RE: [RPSEC] Re: draft-convery-bgpattack-00

Randy Bush <randy@psg.com> Fri, 08 November 2002 17:20 UTC

From: Randy Bush <randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: "Joel M. Halpern" <joel@stevecrocker.com>
Cc: rpsec@ietf.org
Subject: RE: [RPSEC] Re: draft-convery-bgpattack-00
References: <20021106171433.J58530-100000@sequoia.muada.com> <5.1.0.14.0.20021107220526.02713900@mail.stevecrocker.com>
Message-Id: <E18ACob-000DkW-00@rip.psg.com>
Date: Fri, 08 Nov 2002 09:21:05 -0800
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>

> 1) An approach that attempts to comprehensively provide security for BGP
> 2) An approach that for deployment probably requires significant 
> enhancements in the actual routing hardware (storage, increased memory, 
> crypto hardware).
> 
> It seems this overlooks several things:
> A) The indications are that operators are not interested in (or possibly 
> even capable of) deploying solutions with this complexity
> B) We could probably get a lot of coverage (but not as complete) with a 
> much simpler solution or set of solutions.
> C) Securing BGP this carefully when the rest of the infrastructure is 
> completely insecure seems almost counter-productive.
> 
> Note that currently many operators do not deploy source address
> filtering, or even martian address filtering with their
> customers.  And that is only the tip of the iceberg of simple
> things that need to be done.  It would seem that whatever energy
> it would take to even begin serious development and deployment of
> S-BGP could be much better spent getting some of the simple steps
> that are necessary deployed.  Then we could examine again to
> determine what makes sense to do next based on that experience.

what this analysis omits is what we will have to do in a month or
three years when we get _serious_ widespread routing attacks [0].
as serious defense will, as you well point out, take some time to
deploy, it seems prudent to start now, rather than have a large
window of major problems while we deploy too late.

randy

---

[0] - note that we have already seen real non-trivial routing
      attacks.  folk just don't talk about them in public.

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
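The quoted message names martian filtering and per-customer filtering as the "simple steps" an upstream can deploy long before anything like S-BGP. The block below is an added example, not code from the thread or from either author: it applies a martian check, a maximum prefix-length check and a per-customer authorized-prefix check to a batch of constructed announcements. The martian list, the `MAX_PREFIX_LEN` value, the peer names and the prefixes are all assumptions made for the example; a deployment would take its bogon list from a maintained source and its customer policy from the IRR or contract data. It covers prefix filtering on the routing side; packet-level source address filtering (BCP 38) is a separate control and is not shown.

```python
"""Martian and customer-prefix filtering for BGP announcements (added example)."""
import ipaddress
from dataclasses import dataclass

# Illustrative martian list for this example (RFC 1918 space, loopback,
# link-local, multicast, reserved). Constructed here, not taken from the
# thread; a real filter would use a maintained bogon list.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Most-specific prefix this upstream is willing to learn (assumed value).
MAX_PREFIX_LEN = 24


@dataclass(frozen=True)
class Announcement:
    """One prefix heard from one peer; session details are omitted."""
    peer: str
    prefix: str


def classify(ann, allowed_by_peer):
    """Return 'accept' or 'reject:<reason>' for a single announcement.

    allowed_by_peer maps a peer name to the prefixes it may originate
    or announce; anything outside that set is refused.
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    if net.prefixlen == 0:
        return "reject:default-route"
    # Any overlap with martian space is refused, including an aggregate
    # that would cover it (e.g. 8.0.0.0/6 covering 10.0.0.0/8).
    if any(net.overlaps(m) for m in MARTIANS):
        return "reject:martian"
    if net.prefixlen > MAX_PREFIX_LEN:
        return "reject:too-specific"
    allowed = allowed_by_peer.get(ann.peer)
    if not allowed:
        return "reject:no-policy-for-peer"
    # A customer may only announce prefixes inside its authorized space.
    if not any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed):
        return "reject:not-authorized"
    return "accept"


def filter_feed(announcements, allowed_by_peer):
    """Classify a batch and return {(peer, prefix): decision}."""
    return {(a.peer, a.prefix): classify(a, allowed_by_peer)
            for a in announcements}


# Constructed sample policy and feed; peers and prefixes are invented.
ALLOWED = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/24"],
}
SAMPLE_FEED = [
    Announcement("cust-a", "203.0.113.0/24"),    # authorized, accepted
    Announcement("cust-a", "203.0.113.128/25"),  # inside space but too long
    Announcement("cust-a", "10.1.0.0/16"),       # RFC 1918, martian
    Announcement("cust-a", "0.0.0.0/0"),         # default route
    Announcement("cust-a", "198.51.100.0/24"),   # belongs to cust-b
    Announcement("cust-b", "198.51.100.0/24"),   # authorized, accepted
    Announcement("cust-c", "192.0.2.0/24"),      # no policy configured
]

if __name__ == "__main__":
    for (peer, prefix), decision in filter_feed(SAMPLE_FEED, ALLOWED).items():
        print(f"{peer:7} {prefix:18} {decision}")
```

Ordering matters: the martian and length checks run before the per-peer policy so that a customer whose policy is missing still cannot push reserved space or a default route through, and a peer with no configured policy is refused outright rather than silently trusted.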