North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Whitehouse Tackels Cybersecurity
- From: Jared Mauch
- Date: Wed Sep 18 13:52:03 2002
On Wed, Sep 18, 2002 at 07:31:41PM +0200, Iljitsch van Beijnum wrote:
> On Wed, 18 Sep 2002, Steven M. Bellovin wrote:
> > See http://www.whitehouse.gov/pcipb/
> Wow, we should all start using out of band management. Anyone think it is
> feasible to do management of an IP network exclusively out of band?
> And BGP should be more secure. What is the problem we should be trying to
> fix here? There is a "Secure BGP" draft:
I think the problem that people are attempting to address is
the fact that most interprovider bgp sessions are unfiltered and
this can cause significant problems if someone starts leaking
improper routes or decides to do something malicious.
Authentication of routing announcements is seen as better than
"just letting it all slosh around".
> Implementing this may make BGP very secure, but it will make the internet
> as a whole much less reliable because routing will no longer be a function
> that can be performed autonomously by routers, but something that's tied
> into a global (public key) infrastructure. An infrastructure that depends
> on routing to work... Hello circularity.
Well, you need to have graded levels of trust. You will trust
your upstream more than your customers obviously. But yeah, there
do become some issues if people aren't doing local mirroring of
the dataset and they break their configs badly and need to
reconfigure. This does increase the barrier to entry significantly
in getting your announcements out there.
> I read solutions (well, avenues for possible solutions) without a good
> indication of what the problem is. (That goes for both the Secure
> Cyberspace and S-BGP drafts.)
Well, there are significant problems today with router
architecture that prevent s-bgp and other things from being deployed.
Namely start looking at those still using 2500/4500/4700 for bgp in
their networks (yes people still do this) and then ask it to do some
major cryptograhic authentication... The hardware is not designed
for this. Even a reasonable amount of todays 'modern' hardware may not
be able to handle this due to the centralized architecture. (take the
above router types as example as well as any others that don't have
When "W" goes surfing the net at night to shop for things
on ebay and can't get there because someone is improperly announcing
a /24 to hijack/DoS them, these are the things that they will suggest
down that there needs to be authentication and centralized routing
data created. Take a look at the LERG sometime if you have the
ability to see it. Lists the CLLI for each NPA-NXX that you are required
to deliver the call to. There are those that understand that
there are more complicated lookups involved but without people
from the industry providing feedback and playing hawk on the gov't,
we may not like what they come up with if we don't get people involved.
Jared Mauch | pgp key available via finger from email@example.com
clue++; | http://puck.nether.net/~jared/ My statements are only mine.