IETF Logo Mail Archive

Re: Helpful BGP Feature

Brandon Black <photon@nol.net> Mon, 03 February 1997 20:06 UTC

Received: from cnri by ietf.org id aa06647; 3 Feb 97 15:06 EST
Received: from merit.edu by CNRI.Reston.VA.US id aa20295; 3 Feb 97 15:06 EST
Received: (from daemon@localhost) by merit.edu (8.8.5/merit-2.0) id OAA25230 for idr-outgoing; Mon, 3 Feb 1997 14:35:39 -0500 (EST)
Received: from interlock.ans.net (interlock.ans.net [147.225.5.5]) by merit.edu (8.8.5/merit-2.0) with SMTP id OAA25224 for <bgp@merit.edu>; Mon, 3 Feb 1997 14:35:34 -0500 (EST)
Received: by interlock.ans.net id AA10770 (InterLock SMTP Gateway 3.0 for bgp@ans.net); Mon, 3 Feb 1997 14:35:32 -0500
Received: by interlock.ans.net (Internal Mail Agent-1); Mon, 3 Feb 1997 14:35:32 -0500
X-Auth: NOLNET SENDMAIL AUTH
Date: Mon, 03 Feb 1997 13:35:29 -0600
From: Brandon Black <photon@nol.net>
To: EDS@rhqvm21.vnet.ibm.com
Cc: bgp@ans.net
Subject: Re: Helpful BGP Feature
In-Reply-To: <199702031811.AA06854@interlock.ans.net>
Message-Id: <Pine.GSO.3.95.970203132618.5945A-100000@dazed.nol.net>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-idr@merit.edu
Precedence: bulk

On Mon, 3 Feb 1997 EDS@RHQVM21.VNET.IBM.COM wrote:

> It may be helpful to add a feature to allow for Directed Route
> announcements. The originator of a BGP Route, for example, could
> specify in an optional attribute, the desired recipient(s) of the
> Route Advertisement e.g.listing the AS numbers or IP addresses of
> the Networks or even the specific gateways that should receive
> the Route Advertisement.
> 
> This would allow for capabilities including:
> 
> Creating Virtual Private Networks. Controlling access to a
> destination.
> 
> Limiting where Route advertisements are propogated. Not all
> destinations need or want to be in all the Global Routing tables.
> Avoiding the need to get Network Service Providers to place
> complex policy statements on their Routers - which may not
> have the desired granularity anyway.
> 
> Avoiding having to wait for Service Providers to enter the policy
> changes,which sometimes can only occur during monthly
> change windows.
> Thanks, Ed Segal EDS@RHQVM21.VNET.IBM.COM 914 784-3259
> 


Well... that might allow for "Virtual Networks", but no Private ones.
Simply not advertising your route does _NOT_ protect your traffic.  For
one, it can still be sniffed at the providers the Virtual Network uses,
and it can be sniffed at the NAP's... (do you trust every single employee
at all of those places...?).  Two, I've heard rumors of people claiming it
is possible to "remote sniff" traffic, by sending carefully contructed BGP
advertisements which reroute the desired traffic to the sniffer, and then
routing it back out.  It sounds very complicated to me, but I believe
there are people out there capable of doing it.

Point is.... encryption leads to Private networks, not obscurity.  And
most people who would give so little care to their traffic as to route it
across the current IPv4 Internet Backbone in an attempt to make a Virtual
Network, will probably want Internet access from their sites as well.. and
thus wouldn't use the feature. 

The idea probably still has merit as a useful hack for Multihomed
non-transit customers with wierd routing requirements... but I don't see
it as a tool for "Virtual Private Networks"..... just wait for IPv6, and
then (hopefully) we can make VPN's where and when we want to easily.

.................................             ..............
: Brandon Lee Black  : [Office] :.............: [Personal] :....
:....................: brandon.black@wcom.com : photon@nol.net :.......
: "Sanity is the     : +1.281.362.6466 .......: photon@gnu.ai.mit.edu :
: trademark of a     :.................:..../\: vis_blb@unx1.shsu.edu :
: weak mind. . ."    : LDDS WorldCom, Inc. :\/: +1.281.397.3490 ......:
:....................:.....................:..:.................:

v2.23.0 | Report a Bug | By Email