IETF Logo Mail Archive

Re: [RPSEC] BGP Security Requirements v08

"tom.petch" <cfinss@dial.pipex.com> Thu, 19 July 2007 18:27 UTC

Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBaiU-0000uR-L1; Thu, 19 Jul 2007 14:27:10 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43) id 1IBaiT-0000t4-Um for rpsec-confirm+ok@megatron.ietf.org; Thu, 19 Jul 2007 14:27:09 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBaiT-0000sv-5e for rpsec@ietf.org; Thu, 19 Jul 2007 14:27:09 -0400
Received: from galaxy.systems.pipex.net ([62.241.162.31]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IBaiS-0000vQ-Gn for rpsec@ietf.org; Thu, 19 Jul 2007 14:27:09 -0400
Received: from pc6 (1Cust124.tnt28.lnd4.gbr.da.uu.net [62.188.156.124]) by galaxy.systems.pipex.net (Postfix) with SMTP id 65ED1E000278; Thu, 19 Jul 2007 19:27:04 +0100 (BST)
Message-ID: <051901c7ca29$521f4780$0601a8c0@pc6>
From: "tom.petch" <cfinss@dial.pipex.com>
To: <curtis@occnc.com>, "Sandy Murphy" <sandy@tislabs.com>
References: <200707182101.l6IL172W031766@harbor.brookfield.occnc.com>
Subject: Re: [RPSEC] BGP Security Requirements v08
Date: Thu, 19 Jul 2007 16:42:05 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Spam-Score: 1.4 (+)
X-Scan-Signature: 31247fb3be228bb596db9127becad0bc
Cc: rpsec@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "tom.petch" <cfinss@dial.pipex.com>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org

I am very much with Curtis on this one.  What he says seems pragmatic
engineering, allowing the Internet to evolve to a better place.  I would go for
a MUST in the protocol at this stage.

Tom Petch


----- Original Message -----
From: "Curtis Villamizar" <curtis@occnc.com>
To: "Sandy Murphy" <sandy@tislabs.com>
Cc: <rpsec@ietf.org>
Sent: Wednesday, July 18, 2007 11:01 PM
Subject: Re: [RPSEC] BGP Security Requirements v08


>
> In message <20070718194558.D2FBB3F43C@pecan.tislabs.com>
> Sandy Murphy writes:
> >
> > >The major ISPs have important major customers and peer.  For example
> > >they would not want their routing corrupted by a bad route to a major
> > >content provider.  Therefore many major providers will only accept
> > >these major customer and peer routes from a very limited set of ISPs.
> >
> > I hear you about the Internet mostly just works.
> >
> > But we seem to have p-l-e-n-t-y of publically discussed examples of
> > cases where the trust structure did not not serve us well.
> >
> > Furthermore, from what major ISP have said, what is said by others
> > about major ISPs and from the analyses of public data of some incidents,
> > it seems the case that some major ISPs (Spring comes to mind?) do not
> > filter well enough to prevent some noticable traffic redirection.
> > These have been accidents so far, but provide worked examples of
> > how bad the problem can get.
> >
> > Relying on the ISP trust and policies is mostly good enough for
> > mostly just works.
>
>
> This has been true for over a decade.
>
> Back in the mid-1990s ANS days two very major incidents occurred.  One
> was the intentional advertisement of very specific routes into PSI for
> every DNS TLD servier.  This took out DNS for anyone who beleived
> those routes.  It did not affect ANS due to IRR policy.  Another was
> announding critical subnets of AOL.  Again that did not affect ANS
> since they had specific filters to protect their direct customers and
> any peer that wished to register in the IRR.
>
> Even earlier, Sprint, UUNET, and PSI default routed to the NSFNET.
> Someone got a 56K circuit to ANS at a university in the middle east
> and announced the NSFNET address.  Sprint, UUNET and PSI were a mess
> for 10 hours.  NSFNET customers were fine (then it was the PRDB).
>
> There are ways to protect routing today.  Not everyone makes use of
> them.  That's been the case for a very long time.  And they are far
> from perfect.
>
>
> > >Add some authentication and you may have further improviment in the
> > >reliability of routing information.  Don't allow that to cross the
> > >major ISPs and the authenticaion is of very little use for ISPs.
> >
> > I agree with you here!  But I don't think anyone is talking about
> > not allowing auth info to cross major ISPs.  We're mostly arguing
> > how strong a requirement to make the ability to transit un-upgraded
> > ISPs: MUST, SHOULD, or MAY.
> >
> > --Sandy
>
>
> Some providers may never upgrade.  Some mechanism to still pass routes
> through them is needed, albiet placing less trust in those routes.
>
> Curtis
>
>
> _______________________________________________
> RPSEC mailing list
> RPSEC@ietf.org
> https://www1.ietf.org/mailman/listinfo/rpsec



_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.8.7 | Report a Bug | By Email