[180493] in North American Network Operators' Group

Re: Routing Insecurity (Re: BGP in the Washington Post)

daemon@ATHENA.MIT.EDU (David Mandelberg)
Fri Jun 5 01:43:04 2015

X-Original-To: nanog@nanog.org
Date: Thu, 04 Jun 2015 23:56:01 -0400
From: David Mandelberg <david@mandelberg.org>
To: nanog@nanog.org
In-Reply-To: <EE691157-0F9A-4DE2-A5DD-878F56456F98@arbor.net>
Errors-To: nanog-bounces@nanog.org

On 06/03/2015 04:27 AM, Roland Dobbins wrote:
> (not to mention the
> enumeration and enhanced DDoS impact of packeting routers doing crypto
> for their BGP sessions and which aren't protected via iACLs/GTSM).

Could you elaborate on your enumeration and DDoS concerns? If you're
concerned about the public finding out exactly how many routers you have
because you've published one BGPsec router key per router, you can
choose to use the same router key on multiple routers. If you're
concerned about all the crypto work overloading a router, the plan (as
far as I've heard) is for the routers to do the BGPsec crypto work in
the background as a low priority. I.e., incoming signed routes will
initially be treated like unsigned routes, and the BGPsec validation
will be kicked off in the background. Once the validation is complete,
then routing decisions can be made based on the BGPsec validity.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
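
The deferred validation described in the message above, modelled as an added example that is not part of the original message and is not taken from any router implementation. The `Route` and `Rib` classes, the `sig_ok` flag standing in for a real BGPsec signature check, and the preference policy in `best()` are all assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

UNVERIFIED, VALID, INVALID = "unverified", "valid", "invalid"

@dataclass
class Route:
    prefix: str
    peer: str
    path_len: int
    signed: bool
    sig_ok: bool = False      # constructed stand-in for a real BGPsec signature check
    state: str = UNVERIFIED   # every route starts out like an unsigned one

class Rib:
    def __init__(self):
        self.routes = {}        # prefix -> list of Route
        self.pending = deque()  # signed routes awaiting background validation

    def receive(self, route):
        # No crypto on the receive path: install first, queue validation for later.
        self.routes.setdefault(route.prefix, []).append(route)
        if route.signed:
            self.pending.append(route)

    def best(self, prefix):
        # Assumed policy: drop invalid, prefer valid over unverified, then shorter path.
        rank = {VALID: 0, UNVERIFIED: 1}
        usable = [r for r in self.routes.get(prefix, []) if r.state != INVALID]
        return min(usable, key=lambda r: (rank[r.state], r.path_len), default=None)

    def validate_when_idle(self, budget):
        # Low-priority worker: at most `budget` verifications per idle slice.
        done = 0
        while self.pending and done < budget:
            route = self.pending.popleft()
            route.state = VALID if route.sig_ok else INVALID
            done += 1
        return done

def demo():
    rib = Rib()
    prefix = "192.0.2.0/24"  # documentation prefix, constructed sample
    rib.receive(Route(prefix, "peerA", 2, signed=True, sig_ok=False))  # bad signature
    rib.receive(Route(prefix, "peerB", 3, signed=True, sig_ok=True))
    picks = [rib.best(prefix).peer]      # before any validation has run
    while rib.validate_when_idle(budget=1):
        picks.append(rib.best(prefix).peer)
    return picks, len(rib.pending)
```

In this model the route with the bad signature is the best path until the background worker reaches it, so the length of the pending queue is the quantity to monitor: it bounds how long an unverified route can influence forwarding.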