[144213] in North American Network Operators' Group
Re: Do Not Complicate Routing Security with Voodoo Economics
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Sep 5 14:37:06 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4E64EC71.9080704@ttec.com>
Date: Mon, 5 Sep 2011 11:34:44 -0700
To: Joe Maimon <jmaimon@ttec.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sep 5, 2011, at 8:36 AM, Joe Maimon wrote:
>
>
> Owen DeLong wrote:
>>
>> On Sep 5, 2011, at 7:24 AM, Jennifer Rexford wrote:
>>
>>>
>>>>
>>>> One could argue that rejecting routes which you previously had no way to know you should reject will inherently alter the routing system and that this is probably a good thing.
>>>
>>> Good point. Also, "tie breaking" in favor of signed-and-verified routes over not-signed-and-verified routes does not necessarily affect your traffic "positively or negatively" -- rather, if you are letting an arbitrary final tie break make the decision anyway, you are arguably *neutral* about the outcome...
>>>
>>> -- Jen
>>
>> This is true in terms of whether you care or not, but, if one just looks at whether it changes the content of the FIB or not, changing which arbitrary tie breaker you use likely changes the contents of the FIB in at least some cases.
>>
>> The key point is that if you are to secure a previously unsecured database such as the routing table, you will inherently be changing the contents of said database, or, your security isn't actually accomplishing anything.
>>
>> Owen
>>
>
>
> Except if you believe we have been lucky until now and security is all about the future where we may be less lucky.
>
I'm pretty sure that there is actually a fair amount of pollution in the routing table today and that it will only get worse until we have some form of security.
I believe that most spammers operate by advertising hijacked prefixes for short periods of time and then going away before people can react.
Since there have been multiple instances of proof of my above belief, I would find it very hard to believe we have been lucky until now.
> What I would be interested in seeing is a discussion on whether any anti-competitive market distortion incentives exist for large providers in adopting secured BGP. We might be lucky there too.
>
Of course they do. We probably won't get particularly lucky there, either.
> Perhaps this will finally help solve the routing slot scalability problem. Might also jumpstart LISP. Which may put some more steam into v6. Welcome to the brave new internet.
>
Probably not. I really doubt it will do much to help LISP.
Contrary to many people's opinions, I think that IPv4 address shortage and the coming costs of attempting to maintain IPv4 on life support will put more steam into IPv6 than any artificial move we could make in this area.
> Good for everyone, right?
>
IPv6 is good for everyone whether they realize it or not.
LISP I'm not as convinced.
> Are you feeling lucky?
>
No, not really.
Owen