[144230] in North American Network Operators' Group
Re: Do Not Complicate Routing Security with Voodoo Economics
daemon@ATHENA.MIT.EDU (Alexander Harrowell)
Tue Sep 6 05:34:04 2011
From: Alexander Harrowell <a.harrowell@gmail.com>
To: nanog@nanog.org
Date: Tue, 6 Sep 2011 10:33:12 +0100
In-Reply-To: <22122255-5F6E-4395-BFF7-007CE5FE8CA9@delong.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Monday 05 Sep 2011 15:53:38 Owen DeLong wrote:
> This is true in terms of whether you care or not, but, if one just
> looks at whether it changes the content of the FIB or not, changing
> which arbitrary tie breaker you use likely changes the contents of the
> FIB in at least some cases.
>
> The key point is that if you are to secure a previously unsecured
> database such as the routing table, you will inherently be changing the
> contents of said database, or, your security isn't actually
> accomplishing anything.

This is true and should probably be considered a universal law. If the
introduction of security precautions to a system does not change the
system, the security precautions are ineffective.

This is based on the principle that people and systems are imperfect, so
it is extremely unlikely that there are no bad actors or wildlife in the
pre-security state, and further that false-positive results are
inevitable. It has the corollary that introducing security precautions
is invariably costly, and therefore that you must consider the security
gain relative to the inevitable costs before deciding to do so.

This is of course an intellectually difficult problem. With regard to
BGP, the security gain is not so much determined by how bad the problem
is now, as by how bad it could potentially be if someone took it into
their heads to tear up the rules and declare war. The answer is "very,
very bad indeed" which is why we're having this discussion.

It also reminds me of J.K. Galbraith's notion of the bezzle - at any
time, there is an inventory of undiscovered embezzlement in the economy.
Before it is discovered, both the fraudster and his or her victim
believe themselves to possess the money that has been stolen - there is
a net increase in psychic wealth, in JKG's words. In times of
prosperity, the bezzle grows, and in times of recession, it shrinks.

There is a bezzle of indeterminate size in the routing table, but we
won't find out how big it is until we audit it (i.e. deploy SBGP). Some
of it will just be randomness - misconfigurations and errors - but some
of it will be enemy action.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail
to lists complaining about them