[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Routing Insecurity (Re: BGP in the Washington Post)

Subject: Routing Insecurity (Re: BGP in the Washington Post)
From: randy at psg.com (Randy Bush)
Date: Wed, 10 Jun 2015 06:31:07 -0700
In-reply-to: <[email protected]>
References: <17689457.2434.1433171075960.JavaMail.mhammett@ThunderFuck> <[email protected]> <CAD6AjGQWs-aKD8axgiRyaYXPB564MswKZsuaOUhjUn--KJXuUg@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <CAGvYMCrvPEBXv+P0no3DZ+uKBuvObemz=b0EfaR7=M9xxva82w@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <m2381zpxvf.wl%[email protected]> <[email protected]>

>> rtfm.  bgpsec key aggregation is at the descretion of the operator.
>> they could use one key to cover 42 ASs.
> 
> I've been reading the presentations and the mailing lists, both of
> which imply you should use one key per router for security reasons.
> I would tend to agree with that assessment, BTW.

folk have different threat models.  yours (and mine) may be
propagation of router compromise.  for others, it might be a subtle
increase in disclosure of router links.  contrary to your original
assertion, the protocol supports both.

randy

Follow-Ups:
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: russw at riw.us (Russ White)

References:
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: nanog at ics-il.net (Mike Hammett)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: mark.tinka at seacom.mu (Mark Tinka)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: cb.list6 at gmail.com (Ca By)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: marka at isc.org (Mark Andrews)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: dwcarder at wisc.edu (Dale W. Carder)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: ethan at cs.washington.edu (Ethan Katz-Bassett)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: david at mandelberg.org (David Mandelberg)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: rdobbins at arbor.net (Roland Dobbins)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: david at mandelberg.org (David Mandelberg)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: russw at riw.us (Russ White)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: randy at psg.com (Randy Bush)
- Routing Insecurity (Re: BGP in the Washington Post)
  - From: russw at riw.us (Russ White)

Prev by Date: Android (lack of) support for DHCPv6
Next by Date: Routing Insecurity (Re: BGP in the Washington Post)
Previous by thread: Routing Insecurity (Re: BGP in the Washington Post)
Next by thread: Routing Insecurity (Re: BGP in the Washington Post)
Index(es):
- Date
- Thread