[180337] in North American Network Operators' Group
Routing Insecurity (Re: BGP in the Washington Post)
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Jun 1 11:01:24 2015
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAD6AjGSU-JCiax2UtT9ibL1s8Hy9RhfEbY_PmssBqUCyNrPeAA@mail.gmail.com>
Date: Mon, 1 Jun 2015 11:00:38 -0400
To: Ca By <cb.list6@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
> On Jun 1, 2015, at 10:08 AM, Ca By <cb.list6@gmail.com> wrote:
> The article left me with the feeling that there was a secure version of BGP
> that is available but network operators are too short-term-focused and
> foolish to deploy it.
>
> I believe the situation is more complicated than that, no? There is no
> "secure version of BGP". There are a handful of things that help, like
> RPKI ... but they are far off from hitting the mark of "securing the
> internet"... not to mention the ARIN RPKI SNAFU with various lawyers that
> make RPKI impossible for a large part of the internet.
>
> CB
>
> PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate
> because Cisco does not think validation within a VRF is an IOS-XR worthy
> feature
>
> PPS. It does blow my mind that the internet works so well given that its
> security relies on the good faith and reputation of a few network janitors
> and plumbers

The issue here is that people treat routing security the same way as
the Jennifer Aniston character in "Office Space" and her flair. People
do the minimum to make it work and forget about it.

This can have catastrophic effects if one does that with your sewers,
septic fields, etc. but we accept it in the BGP and routing universe
for some reason. You even see that with the IRR data, people add and never
remove. You can explore your objects here, you might be surprised how old
they are or who is injecting garbage today.
http://irrexplorer.nlnog.net/

At $dayjob we try to do the right thing and as a result see complaints
from customers, prospects and even our vendors that what we do pushes
their scale limits and capabilities. Gert asks if you enabled IPv6 on
something today, (or did you turn IPv4 off soon I think will be a fair
question).

What have we (You!) done to improve routing security recently?

Do we need a photo or t-shirt of Randy Bush saying “only you can prevent
route hijackings?”

- Jared