Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BGP to doom us all

  • From: Steven M. Bellovin
  • Date: Fri Feb 28 20:21:52 2003

In message <3E5FDFC8.3000208@whack.org>, Bruce Pinsky writes:
>
>Jim Deleskie wrote:
>> 
>> http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed
>> 
>> Seems the BGP will be the down fall of the internet, the sky is falling the
>> sky is falling
>
>
>What a crock of crap.  Knowing who someone is doesn't stop them from causing 
>intentional or unintentional problems.  In fact, authentication is more likely
> 

The problem that sBGP is trying to solve is *authorization*, not 
identification.  Briefly -- and please read the papers and the specs 
before flaming -- every originating AS would have a certificate chain
rooted at their local RIR stating that they own a certain address 
block.  If an ISP SWIPs a block to some customer, that ISP (which owns 
a certificate from the RIR for the parent block) would sign a 
certificate granting the subblock to the customer.  The customer could 
then announce it via sBGP.  

The other part sBGP is that it provides a chain of signatures of the 
entire ASpath back to the originator.

Now -- there are clearly lots of issues here, including the fact that 
the the authoritative address ownership data for old allocations is, 
shall we say, a bit dubious.  And the code itself is expensive to run, 
since it involves a lot of digital signatures and verifications, 
especially when things are thrashing because of a major backhoe hit.

But -- given things like the AS7007 incident, and given the possibility 
-- probability? -- that it can happen again, can we afford to not do 
sBGP?  My own opinion is that sophisticated routing attacks are the 
single biggest threat to the Internet.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.