RE: [RPSEC] Re: draft-convery-bgpattack-00

[Stephen Kent <kent@bbn.com>]

At 11:55 PM +0100 11/8/02, Iljitsch van Beijnum wrote:
>On Fri, 8 Nov 2002, Stephen Kent wrote:
>
>>  There is a difference between approaches to security that rely on
>>  other ISPs to do the right thing, and approaches that let you know if
>>  other ISPs are doing the right thing. S-BGP falls into the latter
>>  category and thus is more resistant to benign failures and attacks
>>  against internal ISP route management components or procedures, vs.
>>  schemes that rely on ISPs doing local source address filtering, for
>>  example.
>
>Source address filtering can be done in other places than just the
>customer edge. It is possible to do this on peering interfaces as well,
>if done with care. Unfortunately, it can't be done on transit
>interfaces. So the tier-1 ISPs (who get all their traffic from peering)
>should step up to the plate and start doing this to protect the rest of
>us.

I realize that one can filter other than at the edge, but it gets 
harder to do it the further one goes away from the edge, with transit 
interfaces being the agreed upon limiting case. Your last sentence 
conflicts with my observation about the undesirability of relying on 
others to protect you, as far as security goes.

Its somewhat analogous to living in an apartment building; you can 
lock your own door to keep out unwanted visitors, or you can rely on 
all your fellow apartment dwellers to not loose their keys and to not 
buzz in bad visitors.

Steve
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec