IETF Logo Mail Archive

Re: [RPSEC] BGP Security Requirements v08

sandy@tislabs.com (Sandy Murphy) Wed, 11 July 2007 14:37 UTC

Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I8dJh-0005oJ-6a; Wed, 11 Jul 2007 10:37:21 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43) id 1I8dJf-0005oC-DN for rpsec-confirm+ok@megatron.ietf.org; Wed, 11 Jul 2007 10:37:19 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I8dJf-0005o2-3p for rpsec@ietf.org; Wed, 11 Jul 2007 10:37:19 -0400
Received: from sentry.gw.tislabs.com ([192.94.214.100] helo=nutshell.tislabs.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I8dJb-0001sz-Om for rpsec@ietf.org; Wed, 11 Jul 2007 10:37:19 -0400
Received: (from uucp@localhost) by nutshell.tislabs.com (8.12.9/8.12.9) id l6BEYkch029872; Wed, 11 Jul 2007 10:34:46 -0400 (EDT)
Received: from pecan.tislabs.com(10.66.1.30) by nutshell.tislabs.com via csmap (V6.0) id srcAAA3Aaio6; Wed, 11 Jul 07 10:34:13 -0400
Received: by pecan.tislabs.com (Postfix, from userid 2005) id 97D2E3F481; Wed, 11 Jul 2007 10:32:19 -0400 (EDT)
To: riw@cisco.com, rpsec@ietf.org
Subject: Re: [RPSEC] BGP Security Requirements v08
In-Reply-To: <4694DD0F.4000104@cisco.com>
Message-Id: <20070711143219.97D2E3F481@pecan.tislabs.com>
Date: Wed, 11 Jul 2007 10:32:19 -0400 (EDT)
From: sandy@tislabs.com (Sandy Murphy)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d17f825e43c9aed4fd65b7edddddec89
Cc: sandy@tislabs.com
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org

>Why? Because if you can validate the originator and the first (second)
>hop (the second entry in the AS Path), then you have a good bit more
>assurance the destination is valid/etc, than if you just drop this
>information out.

As many people have said (I recall particularly Danny McPherson at NANOG),
a deliberate attack would just take the valid initial info and add
invalid info to it.  So it is best to be cautious about the good bit
more assurance.

--Sandy


_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.8.7 | Report a Bug | By Email