[180338] in North American Network Operators' Group
Re: Routing Insecurity (Re: BGP in the Washington Post)
daemon@ATHENA.MIT.EDU (Mike Hammett)
Mon Jun 1 11:05:40 2015
X-Original-To: nanog@nanog.org
Date: Mon, 1 Jun 2015 10:04:59 -0500 (CDT)
From: Mike Hammett <nanog@ics-il.net>
To: nanog@nanog.org
In-Reply-To: <04FE9EA4-8AB0-4A81-BF87-5DC29DF5EBF0@puck.nether.net>
Errors-To: nanog-bounces@nanog.org
Actually, that's the level of attention given to all kinds of infrastructure
just about everywhere. ;-)
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message -----
From: "Jared Mauch" <jared@puck.nether.net>
To: "Ca By" <cb.list6@gmail.com>
Cc: nanog@nanog.org
Sent: Monday, June 1, 2015 10:00:38 AM
Subject: Routing Insecurity (Re: BGP in the Washington Post)
> On Jun 1, 2015, at 10:08 AM, Ca By <cb.list6@gmail.com> wrote:
> The article left me with the feeling that there was a secure version of BGP
> that is available but network operators are too short-term-focused and
> foolish to deploy it.
>
> I believe the situation is more complicated than that, no? There is no
> "secure version of BGP". There are a handful of things that help, like
> RPKI ... but they are far off from hitting the mark of "securing the
> internet"... not to mention the ARIN RPKI SNAFU with various lawyers that
> make RPKI impossible for a large part of the internet.
>
> CB
>
> PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate
> because Cisco does not think validation within a VRF is an IOS-XR worthy
> feature
>
> PPS. It does blow my mind that the internet works so well given that its
> security relies on the good faith and reputation of a few network janitors
> and plumbers
The issue here is that people treat routing security the same way as
the Jennifer Aniston character in "Office Space" and her flair. People
do the minimum to make it work and forget about it.
This can have catastrophic effects if one does that with your sewers,
septic fields, etc but we accept it in the BGP and routing universe
for some reason. You even see that with the IRR data, people add and never
remove. You can explore your objects here, you might be surprised how old
they are or who is injecting garbage today. http://irrexplorer.nlnog.net/
at $dayjob we try to do the right thing and as a result see complaints
from customers, prospects and even our vendors that what we do pushes
their scale limits and capabilities. Gert asks if you enabled IPv6 on
something today, (or did you turn IPv4 off soon I think will be a fair
question).
What have we (You!) done to improve routing security recently?
Do we need a photo or t-shirt of randy bush saying “only you can prevent
route hijackings?”
- Jared