[102717] in North American Network Operators' Group
Re: YouTube IP Hijacking
daemon@ATHENA.MIT.EDU (Scott Francis)
Mon Feb 25 06:56:46 2008
Date: Mon, 25 Feb 2008 03:26:57 -0800
From: "Scott Francis" <darkuncle@gmail.com>
To: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.64.0802250140420.28061@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu
On Sun, Feb 24, 2008 at 10:49 PM, Sean Donelan <sean@donelan.com> wrote:
>
> On Mon, 25 Feb 2008, Steven M. Bellovin wrote:
> > How about state-of-the-art routing security?
>
> The problem is what is the actual trust model?
>
> Are you trusting some authority to not be malicious or never make a
> mistake?
>
> There are several answers to the malicious problem.
>
> There are fewer answers to never making a mistake problem.
[snip]

+5, Insightful.

The focus thus far seems to have been on establishing security on the
basis of trusted senders (SPF for BGP, if you'll pardon my rather
crude analogy). The impact of a mistake-based failure in a trusted
scenario could actually be quite a bit higher than what we've seen
thus far:

1) if data (e.g. routes) from a "trusted" source is allowed into a
network (or used as a basis for decision-making) with minimal
screening, attackers will immediately shift focus to spoofing trusted
sources, just as they currently do in other scenarios;

2) the impact of a typo or other operator error when operating in
"trusted mode" is much higher than that of mistakes from non-trusted
sources (if 17557's upstream had trusted a little less - by not
automatically propagating any new routes that showed up at the front
door - the current incident could very well have amounted to little
more than a log entry somewhere, and perhaps an email).

I think what you and Steve Bellovin had to say about anti-mistake
protocol and belt-and-suspenders should be garnering at least as much
consideration as prevention of malicious attacks/forgeries/etc.,
considering the percentage of outages caused by operator error vs
those caused by malice ...
--
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
http://darkuncle.net/pubkey.asc for public key
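
Added example, not part of the original message or any operator's real configuration: a sketch of the screening described in point 2, where an upstream checks each customer announcement against what that customer has registered and turns anything else into a log entry instead of propagating it. The filter table, ASNs, prefixes and function names are all constructed for illustration (documentation ranges from RFC 5398 and RFC 5737).

```python
import ipaddress

# Constructed filter table: prefixes each customer ASN has registered with the
# upstream, plus the longest prefix length accepted under each. ASNs and
# prefixes are documentation values (RFC 5398, RFC 5737), not real networks.
CUSTOMER_FILTERS = {
    64500: [("192.0.2.0/24", 24), ("198.51.100.0/24", 24)],
}

def screen(peer_asn, prefix, as_path):
    """Return (verdict, reason) for one announcement received from peer_asn."""
    entries = CUSTOMER_FILTERS.get(peer_asn)
    if entries is None:
        return "reject", "no filter on file for this peer"  # default deny
    if not as_path or as_path[0] != peer_asn:
        return "reject", "leftmost AS in path is not the peer"
    net = ipaddress.ip_network(prefix)
    for registered, max_len in entries:
        cover = ipaddress.ip_network(registered)
        if net.version == cover.version and net.subnet_of(cover):
            if net.prefixlen <= max_len:
                return "accept", f"covered by {cover}"
            return "reject", f"longer than /{max_len} under {cover}"
    return "reject", "prefix not registered for this customer"

def process(updates):
    """Split updates into routes to propagate and log lines for the rest."""
    propagate, log = [], []
    for peer_asn, prefix, as_path in updates:
        verdict, reason = screen(peer_asn, prefix, as_path)
        if verdict == "accept":
            propagate.append(prefix)
        else:
            log.append(f"AS{peer_asn} {prefix}: {reason}")
    return propagate, log

# Constructed sample session: one expected route, one prefix the customer
# never registered, one more-specific of a registered block.
SAMPLE_UPDATES = [
    (64500, "192.0.2.0/24", [64500]),
    (64500, "203.0.113.0/24", [64500]),
    (64500, "198.51.100.128/25", [64500]),
]

if __name__ == "__main__":
    routes, rejected = process(SAMPLE_UPDATES)
    print("propagate:", routes)
    for line in rejected:
        print("LOG", line)
```

The check runs the same way whether or not the peer is considered trusted, so a typo on the customer side and a forged announcement arriving over that session both end up in the log rather than in the routing table.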