[175831] in North American Network Operators' Group
Re: BGP Security Research Question
daemon@ATHENA.MIT.EDU (Yuri Slobodyanyuk)
Tue Nov 4 08:45:49 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <20141104.133814.74685217.sthaug@nethelp.no>
Date: Tue, 4 Nov 2014 15:45:40 +0200
From: Yuri Slobodyanyuk <yuri@yurisk.info>
To: sthaug@nethelp.no
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Let me disagree - Pakistan Youtube was possible only because their uplink
provider did NOT implement inbound route filters. As always the weakest
link is the human factor - and no super-duper newest technology is ever going
to help here.
As regards S-BGP/soBGP from a technical point of view, wait for the day
when the vulnerability gets published (SSL-heartbleed style) that
invalidates all this PKI stuff ...
Yuri
On Tue, Nov 4, 2014 at 2:38 PM, <sthaug@nethelp.no> wrote:
> > In real life people use - BGP TTL security, MD5 passwords, control plane
> > protection of port 179, inbound/outbound route filters. So far this has
> > been enough.
>
> These mechanisms do little or nothing to protect against unauthorized
> origination of routing information. There are plenty of examples which
> say it has *not* been enough, see for instance the Pakistan Telecom -
> Youtube incident in 2008.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>
--
Taking challenges one by one.
http://yurisk.info
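
The inbound route filtering this thread argues about, as an added example that is not part of the original messages: a provider-side check that accepts a customer's announcement only if it falls inside that customer's registered prefixes. The ASNs, prefixes, table layout and function name are constructed for illustration (documentation address space, private-use ASNs).

```python
import ipaddress

# Constructed filter table: customer ASN -> (registered prefix, longest
# more-specific accepted inside it). Anything not listed is denied.
CUSTOMER_FILTERS = {
    64500: [("198.51.100.0/24", 24), ("203.0.113.0/24", 24)],
}

def accept_route(neighbor_asn, prefix, as_path):
    """Return (accepted, reason) for one announcement from a customer session.

    This runs after the session itself is up, so TTL security, MD5 and
    port-179 protection have already passed; none of them inspect which
    prefixes the neighbor originates.
    """
    net = ipaddress.ip_network(prefix)
    entries = CUSTOMER_FILTERS.get(neighbor_asn)
    if entries is None:
        return False, "no filter configured for neighbor: deny by default"
    if not as_path or as_path[0] != neighbor_asn:
        return False, "first AS in path is not the neighbor"
    for allowed, max_len in entries:
        allowed_net = ipaddress.ip_network(allowed)
        if (net.version == allowed_net.version
                and net.subnet_of(allowed_net)
                and net.prefixlen <= max_len):
            return True, f"covered by {allowed} le {max_len}"
    return False, "prefix not in customer's registered set"

# Constructed announcements received from customer AS64500.
SAMPLE_UPDATES = [
    ("198.51.100.0/24", [64500]),   # the customer's own space
    ("192.0.2.0/24", [64500]),      # someone else's space, originated by the customer
    ("198.51.100.128/25", [64500]), # more-specific beyond the agreed length
]

def filter_updates(neighbor_asn, updates):
    """Split announcements into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix, path in updates:
        ok, reason = accept_route(neighbor_asn, prefix, path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected

if __name__ == "__main__":
    acc, rej = filter_updates(64500, SAMPLE_UPDATES)
    print("accepted:", acc)
    print("rejected:", rej)
```

The filter is only as good as the table behind it: a neighbor with no entry, or an entry that was never maintained, is the gap the first message attributes to the human factor.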