Re: [RPSEC] BGP Security Requirements v08

Russ White <riw@cisco.com> Wed, 11 July 2007 14:45 UTC

Message-ID: <4694ED10.4030503@cisco.com>
Date: Wed, 11 Jul 2007 10:45:36 -0400
From: Russ White <riw@cisco.com>
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: Sandy Murphy <sandy@tislabs.com>
Subject: Re: [RPSEC] BGP Security Requirements v08
References: <20070711143219.97D2E3F481@pecan.tislabs.com>
In-Reply-To: <20070711143219.97D2E3F481@pecan.tislabs.com>
X-Enigmail-Version: 0.95.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: rpsec@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>> Why? Because if you can validate the originator and the first (second)
>> hop (the second entry in the AS Path), then you have a good bit more
>> assurance the destination is valid/etc, than if you just drop this
>> information out.
> 
> As many people have said (I recall particularly Danny McPherson at NANOG),
> a deliberate attack would just take the valid initial info and add
> invalid info to it.  So it is best to be cautious about the good bit
> more assurance.

Right--the more information you have, the more assurance you have. Just
the origination authorization is easy to fool. Including the second AS
in the AS Path (the first hop) makes it harder to fool but still not
impossible. As you add more path information, you add more assurance.

So, I would say it's not an "all or nothing" affair, and retaining
information through a non-supporting AS is useful.

:-)

Russ

- --
riw@cisco.com CCIE <>< Grace Alone

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGlO0QER27sUhU9OQRAj2/AJoCXvR21xQSZCpHldM+A1O2smkYRQCgjKnJ
Oboutp1yYLSfCP15JIXTW84=
=m8hQ
-----END PGP SIGNATURE-----


_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
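The exchange above is about how much assurance a validator gets from checking only the origin, the origin plus the first hop, or a longer validated prefix of the AS_PATH, and about the attack Sandy Murphy mentions (keep the valid leading hops, append bogus ones). The toy model below is an added example, not code from the thread, from either author, or from any real protocol (it is not BGPsec, S-BGP or soBGP). It assumes two invented tables: ORIGIN_AUTH (which ASes may originate a prefix) and HOP_AUTH (which neighbours an AS has authorized to propagate its route; a non-supporting AS simply has no entry). The AS numbers and prefix are constructed sample data.

```python
"""Toy model of partial AS_PATH validation (added example, not from the thread).

Each supporting AS X publishes "X authorizes neighbour Y to propagate prefix P".
A validator walks the path from the origin outward and counts how many hops
are covered by such authorizations.  Everything here (table names, the
assurance labels, the ASNs) is invented for illustration.
"""
from dataclasses import dataclass

PREFIX = "10.0.0.0/8"  # constructed sample prefix

# Constructed sample data.  ORIGIN_AUTH[prefix] = ASes authorized to originate it.
ORIGIN_AUTH = {PREFIX: {64500}}

# HOP_AUTH[(prefix, as_x)] = neighbours AS X has authorized to propagate its route.
# AS 64502 is a "non-supporting" AS: it is authorized by 64500 but publishes nothing.
HOP_AUTH = {
    (PREFIX, 64500): {64501, 64502},
    (PREFIX, 64501): {64503},
}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # AS_PATH as received: (nearest AS, ..., origin AS)


def validated_hops(route: Route) -> int:
    """Number of ASes, counting from the origin, covered by authorizations.

    0 = origin not authorized for the prefix
    1 = origin only
    2 = origin + first hop (second entry from the end of the AS_PATH)
    ...
    len(as_path) = every hop in the path is authorized by its predecessor
    Validation stops at the first hop that is not authorized; that hop may be
    a legitimate non-supporting AS or a forged one -- the model cannot tell.
    """
    path = list(reversed(route.as_path))  # origin first
    if not path or path[0] not in ORIGIN_AUTH.get(route.prefix, set()):
        return 0
    n = 1
    for prev, nxt in zip(path, path[1:]):
        if nxt in HOP_AUTH.get((route.prefix, prev), set()):
            n += 1
        else:
            break  # keep the validated prefix we already have
    return n


def assurance(route: Route) -> str:
    """Coarse label: invalid-origin, partial:k/n, or full-path."""
    n = validated_hops(route)
    if n == 0:
        return "invalid-origin"
    if n == len(route.as_path):
        return "full-path"
    return f"partial:{n}/{len(route.as_path)}"


def accepted_by(route: Route, required_hops: int) -> bool:
    """A policy that demands at least `required_hops` validated hops.

    required_hops=1 is origin-only validation; 2 is origin + first hop.
    """
    return validated_hops(route) >= required_hops


# Constructed scenarios from the discussion.
LEGIT = Route(PREFIX, (64503, 64501, 64500))          # fully authorized chain
# Attacker AS 64666 keeps the valid origin + first hop and prepends itself:
APPENDED = Route(PREFIX, (64666, 64501, 64500))
# Attacker claims to be a direct neighbour of the real origin:
FAKE_NEIGHBOUR = Route(PREFIX, (64666, 64500))
# Attacker claims to originate the prefix itself:
FAKE_ORIGIN = Route(PREFIX, (64666,))
# Honest path through the non-supporting AS 64502:
VIA_NON_SUPPORTING = Route(PREFIX, (64504, 64502, 64500))


if __name__ == "__main__":
    for name, r in [("legit", LEGIT), ("appended", APPENDED),
                    ("fake-neighbour", FAKE_NEIGHBOUR), ("fake-origin", FAKE_ORIGIN),
                    ("via-non-supporting", VIA_NON_SUPPORTING)]:
        print(f"{name:20s} {assurance(r):14s} "
              f"origin-only={accepted_by(r, 1)} origin+1={accepted_by(r, 2)}")
```

Run stand-alone, the table shows both sides of the argument: origin-only validation accepts every route except the forged origin, and origin-plus-first-hop still accepts the appended path, which is exactly the "take the valid initial info and add invalid info" case. At the same time the honest route through the non-supporting AS 64502 keeps a validated prefix of two hops rather than dropping to nothing, which is the point about retaining information through a non-supporting AS. The caveat is visible in the labels themselves: "partial:2/3" is returned for both the attack and the honest case, so a partial score is a measure of how much of the path was checked, not evidence that the unchecked part is benign.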