Re: [RPSEC] BGP Security Requirements v08

Curtis Villamizar <curtis@occnc.com> Tue, 17 July 2007 14:27 UTC

To: Stephen Kent <kent@bbn.com>
From: Curtis Villamizar <curtis@occnc.com>
Subject: Re: [RPSEC] BGP Security Requirements v08
In-reply-to: Your message of "Mon, 16 Jul 2007 14:28:54 EDT." <p06240507c2c167b442a1@[128.89.89.71]>
Date: Tue, 17 Jul 2007 10:26:19 -0400
Cc: rpsec@ietf.org, Russ White <riw@cisco.com>

In message <p06240507c2c167b442a1@[128.89.89.71]>
Stephen Kent writes:
>  
> I think the question is why, if the path info received by an "island 
> AS" has a number of unverified hops, is this path info useful, in a 
> security sense, to the AS that receives? How does the requirement to 
> send such info promote adoption of the protocol?
>  
> Steve


Because it is likely to be more reliable than information with no
authentication at all.

The major ISPs are fairly reliable at getting their internal routing
right, so if the non-authenticating routers in the middle are entirely
in a set of ISPs that are known to generally not have break-ins into
their own infrastructure, then for the purposes of commercial traffic
among other ISPs that want to distinguish their services as having
somewhat more reliable routing due to the use of authentication, there
is a great deal of value.

It may be optimistic to think that this value would be enough to give
any routing authentication sufficient value to gain critical mass in
the commercial world.  If there is no value for islands of deployment
except to authenticate within the island, this is a non-starter from
day one in the commercial world.  If so, it may be a non-starter at
router vendors without a very large influx of money from elsewhere,
such as government funding specifically for something that is not
being implemented because it will never get commercially deployed.  If
you are sure that the money is out there waiting for this spec to
publish, then fine.  Otherwise you may be wasting your time and ours
if the requirement to add value to disconnected islands is ignored.

That's just an opinion and I don't know how widely held it is today.
This might be a good question to ask at the WG meeting.

Curtis

