nanog mailing list archives
Re: BGP Experiment
From: Saku Ytti <saku () ytti fi>
Date: Wed, 9 Jan 2019 20:32:29 +0200
On Wed, 9 Jan 2019 at 20:24, Töma Gavrichenkov <ximaera () gmail com> wrote:
So, network device vendors releasing security advisories twice a year isn't a big part of the explanation?
Those are scheduled, they have to meet some criteria to be pushed on scheduled lot. There are also out of cycle SIRTs. And yes, vendors are delaying them, because customers don't want to upgrade often, because customer's customers don't want to see connections down often.
Err... don't they? My experience is quite the opposite.
Well that is odd experience, considering anyone with rudimentary understanding of control-plane policing can bring internet down from single VPS. Majority of deployed devices _cannot_ be protected against DoS motivated attacker, and I'm not talking link congestion, I'm talking control-plane congestion with few Mbps.
If we could be sure that after such fuzzing there would still be a working transport infrastructure to report on top of, then yes.
If it's important to get right, we should try to prove it wrong actively and persistently by good guys, at least then reporting and statistics can be produced. But I'm not sure if it's important to get right, market seems to indicate security does not matter.
— just like we did with IoT in 2016 —
Internet still running, I'm still getting paid.
If anything, I suspect if it's cheaper to enter the market with inferior security and quality then that is likely good business caseThis is also correct so far. I wonder if it's here to stay.
We'd need the current security posture to be sufficiently unmarketable. But motivation to simply DoS internet doesn't really exist. DoS is against service end points, infrastucture is trivial target, but for some reason not really targeted. I'm sure state actors have library of DoS transit packets and BGP UPDATE packets to be deployed when strategy requires given network or region to be disrupted. Because, we, the internet plumbers, keep finding those without trying, just trying to keep the network working, what can someone find who is funded and motivated to find those? -- ++ytti
Current thread:
- Re: BGP Experiment, (continued)
- Re: BGP Experiment Owen DeLong (Jan 09)
- Re: BGP Experiment Nick Hilliard (Jan 08)
- Re: BGP Experiment Randy Bush (Jan 08)
- Re: BGP Experiment Eric Kuhnke (Jan 08)
- Re: BGP Experiment Randy Bush (Jan 08)
- Re: BGP Experiment Job Snijders (Jan 08)
- Re: BGP Experiment Tore Anderson (Jan 08)
- Re: BGP Experiment Töma Gavrichenkov (Jan 09)
- Re: BGP Experiment Saku Ytti (Jan 09)
- Re: BGP Experiment Töma Gavrichenkov (Jan 09)
- Re: BGP Experiment Saku Ytti (Jan 09)
- Re: BGP Experiment Töma Gavrichenkov (Jan 09)
- Re: BGP Experiment Eric Kuhnke (Jan 08)
- Re: BGP Experiment Owen DeLong (Jan 09)
- Re: BGP Experiment Töma Gavrichenkov (Jan 09)
- Re: BGP Experiment Saku Ytti (Jan 09)
- Re: BGP Experiment Töma Gavrichenkov (Jan 09)
- Re: BGP Experiment Saku Ytti (Jan 09)
- Re: BGP Experiment Töma Gavrichenkov (Jan 09)
- RE: BGP Experiment adamv0025 (Jan 09)
- Re: BGP Experiment Töma Gavrichenkov (Jan 09)
- Re: BGP Experiment Owen DeLong (Jan 09)