Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Internet failures over the next 3 years

  • From: Alex Bligh
  • Date: Tue Jun 22 19:13:09 1999

> >    - Critical Internet control software and systems
> 
> I am not a router vendor, but it seems that adding some sort of auth key to
> BGP (similar to the auth system of OSPF) wouldn't be all that difficult. 
> You could specify a key for each peer.

In the spirit of Randy Bush:

mae-east1#conf t
mae-east1(config)#router bgp nnnn
mae-east1(config-router)#neighb 1.1.1.1 pass ?
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)
  LINE   The password

The issue is not how you authenticate an individual neighbor,
but how you differentially authenticate the data sent
from that peer.

That authentication can be deployed manually (we trust
that peer entirely so won't filter them down to we require manual
prefix-list updates from that peer), but it is difficult
to do manually. IRR based filtering has well known problems.
There have been a number of suggestions for in-band (i.e.
within BGP or at least within router) authentication.
I have not yet seen one with no disadvantages. This is
not a dissimilar problem to the Usenet2 authenticated
news issue - it's not generally the direct peer that's
the problem, it's some of the articles/routes they
receive indirectly, and mistakenly trust.

-- 
Alex Bligh
GX Networks (formerly Xara Networks)







Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.