[102744] in North American Network Operators' Group


Re: Secure BGP (Was: YouTube IP Hijacking)

daemon@ATHENA.MIT.EDU (Sandy Murphy)
Mon Feb 25 18:28:44 2008

To: michael.dillon@bt.com, nanog@merit.edu
Cc: sandy@tislabs.com
In-Reply-To: <D03E4899F2FB3D4C8464E8C76B3B68B00203B5C1@E03MVC4-UKBR.domain1.systemhost.net>
Date: Mon, 25 Feb 2008 15:01:34 -0500 (EST)
From: sandy@tislabs.com (Sandy Murphy)
Errors-To: owner-nanog@merit.edu


>Is there some way of deploying a solution like Secure BGP without
>actually requiring that it go into the routers?

The IETF SIDR wg (shameless plug as I'm wg co-chair) is working on
a way to say with strong assurance who holds what prefixes, and
therefore who can authorize the origination of what prefixes.

This could be used in creating filter lists, answering customer
requests (please announce this for me...), checking the RIB out-of-band,
etc.

Such info is also the foundation of any yet proposed mechanism for doing
in-band bgp security (S-BGP, soBGP, psBGP, SPV, etc., etc.), but the
sidr work by itself does not need to be done in the router.

Maybe some of you could take a look and comment.

Look for the drafts at http://www.ietf.org/html.charters/sidr-charter.html

--Sandy
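
An out-of-band RIB check of the kind the message describes, as an added example that is not part of the original post and is not SIDR working-group code. The authorization list format, the rule that an authorization for a prefix also covers its more-specifics, and every prefix and AS number below are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation AS numbers (RFC 5398). Not taken from any real registry.
AUTHORIZATIONS = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("198.51.100.0/24", 64498),   # a holder may authorize more than one origin
]

# Constructed RIB snapshot: (prefix, AS path as seen by the collector).
RIB = [
    ("192.0.2.0/24", [64500, 64496]),
    ("192.0.2.128/25", [64500, 64511]),   # more-specific from another origin
    ("198.51.100.0/24", [64501, 64498]),
    ("203.0.113.0/24", [64502, 64499]),   # no authorization on file
]


def build_index(authorizations):
    """Parse authorizations into (network, origin_as) pairs."""
    return [(ipaddress.ip_network(p), asn) for p, asn in authorizations]


def classify(prefix, as_path, index):
    """Return 'authorized', 'unauthorized' or 'unknown' for one RIB entry."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]            # the originating AS is last in the path
    # Assumption: an authorization covers the prefix and its more-specifics.
    covering = [asn for auth_net, asn in index
                if auth_net.version == net.version and net.subnet_of(auth_net)]
    if not covering:
        return "unknown"            # nobody has said who holds this space
    return "authorized" if origin in covering else "unauthorized"


def audit_rib(rib, authorizations):
    """Classify every RIB entry and collect prefixes for a deny filter."""
    index = build_index(authorizations)
    report = [(p, path[-1], classify(p, path, index)) for p, path in rib]
    deny = [p for p, _, verdict in report if verdict == "unauthorized"]
    return report, deny


if __name__ == "__main__":
    report, deny = audit_rib(RIB, AUTHORIZATIONS)
    for prefix, origin, verdict in report:
        print(f"{prefix:<18} AS{origin:<6} {verdict}")
    print("deny:", deny)
```

The three-way result matters operationally: "unknown" entries have no authorization data at all and should be reviewed separately rather than filtered alongside the "unauthorized" ones.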
