[180687] in North American Network Operators' Group


Re: Routing Insecurity (Re: BGP in the Washington Post)

daemon@ATHENA.MIT.EDU (David Mandelberg)
Tue Jun 9 19:12:15 2015

X-Original-To: nanog@nanog.org
Date: Tue, 09 Jun 2015 19:09:45 -0400
From: David Mandelberg <david@mandelberg.org>
To: <nanog@nanog.org>
In-Reply-To: <9188268B-59C4-4FA8-9CA4-3C514CF2625B@arbor.net>
Errors-To: nanog-bounces@nanog.org

On 2015-06-05 02:40, Roland Dobbins wrote:
> On 5 Jun 2015, at 10:56, David Mandelberg wrote:
>
>> Could you elaborate on your enumeration and DDoS concerns?
>
> Crypto = more overhead.  Less priority to crypto plus DDoS = routing
> update issues.

I don't think there's an update issue here. The crypto verification is 
probably going to be deferred in addition to being low priority. If I 
understand it correctly, this means that a route can be passed along 
right away without waiting for the crypto checks.

> One can infer peering relationships in a way not possible before.

How?

> What about bogus signatures?

If I understand correctly, these routes (and all newly received routes) 
will initially be treated similarly to unsigned routes. Once BGPsec 
validation completes, then local policy determines what to do with the 
validation results.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
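
An added illustration of the deferred-validation behaviour described in the message above; it is not part of the original post and not code from any BGPsec implementation. The `DeferredValidator` class, the policy table, the per-AS keys and the HMAC stand-in for signatures are all assumptions made for this sketch.

```python
import hashlib
import hmac
from collections import deque

# Constructed per-AS keys; HMAC stands in for BGPsec's real signatures (assumption).
KEYS = {64500: b"key-64500", 64501: b"key-64501"}

def sign(asn, prefix, key=None):
    """Toy single-hop signature over (origin AS, prefix); not the BGPsec wire format."""
    msg = f"{asn}|{prefix}".encode()
    return hmac.new(key or KEYS[asn], msg, hashlib.sha256).digest()

class DeferredValidator:
    """Hypothetical router model: routes are usable at once, checks run later."""

    def __init__(self, policy):
        self.policy = policy    # local policy: state -> local-pref, None means drop
        self.rib = {}           # prefix -> route attributes and validation state
        self.pending = deque()  # prefixes waiting for the low-priority crypto check
        self.forwarded = []     # prefixes already passed along to peers

    def receive(self, prefix, asn, sig):
        # No crypto on the update path: install as "unverified" and forward right away.
        self.rib[prefix] = {"asn": asn, "sig": sig, "state": "unverified",
                            "pref": self.policy["unverified"]}
        self.pending.append(prefix)
        self.forwarded.append(prefix)

    def validate_pending(self, budget):
        """Run at most `budget` signature checks, e.g. only when CPU is idle."""
        done = 0
        while self.pending and done < budget:
            prefix = self.pending.popleft()
            route = self.rib.get(prefix)
            if route is None:
                continue
            ok = hmac.compare_digest(route["sig"], sign(route["asn"], prefix))
            route["state"] = "valid" if ok else "invalid"
            route["pref"] = self.policy[route["state"]]
            if route["pref"] is None:   # this sample policy drops invalid routes
                del self.rib[prefix]
            done += 1
        return done

def demo(budget):
    r = DeferredValidator({"unverified": 100, "valid": 200, "invalid": None})
    r.receive("192.0.2.0/24", 64500, sign(64500, "192.0.2.0/24"))
    r.receive("198.51.100.0/24", 64501, sign(64501, "198.51.100.0/24", key=b"forged"))
    r.validate_pending(budget)
    return r.forwarded, {p: v["state"] for p, v in r.rib.items()}
```

With a budget of 0 (router too busy to validate) both routes are still forwarded and remain `unverified`; the bogus signature only has an effect once the deferred check runs and the sample policy is applied.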
