IETF Logo Mail Archive

Re: [RPSEC] Re: draft-convery-bgpattack-00

sandy@tislabs.com Thu, 07 November 2002 14:41 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA26251 for <rpsec-archive@odin.ietf.org>; Thu, 7 Nov 2002 09:41:17 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id gA7EhHi22096 for rpsec-archive@odin.ietf.org; Thu, 7 Nov 2002 09:43:17 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA7EhHv22093 for <rpsec-web-archive@optimus.ietf.org>; Thu, 7 Nov 2002 09:43:17 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA26219 for <rpsec-web-archive@ietf.org>; Thu, 7 Nov 2002 09:40:46 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA7Eh3v22084; Thu, 7 Nov 2002 09:43:03 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA7EgAv22053 for <rpsec@optimus.ietf.org>; Thu, 7 Nov 2002 09:42:10 -0500
Received: from sentry.gw.tislabs.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA26202 for <rpsec@ietf.org>; Thu, 7 Nov 2002 09:39:39 -0500 (EST)
From: sandy@tislabs.com
Received: by sentry.gw.tislabs.com; id JAA02376; Thu, 7 Nov 2002 09:42:12 -0500 (EST)
Received: from raven.gw.tislabs.com(10.33.1.50) by sentry.gw.tislabs.com via smap (V5.5) id xma002363; Thu, 7 Nov 02 09:41:31 -0500
Received: (from sandy@localhost) by raven.gw.tislabs.com (8.11.6/8.11.6) id gA7EfPu14442; Thu, 7 Nov 2002 09:41:25 -0500 (EST)
Date: Thu, 07 Nov 2002 09:41:25 -0500
Message-Id: <200211071441.gA7EfPu14442@raven.gw.tislabs.com>
To: iljitsch@muada.com
Subject: Re: [RPSEC] Re: draft-convery-bgpattack-00
Cc: rpsec@ietf.org
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>

>- include all neighbors in one signature: more costly in terms of
>  memory, less in processing

You have probably read Charlie Lynn's mail by now where he says that
SBGP can do this.  And we had discussed earlier grouping neighbors.

Which brings up the point that I should and will stop trying to answer
questions about the SBGP stuff, since I'm definitely not the expert here.

>Because there is simply a lot of peering.

Well, it's widely know that the average AS_PATH is not long.  But it
isn't *2*.  Which means that there are lots of cases where two AS's
aren't neighbors.  Which opens opportunities for influencing routing
to the bad, if you don't have protections.

>- don't include the AS for peering neighbors but only transit neighbors
>  in the signature. Then peers don't get to announce the route any
>  further, which is good, mostly. Customers of the peer would have to
>  accept the route without a signature, though.

I don't get this at all.  But, more importantly, I don't think that we
should be trying to work out the details of a solution for BGP.
Certainly not in this working group.

The original comment that sparked this thread was that the SBGP
protections eliminated certain optimizations that are used and desirable.
That was incorrect, as Charlie's message shows.  But the lesson for
this working group is (1) most security solutions can have an effect
on optimizations and (2) should the security requirements prohibit
impact on optimizations?  permit the impact?  limit the impact?  Etc.

--Sandy
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.23.0 | Report a Bug | By Email