 
  ++ytti