Re: BGP-4+

Brad Smith <brad@cse.ucsc.edu> Thu, 19 December 1996 22:31 UTC

Message-Id: <199612192208.OAA11834@toltec.cse.ucsc.edu>
To: "Dorian R. Kim" <dorian@cic.net>
Cc: bgp@ans.net
Subject: Re: BGP-4+
In-Reply-To: Your message of "Thu, 19 Dec 1996 15:21:42 EST." <Pine.GSO.3.95.961219151510.22740C-100000@nic.hq.cic.net>
Date: Thu, 19 Dec 1996 14:08:51 PST
From: Brad Smith <brad@cse.ucsc.edu>
Sender: owner-idr@merit.edu
Precedence: bulk

> Permit me to observe here that when there is a subverted speaker, a change to
> the BGP protocol spec isn't good enough to contain possible damage.

This is certainly the challenge; however, I think, if you take the
perspective of minimizing or eliminating what a speaker can say
about resources it doesn't have authority for, you can go a long
way toward containing damage.

> While this threat is not that unlikely and should not be ignored, my view on
> this is that the prevention should take the form of speaker/host hardening
> rather than modification of BGP transport.

Hardening involves procedures and people in addition to technology; what
you say implies imposing significant restrictions on who can operate a
BGP speaker to achieve any significant improvements in security.  Is this
realistic?

> I especially wonder about the scalability aspect of such modifications, strictly
> from an operational perspective.

Absolutely.  This is the final measure... is the illness more painful
than the cure.  It is certainly going to be quite painful.

Brad