Re: BGP-4+

["Dorian R. Kim" <dorian@cic.net>]

On Thu, 19 Dec 1996, Brad Smith wrote:

> > Permit me to observe here that when there is subverted speaker, change to BGP
> > protocol spec isn't good enough to contain possible damage.
> 
> This is certainly the challenge; however, I think, if you take the
> perspective of minimizing or eliminating what a speaker can say
> about resources it doesn't have authority for, you can go a long
> way toward containing damage.

This seems to involve authentication AND authorization, and some manner in
which both can be independently verified. This too me is an absolutely
non-trivial set up, and I seriousl question the scalability of it. It would 
also IMO, imposes significant restrictions in routing flexibility.
Furthermore, this type of scheme is very likely to show operationally
unacceptable failure modes during network failures unless we someone come up
with completely out-of-band signaling. 

> > While this threat is not that unlikely and should not be ignored, my view on
> > this is that the prevention should take the form of speaker/host hardening
> > rather than modification of BGP transport.
> 
> Hardening involves procedures and people in addition to technology; what
> you say implies imposing significant restrictions on who can operate a
> BGP speaker to achieve any significant improvements in security.  Is this
> realistic?

Sure, you have to start from simple physical access to people to boxes and
bits. And then there is a point where you draw the line between manageability
and security. Routers can be protected better than they are currently
protected in most places without incurring too much of an overhead, human or
otherwise.

> > I especially wonder about scalability aspect of such modifications, strictly
> > from an operational perspective.
> 
> Absolutely.  This is the final measure... is the illness more painful
> than the cure.  It is certainly going to be quite painful.

I suspect that the cure's side affect will make it unpalatable.

-dorian