Routing Insecurity (Re: BGP in the Washington Post)
On 2015-06-01 22:07, Mark Andrews wrote:
> If you have secure BGP deployed then you could extend the
> authentication to securely authenticate source addresses you emit
> and automate BCP38 filter generation and then you wouldn't have to
> worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic.

I don't believe this is entirely true, and BGPSEC certainly doesn't
solve most of what I'm concerned about from a routing security
perspective. See, e.g.:
https://tools.ietf.org/html/draft-ietf-grow-simple-leak-attack-bgpsec-no-help-04

That said, an Internet number resource certification infrastructure, be
it RPKI or something with a single root and scalable(!), is certainly
necessary, and can be used to bootstrap policy databases (e.g., IRRs)
that address both the inter-domain routing (e.g., origin "validation")
and data plane anti-spoofing security problems, and perhaps not require
operators (enterprises and nation states alike) to trade the autonomy
and flexibility they have in routing today for what others see as their
infrastructure security needs.

After all, stability, resiliency, and availability are ALSO factors in
the risk management gumbo that need to be considered by organizations,
and the tight coupling of RPKI and BGPSEC, as designed, is quite
possibly not as attractive to some operators as the designers might
suggest, particularly in light of new external dependencies, competitive
markets, Internet governance, geopolitical climate, etc.

Many that haven't deployed or have lost interest in having the
conversation have done so deliberately, and would prefer a routing by
rumor paradigm that affords autonomy and flexibility to one where new
control points and exorbitant costs and complexity simply scare the heck
out of them, the primitives of which surely extend to many of the
luminaries quoted in those articles.

YMMV,
-danny