RE: [RPSEC] Re: draft-convery-bgpattack-00
Iljitsch van Beijnum <iljitsch@muada.com> Wed, 06 November 2002 16:39 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA00793 for <rpsec-archive@odin.ietf.org>; Wed, 6 Nov 2002 11:39:27 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id gA6GfTe26878 for rpsec-archive@odin.ietf.org; Wed, 6 Nov 2002 11:41:29 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA6GfTv26875 for <rpsec-web-archive@optimus.ietf.org>; Wed, 6 Nov 2002 11:41:29 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA00785 for <rpsec-web-archive@ietf.org>; Wed, 6 Nov 2002 11:38:56 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA6Gf6v26831; Wed, 6 Nov 2002 11:41:06 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA6GdWv26664 for <rpsec@optimus.ietf.org>; Wed, 6 Nov 2002 11:39:32 -0500
Received: from sequoia.muada.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA00659 for <rpsec@ietf.org>; Wed, 6 Nov 2002 11:36:59 -0500 (EST)
Received: from localhost (iljitsch@localhost) by sequoia.muada.com (8.11.3/8.9.3) with ESMTP id gA6Gcxg58703; Wed, 6 Nov 2002 17:38:59 +0100 (CET) (envelope-from iljitsch@muada.com)
Date: Wed, 06 Nov 2002 17:38:59 +0100
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: sandy@tislabs.com
cc: bgreene@cisco.com, rpsec@ietf.org
Subject: RE: [RPSEC] Re: draft-convery-bgpattack-00
In-Reply-To: <200211061542.gA6FgfF14354@raven.gw.tislabs.com>
Message-ID: <20021106171433.J58530-100000@sequoia.muada.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
On Wed, 6 Nov 2002 sandy@tislabs.com wrote: > >IMHO - "Security requirements" that force Internet capital spending and > >network wide maintenance windows to deploy are not going to be adopted by > >the operations community. > Not a surprising development and reminiscent of the auto manufacturers' > stance on seat belts, crash resistent bumpers, air bags, ... Those whose > focus is the bottom line always want to be shown a financial incentive. > "How about 'survival'?" seems to be unpersuasive. Routers are a lot like regular computers in many ways, but you can only expect to sell a very small number compared to computers. I'm not a router builder but I think that's the reason why router CPUs are so slow compared to those of regular computers: the design costs to keep up with the latest CPU technology would be too high. As far as I can tell, verifying a signature takes in the order of a millisecond on a decent CPU. So with 115,000 routes in the global routing table, that's 2 minutes to initialize BGP, assuming one signature must be checked per route. I don't think this is acceptable, especially not considering router CPUs may be slower, there is other processing to do as well and the expected growth of the global routing table. This means routers must be equipped with crypto modules. Then there is memory. There are still many routers in production that are already in trouble memory-wise as their design allows only 32, 64 or 128 MB and a Cisco needs 256 MB to comfortably run BGP. I've tried to add up all the extra fields but I couldn't be sure how much of what goes where, but it looks like S-BGP will take at least twice the memory of regular BGP. This means some routers must be replaced completely and all others need hardware upgrades. So expect resistance from the people who have to pay the bill. Especially if there is so much of a byte wasted in your packet formats, or there is a place where crypto is used when the same result could be obtained without it. Also note that the perceived need for more security in BGP can't be all that high, as we can tell by the level of MD5 option deployment. _______________________________________________ RPSEC mailing list RPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/rpsec
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Joachim Jensen
- RE: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- [RPSEC] draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] draft-convery-bgpattack-00 Damir Rajnovic
- [RPSEC] Re: draft-convery-bgpattack-00 David G. Boney
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] draft-convery-bgpattack-00 Christopher Lonvick
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Birger Toedtmann
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Birger Toedtmann
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- [RPSEC] prefix origin authentication (was Re: dra… Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Tony Tauber
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Danny McPherson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Larry J. Blunk
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Barry Raveendran Greene
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Barry Raveendran Greene
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- RE: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Charles Lynn
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Susan Hares
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Aggregation in S-BGP was RE: [RPSEC] Re: draft-co… Charles Lynn
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Joel M. Halpern
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- [RPSEC] Potential requirements Charles Lynn
- Re: [RPSEC] Potential requirements Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Potential requirements Tony Tauber
- Re: [RPSEC] Potential requirements Steve Suehring
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson