Re: BGP-4+

Brad Smith <brad@cse.ucsc.edu> Thu, 19 December 1996 23:23 UTC

Message-Id: <199612192300.PAA11954@toltec.cse.ucsc.edu>
To: Tony Li <tli@jnx.com>
Cc: bgp@ans.net
Subject: Re: BGP-4+
In-Reply-To: Your message of "Thu, 19 Dec 1996 14:03:35 PST." <199612192203.OAA23260@chimp.jnx.com>
Date: Thu, 19 Dec 1996 15:00:23 PST
From: Brad Smith <brad@cse.ucsc.edu>
Sender: owner-idr@merit.edu
Precedence: bulk

>    > A comment and question.  TCP and similar peer-to-peer security does
>    > not protect against a subverted speaker.  If an intruder is able to
>    > break into a speaker, where it would get access to all TCP security
>    > related keys, it would then be able to have its way with the protocol
>    > (e.g. fabricate, modify, and replay routing information).
> 
>    Permit me to observe here that when there is a subverted speaker, a change
>    to the BGP protocol spec isn't good enough to contain possible damage.
> 
> True.  In fact, Radia Perlman has looked at the subverted speaker problem
> quite a bit.  It turns out that you basically need a link state protocol to
> disseminate enough information to still have a functioning network.  And
> the cost in redundancy and additional computation is non-trivial.  
> 
> It's a major architectural change, which I haven't seen any willingness to
> pay for either in the enterprise market or in the Internet backbone.

True, although Radia's goal (in her PhD thesis) of what she called
Byzantine Robustness (the ability to continue correct operation in
the presence of arbitrary nodes with Byzantine failures) is quite
high.  It may be possible that there are lower goals that are still
very useful that can be achieved with information available in current
BGP updates.  I had the beginnings of a proposal for such a solution
until I talked to Sue Hares at the IETF... she "clarified" :) a few issues
that pretty much shot my proposal, although I think there's still hope.

However, I should re-lurk on this specific issue until I have something
more concrete to say.

My main point/question was that providing only peer-to-peer measures
leaves the protocol vulnerable to subverted speakers, and whether this
was considered a significant threat.  I think my question was answered
(yes, it is significant, but not worth the pain that current solutions
would incur).

Brad