[180435] in North American Network Operators' Group
Re: Routing Insecurity (Re: BGP in the Washington Post)
daemon@ATHENA.MIT.EDU (Ethan Katz-Bassett)
Tue Jun 2 22:04:45 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <20150602151233.GA29050@DOIT-2NW1MRFY-X.doit.wisc.edu>
From: Ethan Katz-Bassett <ethan@cs.washington.edu>
Date: Wed, 03 Jun 2015 02:04:31 +0000
To: "Dale W. Carder" <dwcarder@wisc.edu>, Roland Dobbins <rdobbins@arbor.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
The same folks also followed up that workshop paper with a longer paper on
the topic:
https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf
On Tue, Jun 2, 2015 at 8:16 AM Dale W. Carder <dwcarder@wisc.edu> wrote:
> Thus spake Roland Dobbins (rdobbins@arbor.net) on Tue, Jun 02, 2015 at 03:05:13PM +0700:
> >
> > On 2 Jun 2015, at 11:07, Mark Andrews wrote:
> >
> > >If you have secure BGP deployed then you could extend the authentication
> > >to securely authenticate source addresses you emit and automate
> > >BCP38 filter generation and then you wouldn't have to worry about
> > >DNS, NTP, CHARGEN etc. reflecting spoofed traffic
> >
> > This can be and is done by networks which originate routes and which
> > practice good network hygiene, no PKI required.
> >
> > But then we get into the customer of my customer (of my customer, of my
> > customer . . .) problem, and things aren't quite so clear.
> >
> > There are also potentially significant drawbacks to incorporating PKI into
> > the routing space, including new potential DoS vectors against PKI-enabled
> > routing elements, the potential for enumeration of routing elements, and the
> > possibility of building a true 'Internet kill switch' with effects far
> > beyond what various governmental bodies have managed to do so far in the DNS
> > space.
> >
> > Once governments figured out what the DNS was, they started to use it as a
> > ban-hammer - what happens in a PKIed routing system once they figure out
> > what BGP is?
> >
> > But nobody seems to be discussing these potential drawbacks, very much.
>
> Start here:
> https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
>
> Dale
>