IETF Logo Mail Archive

Re: [RPSEC] BGP Security Requirements v08

Stephen Kent <kent@bbn.com> Wed, 18 July 2007 18:30 UTC

Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBEHq-0005u3-7y; Wed, 18 Jul 2007 14:30:10 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43) id 1IBEHo-0005jS-BL for rpsec-confirm+ok@megatron.ietf.org; Wed, 18 Jul 2007 14:30:08 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBEHn-0005j9-Vl for rpsec@ietf.org; Wed, 18 Jul 2007 14:30:08 -0400
Received: from mx11.bbn.com ([128.33.0.80]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IBEHn-0002OE-Ke for rpsec@ietf.org; Wed, 18 Jul 2007 14:30:07 -0400
Received: from dhcp89-089-071.bbn.com ([128.89.89.71]) by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1IBEHm-0005PI-5b; Wed, 18 Jul 2007 14:30:06 -0400
Mime-Version: 1.0
Message-Id: <p06240515c2c4060958e4@[128.89.89.71]>
In-Reply-To: <200707181614.l6IGEGrr026084@harbor.brookfield.occnc.com>
References: <200707181614.l6IGEGrr026084@harbor.brookfield.occnc.com>
Date: Wed, 18 Jul 2007 14:10:18 -0400
To: curtis@occnc.com
From: Stephen Kent <kent@bbn.com>
Subject: Re: [RPSEC] BGP Security Requirements v08
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e1e48a527f609d1be2bc8d8a70eb76cb
Cc: rpsec@ietf.org, Russ White <riw@cisco.com>
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org

At 12:14 PM -0400 7/18/07, Curtis Villamizar wrote:
>In message <F1A1D21DA394814E824AC89F5A005BA312CCE59D@zcarhxm0.corp.nortel.com>
>"James Ko" writes:
>> 
>> 
>>  Indeed, ideally incoming data should be "authentic" and "verifiable",
>>  otherwise we are back to square one and this work is no different but to
>>  give bad guys a window of opportunity to run man-in-the-middle attacks,
>>  or inject bogus routes.
>
>
>So why does Internet routing work at all today?  Rhetorical question.
>
>It does work by the way.  Not always perfectly.
>
>Curtis
>
>
>ps - The answer is because the DOS would be short lived and very
>traceable (ie: not much damage and they'd get caught).  The reason for
>this is the bogus information would have to be injected from within an
>ISP and ISP security of their own infrastructure is reasonably good.

Curtis,

a few observations:
	- as I just noted in a prior response, DoS is not the only issue here.

	- the fact that routing does generally work today is not a 
good basis for deciding on security requirements.  If we turn back 
the clock a few years we could say that DDoS attacks never happen and 
thus one need not make provisions to deter such attacks.  As they say 
in the financial sector "performance data shown represents past 
performance and is no guarantee of future results" :-).

	- active attacks against BGP sessions are possible. not all 
BGP sessions make use of extant protection mechanisms like the TCP 
MD5 checksum, and among those that do there are reports of key 
management that leave s a lot ot be desired

Steve


_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.8.7 | Report a Bug | By Email