Re: [RPSEC] BGP Security Requirements v08

sandy@tislabs.com (Sandy Murphy) Wed, 18 July 2007 19:51 UTC

To: curtis@occnc.com
Subject: Re: [RPSEC] BGP Security Requirements v08
In-Reply-To: <200707181655.l6IGtc1o026662@harbor.brookfield.occnc.com>
Message-Id: <20070718194558.D2FBB3F43C@pecan.tislabs.com>
Date: Wed, 18 Jul 2007 15:45:58 -0400 (EDT)
From: sandy@tislabs.com (Sandy Murphy)
Cc: rpsec@ietf.org

>The major ISPs have important major customers and peers.  For example,
>they would not want their routing corrupted by a bad route to a major
>content provider.  Therefore many major providers will only accept
>these major customer and peer routes from a very limited set of ISPs.

I hear you that the Internet mostly just works.

But we seem to have p-l-e-n-t-y of publicly discussed examples of
cases where the trust structure did not serve us well.

Furthermore, from what major ISPs have said, what is said by others
about major ISPs, and from the analyses of public data of some incidents,
it seems to be the case that some major ISPs (Spring comes to mind?) do not
filter well enough to prevent some noticeable traffic redirection.
These have been accidents so far, but they provide worked examples of
how bad the problem can get.

Relying on the ISP trust and policies is mostly good enough for
"mostly just works."

>Add some authentication and you may have further improvement in the
>reliability of routing information.  Don't allow that to cross the
>major ISPs and the authentication is of very little use for ISPs.

I agree with you here!  But I don't think anyone is talking about
not allowing auth info to cross major ISPs.  We're mostly arguing
how strong a requirement to make the ability to transit un-upgraded
ISPs: MUST, SHOULD, or MAY.

--Sandy


_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec