nanog mailing list archives
Re: BGPMON Alert Questions
From: Sharon Goldberg <goldbe () cs bu edu>
Date: Thu, 3 Apr 2014 23:06:22 -0400
On Thu, Apr 3, 2014 at 8:50 PM, Randy Bush <randy () psg com> wrote:
> > Good point, which makes me ask: So which 5 to 10 networks, implementing
> > source validation, could result in the greatest "coverage" or "protection"
> > for the largest part of the Internet?
>
> to the best of my knowledge, no one has looked at this for origin
> validation. sharon goldberg and co-conspirators have done a lot of work in
> the area, see her pubs at https://www.cs.bu.edu/~goldbe/. but the
> concentration seems to be on bgpsec which deploys quite differently
Right, we (and others) have not looked at the efficacy of a partial deployment of origin validation (using the RPKI) yet. But we did look at partial deployments of BGPSEC. We found that a large number of networks (around 50% of ASes) need to deploy BGPSEC before its security benefits really kick in. The reasons for this include (1) routing policies during partial deployment might not prioritize BGPSEC validity over AS path length or local pref, and (2) you need every node on an AS path to deploy BGPSEC before it works. Full paper here: https://www.cs.bu.edu/~goldbe/papers/partialSec.pdf

We also looked at prefix filtering and found that it has better partial deployment characteristics. Our analysis assumed that ISPs only filter routes from their *stub* customers. (We defined a stub as an AS that does not have its own customers.) Then we looked at the fraction of attacks that would be eliminated if the X largest ISPs correctly implemented prefix filtering. ("Large" was measured in terms of the number of customer ASes the ISP had.) See Figure 18 on pg 15 of this paper, and the text explaining it in the middle of the right column on pg 15: http://research.microsoft.com/pubs/120428/BGPAttack-full.pdf

Finally, like Randy says, RPKI deploys quite differently from BGPSEC. My intuition says that (1) once the RPKI is fully populated with ROAs for all originated prefixes, then (2) a partial deployment of origin validation at a few large ISPs should be fairly effective. But I would have to validate this with experiments before I can be sure, or say exactly how many ISPs, etc.

Sharon

--
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe
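The "X largest ISPs filter their stub customers" analysis Sharon describes, reduced to a toy model as an added example (not code from the cited papers or from anyone on the list): the provider/customer topology, the per-stub prefixes standing in for ROAs, and the hijack model (a stub announcing another stub's prefix) are all constructed assumptions, and the multihomed stub shows why filtering at one provider alone is not enough.

```python
"""Toy model of the partial-deployment question raised in the thread: if only
the X largest ISPs (ranked by number of customer ASes) filter prefixes from
their *stub* customers, what fraction of stub-originated hijacks is dropped?
Added example, not code from the cited papers or the list. The topology,
prefixes and the hijack model (a stub announcing another stub's prefix) are
constructed assumptions."""

# Constructed provider -> stub-customer lists. Each customer here is a stub
# (no customers of its own); AS31 is multihomed to AS3 and AS4.
CUSTOMERS = {
    "AS1": ["AS10", "AS11", "AS12", "AS13"],
    "AS2": ["AS20", "AS21", "AS22"],
    "AS3": ["AS30", "AS31"],
    "AS4": ["AS31", "AS40"],
}
# Constructed ROA-like table: the one prefix each stub legitimately originates.
OWNED = {stub: f"10.{i}.0.0/24" for i, stub in
         enumerate(sorted({c for cs in CUSTOMERS.values() for c in cs}))}

def providers_of(stub):
    """Every provider a stub could announce a route through."""
    return {p for p, cs in CUSTOMERS.items() if stub in cs}

def largest_isps(k):
    """The k providers with the most customer ASes (the size metric in the thread)."""
    return set(sorted(CUSTOMERS, key=lambda p: len(CUSTOMERS[p]), reverse=True)[:k])

def accepts(provider, stub, prefix, filtering):
    """Does `provider` accept `prefix` announced by its stub customer `stub`?
    A filtering provider only accepts prefixes the stub is registered for."""
    return provider not in filtering or OWNED.get(stub) == prefix

def blocked_fraction(k):
    """Fraction of stub hijacks (a stub announcing another stub's prefix) that
    reach no provider when the k largest ISPs filter their stub customers."""
    filtering = largest_isps(k)
    attacks = blocked = 0
    for attacker in OWNED:
        for victim, prefix in OWNED.items():
            if victim == attacker:
                continue
            attacks += 1
            # A multihomed stub's hijack leaks unless every provider filters.
            if not any(accepts(p, attacker, prefix, filtering)
                       for p in providers_of(attacker)):
                blocked += 1
    return blocked / attacks

if __name__ == "__main__":
    for k in range(len(CUSTOMERS) + 1):
        print(f"top {k} ISPs filtering -> {blocked_fraction(k):.0%} of hijacks dropped")
```

With these constructed numbers the curve is 0%, 40%, 70%, 80%, 100% as k goes from 0 to 4; the step from 3 to 4 is entirely the multihomed stub, whose hijacks still leak through AS4 until it filters too.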