[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Routing Insecurity (Re: BGP in the Washington Post)

Subject: Routing Insecurity (Re: BGP in the Washington Post)
From: david at mandelberg.org (David Mandelberg)
Date: Tue, 09 Jun 2015 19:09:45 -0400
In-reply-to: <[email protected]>
References: <17689457.2434.1433171075960.JavaMail.mhammett@ThunderFuck> <[email protected]> <CAD6AjGQWs-aKD8axgiRyaYXPB564MswKZsuaOUhjUn--KJXuUg@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <CAGvYMCrvPEBXv+P0no3DZ+uKBuvObemz=b0EfaR7=M9xxva82w@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]>

On 2015-06-05 02:40, Roland Dobbins wrote:
> On 5 Jun 2015, at 10:56, David Mandelberg wrote:
>
>> Could you elaborate on your enumeration and DDoS concerns?
>
> Crypto = more overhead.  Less priority to crypto plus DDoS = routing
> update issues.

I don't think there's an update issue here. The crypto verification is 
probably going to be deferred in addition to being low priority. If I 
understand it correctly, this means that a route can be passed along 
right away without waiting for the crypto checks.

> One can infer peering relationships in a way not possible before.

How?

> What about bogus signatures?

If I understand correctly, these routes (and all newly received routes) 
will initially be treated similarly to unsigned routes. Once BGPsec 
validation completes, then local policy determines what to do with the 
validation results.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

Follow-Ups:
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: russw at riw.us (Russ White)

References:
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: nanog at ics-il.net (Mike Hammett)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: mark.tinka at seacom.mu (Mark Tinka)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: cb.list6 at gmail.com (Ca By)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: marka at isc.org (Mark Andrews)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: dwcarder at wisc.edu (Dale W. Carder)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: ethan at cs.washington.edu (Ethan Katz-Bassett)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: david at mandelberg.org (David Mandelberg)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)

Prev by Date: Looking for information on IGP choices in dual-stack networks
Next by Date: Looking for information on IGP choices in dual-stack networks
Previous by thread: Routing Insecurity (Re: BGP in the Washington Post)
Next by thread: Routing Insecurity (Re: BGP in the Washington Post)
Index(es):
- Date
- Thread