[sidr] beacons and bgpsec

Danny McPherson <danny@tcb.net> Wed, 10 August 2011 01:06 UTC

Return-Path: <danny@tcb.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id D278C21F8AA9 for <sidr@ietfa.amsl.com>; Tue, 9 Aug 2011 18:06:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id eCkS6GfHmcU3 for <sidr@ietfa.amsl.com>; Tue, 9 Aug 2011 18:06:11 -0700 (PDT)
Received: from mailserver.ops-netman.net (unknown [IPv6:2001:470:e495:fade:5054:ff:fe79:69db]) by ietfa.amsl.com (Postfix) with ESMTP id EE2C821F8A95 for <sidr@ietf.org>; Tue, 9 Aug 2011 18:06:10 -0700 (PDT)
Received: from [] (90.sub-166-248-43.myvzw.com []) (Authenticated sender: danny@OPS-NETMAN.NET) by mailserver.ops-netman.net (Postfix) with ESMTPSA id DE4913202FA for <sidr@ietf.org>; Wed, 10 Aug 2011 01:06:36 +0000 (UTC)
From: Danny McPherson <danny@tcb.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 09 Aug 2011 21:06:34 -0400
Message-Id: <A37CADA4-F16D-4C01-8D9C-D01001C4EFE4@tcb.net>
To: sidr wg list <sidr@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [sidr] beacons and bgpsec
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2011 01:06:22 -0000

The discussion of "Beacons" at the last meeting reminds of of EIGRP's 'triggered updates" v. RIP's "periodic updates" (i.e., cousin of beacons)...

I think Randy successfully convinced me during his talk at the Quebec City WG session that "beacons" at a frequency of 24 hours (or anything in the "hours" range) are pretty much useless and add considerable churn and complexity with little return from a practical attack surface perspective.  

With the lifetime of the average phishing site being only ~55 hours (for many reasons, I know), and an inclination to believe that infrastructure threats are likely to be even more temporal, and I'm inclined to recommend that beacons be removed altogether in their current incarnation of bgpsec, as there are plenty of other scale issues to focus on. 

Further study on alternatives, downstream purging issues, and clock skew for network elements might be useful in this context.  I saw something on the DANE list from PHB about vast skew across end systems, wondering if anyone has measured this?