nanog mailing list archives
Re: Routing Insecurity (Re: BGP in the Washington Post)
From: Mike Hammett <nanog () ics-il net>
Date: Mon, 1 Jun 2015 10:04:59 -0500 (CDT)
Actually, that's the level of attention given to all kinds of infrastructure just about everywhere. ;-) ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com ----- Original Message ----- From: "Jared Mauch" <jared () puck nether net> To: "Ca By" <cb.list6 () gmail com> Cc: nanog () nanog org Sent: Monday, June 1, 2015 10:00:38 AM Subject: Routing Insecurity (Re: BGP in the Washington Post)
On Jun 1, 2015, at 10:08 AM, Ca By <cb.list6 () gmail com> wrote: The article left me with the feeling that there was a secure version of BGP that is available but network operators are too short-term-focused and foolish to deploy it. I believe the situation is more complicated than that, no? There is no "secure version of BGP". There are a handful of things that help, like RPKI ... but they are far off from hitting the mark of "securing the internet"... not too mention the ARIN RPKI SNAFU with various lawyers that make RPKI impossible for a large part of the internet. CB PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate because Cisco does not think validation within a VRF is an IOS-XR worthy features PPS. It does blow my mind that the internet works so well given that its security relies on the good faith and reputation of a few network janitors and plumbers
The issue here is that people treat routing security the same way as the Jennifer Anniston character in "Office Space" and her flair. People do the minimum to make it work and forget about it. This can have catastrophic effects if one does that with your sewers, septic fields, etc but we accept it in the BGP and routing universe for some reason. You even see that with the IRR data, people add and never remove. You can explore your objects here, you might be surprised how old they are or who is injecting garbage today. http://irrexplorer.nlnog.net/ at $dayjob we try to do the right thing and as a result see complaints from customers, prospects and even our vendors that what we do pushes their scale limits and capabilities. Gert asks if you enabled IPv6 on something today, (or did you turn IPv4 off soon I think will be a fair question). What have we (You!) done to improve routing security recently? Do we need a photo or t-shirt of randy bush saying “only you can prevent route hijackings?” - Jared
Current thread:
- BGP in the Washngton Post William Herrin (Jun 01)
- Re: BGP in the Washngton Post Måns Nilsson (Jun 01)
- Re: BGP in the Washngton Post Christopher Morrow (Jun 01)
- RE: BGP in the Washngton Post Jeff Masiello (Jun 01)
- Re: BGP in the Washngton Post Ca By (Jun 01)
- Routing Insecurity (Re: BGP in the Washington Post) Jared Mauch (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Mike Hammett (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Mark Tinka (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Ca By (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Mark Andrews (Jun 01)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Denis Fondras (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Dale W. Carder (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Ethan Katz-Bassett (Jun 02)
- Re: Routing Insecurity (Re: BGP in the Washington Post) Roland Dobbins (Jun 03)
- Routing Insecurity (Re: BGP in the Washington Post) Jared Mauch (Jun 01)
- Re: BGP in the Washngton Post Måns Nilsson (Jun 01)