BGP to doom us all

http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed

Seems the BGP will be the downfall of the internet; the sky is falling, the
sky is falling.

Jim Deleskie wrote:

http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed

Seems the BGP will be the downfall of the internet; the sky is falling, the
sky is falling.

What a crock of crap. Knowing who someone is doesn't stop them from causing intentional or unintentional problems. In fact, authentication is more likely to cause people to become complacent wrt their filtering policies. Hey I've authenticated that router so it's going to only send me correct routes. Puleeeaaazzzz...

:What a crock of crap. Knowing who someone is doesn't stop them from causing
:intentional or unintentional problems. In fact, authentication is more likely
:to cause people to become complacent wrt their filtering policies. Hey I've
:authenticated that router so it's going to only send me correct routes.
:Puleeeaaazzzz...

The authentication I suspect he is referring to is certification
of the routes themselves, not mere peer authentication.

However, given the recent academic popularity of attacks against routers,
such as the Phenoelit OSPF exploit, BindView's TCP ISN strange attractors,
Tim Newsham's ISN paper, some large vendors' use of widely available
hardware and/or operating systems, and others, it's worth being extra
mindful of router security.

Dashing off press releases about internet vulnerabilities is a bit like
that cold fusion in a coffee cup incident. It harmed the credibility of
all researchers and may have set back a lot of other legitimate efforts.

The technical solutions are pretty easy; almost everyone on the list
understands them. We Cassandras in the security business just have to
find a better way of making people more mindful of security in their
day-to-day operations. Appeasing the media's thirst for broad and
fearsome pronouncements doesn't help things. Unfortunately, this
sort of mindfulness isn't so much taught as it must be learned, and
so we are back to the operator clue issue.

*sigh*.

Mu. ;-)

http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed

actually, the article is not all that far off reality as i see it.
the exception being that the ietf has NOT been diligently pursuing
sBGP but rather a lot of the effort is going into a 3/4 hack being
pushed by vendor laziness.

randy

What a crock of crap. Knowing who someone is doesn't stop them
from causing intentional or unintentional problems. In fact,
authentication is more likely to cause people to become
complacent wrt their filtering policies. Hey I've authenticated
that router so it's going to only send me correct routes.

maybe you should actually read the sBGP specs before spouting off.

randy

Other than pending patents and a cool name Secure BGP, you still have
the fundamental problem. Garbage In, Garbage Out. The only difference
is now you have Secure Garbage(tm).

There is a problem that needs to be solved. But like the whole
micro-payments, SET, etc. thing: if the solution is more complicated and
more expensive than the alternatives, it won't get used no matter how
"secure" it is.

:actually, the article is not all that far off reality as i see it.
:the exception being that the ietf has NOT been diligently pursuing
:sBGP but rather a lot of the effort is going into a 3/4 hack being
:pushed by vendor laziness.

The comments in the article are accurate, but the choice of
facts is conspicuous, given all the other horrible
what-if scenarios out there. Also, publicly riffing
on specific technical issues doesn't address the underlying
causes of the problems.

I think the only problem with the comments is that they over-estimate
the benefit of that level of security relative to the overhead it
requires.

I think the only problem with the comments is that they
over-estimate the benefit of that level of security relative
to the overhead it requires.

crypto hardware has become cheap.

randy

:> I think the only problem with the comments is that they
:> over-estimate the benefit of that level of security relative
:> to the overhead it requires.
:
:crypto hardware has become cheap.

Cheap to buy, but the time for processing each certificate will
increase with the size of the routing table, and we just end up
replicating the problem of recalculating large routing tables,
but now with certification, no?

Cheap to buy, but the time for processing each certificate will
increase with the size of the routing table, and we just end up
replicating the problem of recalculating large routing tables,
but now with certification, no?

no. you *really* may want to read up on sbgp before attempting
to discuss its scaling qualities.

randy

Hi, NANOGers.

] However, given the recent academic popularity of attacks against routers,

Indeed! Compromised routers (generally Cisco) are routinely traded in
the underground. However, these routers are usually compromised by
taking advantage of weak passwords, e.g. "cisco" for access and enable. :-(

Some who trade for compromised routers (one cisco is worth approximately
three to five stolen credit cards) specifically ask for routers running
BGP, and may pay a premium for this extra.

Trade in compromised Juniper routers is rare, but it does occur.

As to what is done with these compromised routers, well, ask me at the
next NANOG.

There are many things folks can do with existing BGP configurations to
make things a bit better. Prefix filtering, both on ingress and egress,
MD5 authentication, and ACLs for TCP 179 help. Are they perfect? No,
nothing is a panacea. However, raising the bar even a little can yield
impressive results.

Thanks,
Rob.
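As an added example (not code from the thread or from any vendor), a small Python audit that checks a constructed IOS-style config for the items Rob lists: per-neighbor prefix filtering in and out, an MD5 session password, and an ACL restricting TCP 179 to known peers. The sample config, ASNs, addresses and list names are made up, and the line matching assumes Cisco-style `neighbor` statements.

```python
import re

# Constructed IOS-style config: one hardened neighbor, one that is not.
SAMPLE_CONFIG = """\
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 password CHANGEME
 neighbor 192.0.2.1 prefix-list FROM-PEER in
 neighbor 192.0.2.1 prefix-list TO-PEER out
 neighbor 198.51.100.9 remote-as 64502
 neighbor 198.51.100.9 prefix-list TO-PEER out
!
ip access-list extended BGP-PEERS
 permit tcp host 192.0.2.1 any eq 179
 deny tcp any any eq 179
"""

def parse_neighbors(config):
    """Group the 'neighbor <ip> <statement>' lines by neighbor address."""
    neighbors = {}
    for line in config.splitlines():
        m = re.match(r"\s*neighbor (\S+) (.+)$", line.rstrip())
        if m:
            neighbors.setdefault(m.group(1), []).append(m.group(2))
    return neighbors

def acl_permits_179_from(config, ip):
    """True if an ACL line explicitly permits TCP 179 from this peer address."""
    return re.search(rf"permit tcp host {re.escape(ip)} any eq 179", config) is not None

def acl_denies_179_by_default(config):
    """True if TCP 179 is denied from everyone not explicitly permitted."""
    return re.search(r"deny tcp any any eq 179", config) is not None

def audit(config):
    """Return {neighbor: [missing hardening items]}; an empty list means OK."""
    findings = {}
    for ip, stmts in parse_neighbors(config).items():
        missing = []
        if not any(s.startswith("password ") for s in stmts):
            missing.append("md5 password")
        if not any(re.match(r"prefix-list \S+ in$", s) for s in stmts):
            missing.append("ingress prefix-list")
        if not any(re.match(r"prefix-list \S+ out$", s) for s in stmts):
            missing.append("egress prefix-list")
        if not acl_permits_179_from(config, ip):
            missing.append("tcp/179 not permitted from peer in ACL")
        findings[ip] = missing
    return findings
```

Run `audit(SAMPLE_CONFIG)` and `acl_denies_179_by_default(SAMPLE_CONFIG)` to see which neighbor is missing which control.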

Indeed! Compromised routers (generally Cisco) are routinely traded in
the underground. However, these routers are usually compromised by
taking advantage of weak passwords, e.g. "cisco" for access and enable. :-(

RCS of your router config is your friend.
Mailing the diff between authorized config and running config every N
minutes to eng-int@network is your friend.

Not running "trust everything" configuration on your network is your friend.

Some who trade for compromised routers (one cisco is worth approximately
three to five stolen credit cards) specifically ask for routers running
BGP, and may pay a premium for this extra.

Who cares? If the other routers are configured correctly, they won't take
tainted advertisements. If they are not configured correctly, any Super
Secure BGP won't help.

Alex

Hi, Alex.

] RCS of your router config is your friend.

Yep, agreed. Sanity checking router configurations is a very wise move.
Just so everyone knows, the miscreants generally disable all logging
capability and enact ACLs to block all ICMP, UDP, and selectively permit
telnet from their hacked hosts. These are some of the warning signs.

] Who cares? If the other routers are configured correctly, they won't take
] tainted advertisements. If they are not configured correctly, any Super
] Secure BGP won't help.

Yep, thus my constant raving about prefix filtering. :-)

Thanks,
Rob.
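As an added example serving both Alex's diff-every-N-minutes suggestion and Rob's list of warning signs (not code from either poster), a Python script that diffs an authorized config against the running one and flags added lines that match those signs: logging disabled, ICMP and UDP blocked, telnet permitted from specific hosts. Both configs are constructed IOS-style fragments, and the patterns assume that syntax.

```python
import difflib
import re

# Constructed authorized (version-controlled) config and a drifted running config.
AUTHORIZED = """\
hostname edge1
logging host 203.0.113.5
ip access-list extended EDGE-IN
 permit ip any any
line vty 0 4
 transport input ssh
"""
RUNNING = """\
hostname edge1
no logging on
ip access-list extended EDGE-IN
 permit tcp host 192.0.2.66 any eq telnet
 deny icmp any any
 deny udp any any
 permit ip any any
line vty 0 4
 transport input telnet ssh
"""

# Patterns for the warning signs Rob describes (assumed IOS-style syntax).
WARNING_SIGNS = [
    ("logging disabled", re.compile(r"^no logging")),
    ("telnet permitted from specific host", re.compile(r"^\s*permit tcp host \S+ .*eq (telnet|23)\b")),
    ("ICMP blocked", re.compile(r"^\s*deny icmp ")),
    ("UDP blocked", re.compile(r"^\s*deny udp ")),
    ("telnet enabled on vty", re.compile(r"^\s*transport input .*telnet")),
]

def config_diff(authorized, running):
    """Unified diff of authorized vs running config: the text to mail every N minutes."""
    return list(difflib.unified_diff(authorized.splitlines(), running.splitlines(),
                                     fromfile="authorized", tofile="running", lineterm=""))

def warning_signs(diff_lines):
    """Return [(reason, line)] for lines added to the running config that match a sign."""
    hits = []
    for line in diff_lines:
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only lines that appeared on the router matter here
        added = line[1:]
        for reason, pattern in WARNING_SIGNS:
            if pattern.search(added):
                hits.append((reason, added.strip()))
    return hits
```

An empty diff yields no hits; any hit is worth a page to eng-int before the next N minutes pass.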