BGP to doom us all

The problem that sBGP is trying to solve is *authorization*, not
identification. Briefly -- and please read the papers and the specs
before flaming -- every originating AS would have a certificate chain
rooted at their local RIR stating that they own a certain address
block. If an ISP SWIPs a block to some customer, that ISP (which owns
a certificate from the RIR for the parent block) would sign a
certificate granting the subblock to the customer. The customer could
then announce it via sBGP.

The other part of sBGP is that it provides a chain of signatures of the
entire ASpath back to the originator.

Now -- there are clearly lots of issues here, including the fact that
the authoritative address ownership data for old allocations is,
shall we say, a bit dubious. And the code itself is expensive to run,
since it involves a lot of digital signatures and verifications,
especially when things are thrashing because of a major backhoe hit.

But -- given things like the AS7007 incident, and given the possibility
-- probability? -- that it can happen again, can we afford to not do
sBGP? My own opinion is that sophisticated routing attacks are the
single biggest threat to the Internet.

    --Steve Bellovin, http://www.research.att.com/~smb (me)
    http://www.wilyhacker.com (2nd edition of "Firewalls" book)
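The two mechanisms described in the post above (an address-ownership
certificate chain rooted at the RIR, and a signature chain over the
AS path) as a small worked model. This is an added example, not code
from the post or from the sBGP project: the AS numbers and prefixes are
constructed, and the "signatures" are HMAC-SHA256 with per-entity keys
the verifier already knows, a deliberate stand-in for the public-key
signatures real sBGP uses so that the block runs on the standard library
alone. What it shows is the authorization logic: a sub-block certificate
must be signed by the holder of the parent block and fall inside it, the
origin AS must be the subject of the last certificate, and every AS on
the path must have signed the path up to itself plus the next hop. It
also shows why an AS7007-style announcement (a prefix the origin holds
no certificate for, or a more-specific carved out of a signed route)
fails the check.

```python
"""Toy sBGP authorization model (added example, not sBGP's own code).

Signatures are HMAC-SHA256 with keys the verifier holds; this is a
placeholder for the asymmetric signatures a real deployment would use.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed key registry: stands in for each entity's key pair.
KEYS = {
    "RIR": b"rir-secret",
    "AS64500": b"isp-secret",        # ISP holding the parent block
    "AS64501": b"customer-secret",   # customer SWIPped a sub-block
    "AS64502": b"transit-secret",
    "AS64503": b"receiver-secret",
    "AS7007X": b"rogue-secret",      # hypothetical AS with no address cert
}


def sign(signer, message):
    return hmac.new(KEYS[signer], message.encode(), hashlib.sha256).hexdigest()


def verify(signer, message, sig):
    return signer in KEYS and hmac.compare_digest(sign(signer, message), sig)


@dataclass(frozen=True)
class AddressCert:
    issuer: str    # who signs: the RIR, or the holder of the parent block
    subject: str   # who is granted the block
    prefix: str
    sig: str


def issue_address_cert(issuer, subject, prefix):
    return AddressCert(issuer, subject, prefix, sign(issuer, f"{issuer}|{subject}|{prefix}"))


def verify_address_chain(chain, origin_as, trust_anchor="RIR"):
    """Walk from the RIR down: each cert is signed by the previous subject
    and covers a sub-block of the previous prefix; the last subject must
    be the AS that originates the route."""
    expected_issuer, parent = trust_anchor, None
    for cert in chain:
        if cert.issuer != expected_issuer:
            return False
        if not verify(cert.issuer, f"{cert.issuer}|{cert.subject}|{cert.prefix}", cert.sig):
            return False
        net = ipaddress.ip_network(cert.prefix)
        if parent is not None and not net.subnet_of(parent):
            return False
        parent, expected_issuer = net, cert.subject
    return bool(chain) and chain[-1].subject == origin_as


@dataclass(frozen=True)
class RouteAttestation:
    signer: str
    path: tuple     # AS path so far, origin first, ending with the signer
    next_hop: str   # the AS this announcement is being sent to
    sig: str


def route_message(prefix, path, next_hop):
    return f"{prefix}|{','.join(path)}|{next_hop}"


def attest(prefix, path, next_hop):
    signer = path[-1]
    return RouteAttestation(signer, tuple(path), next_hop,
                            sign(signer, route_message(prefix, path, next_hop)))


def verify_route(prefix, as_path, attestations, receiver):
    """Receiver checks that every AS signed the path up to itself, for this
    exact prefix, and named the AS it forwarded the announcement to."""
    if len(attestations) != len(as_path):
        return False
    for i, att in enumerate(attestations):
        expected_next = as_path[i + 1] if i + 1 < len(as_path) else receiver
        if (att.signer != as_path[i] or att.path != tuple(as_path[: i + 1])
                or att.next_hop != expected_next):
            return False
        if not verify(att.signer, route_message(prefix, att.path, att.next_hop), att.sig):
            return False
    return True


def announcement_is_authorized(prefix, as_path, chain, attestations, receiver):
    return (verify_address_chain(chain, as_path[0])
            and verify_route(prefix, as_path, attestations, receiver))


def demo():
    prefix = "192.0.2.0/25"  # constructed customer sub-block
    chain = [issue_address_cert("RIR", "AS64500", "192.0.2.0/24"),
             issue_address_cert("AS64500", "AS64501", prefix)]
    path = ["AS64501", "AS64502"]
    atts = [attest(prefix, path[:1], "AS64502"), attest(prefix, path, "AS64503")]
    good = announcement_is_authorized(prefix, path, chain, atts, "AS64503")
    # Origin holds no certificate for the block: address chain check fails.
    rogue_path = ["AS7007X", "AS64502"]
    rogue_atts = [attest(prefix, rogue_path[:1], "AS64502"), attest(prefix, rogue_path, "AS64503")]
    rogue = announcement_is_authorized(prefix, rogue_path, chain, rogue_atts, "AS64503")
    # A more-specific carved out of the signed /25: attestations do not cover it.
    more_specific = verify_route("192.0.2.0/26", path, atts, "AS64503")
    return good, rogue, more_specific


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

The verifier in this model holds the signing keys, so the chain only
demonstrates the containment and path-binding checks; with public-key
signatures the same verification runs without any shared secret. The
cost Bellovin mentions is visible in the structure: one signature check
per certificate in the chain plus one per AS on the path, for every
announcement.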

:But -- given things like the AS7007 incident, and given the possibility
:-- probability? -- that it can happen again, can we afford to not do
:sBGP? My own opinion is that sophisticated routing attacks are the
:single biggest threat to the Internet.

Without sliding into a discussion about what our worst imaginable
attack would be, how are they more of a threat than a worm that
saturates links?

I am interested in how you measure the threat of attacks against
routing protocols against that of something like slammer, as I
would think that routing problems would limit their own propagation
much faster than say, the way slammer slowed itself down by
saturating links.

I am taking sophisticated routing attacks to mean specific protocol
exploitation, instead of attacks on the devices themselves. I would
even suspect that it is not possible for routing information to be
scrambled in any widely propagated and irreparable way, for similar
reasons to why it can't be kept straight without constant updates.

That is, the route confusion will limit its own propagation
precisely because it may no longer know how to propagate itself. Or
rather, the more valid paths valid routing information has, the more
likely it will spread, no?

I wonder how you could test that.

Thanks,

The problem that sBGP is trying to solve is *authorization*, not
identification. Briefly -- and please read the papers and the specs
before flaming -- every originating AS would have a certificate chain
rooted at their local RIR stating that they own a certain address
block. If an ISP SWIPs a block to some customer, that ISP (which owns
a certificate from the RIR for the parent block) would sign a
certificate granting the subblock to the customer. The customer could
then announce it via sBGP.

The other part of sBGP is that it provides a chain of signatures of the
entire ASpath back to the originator.

Now - show me an operational environment on the Internet where this authorization
chain is _working_ today. RIRs and RADB do not count. As you mention before,
those databases and keeping them up to date are a "pulling teeth" exercise.

Now -- there are clearly lots of issues here, including the fact that
the authoritative address ownership data for old allocations is,
shall we say, a bit dubious. And the code itself is expensive to run,
since it involves a lot of digital signatures and verifications,
especially when things are thrashing because of a major backhoe hit.

But -- given things like the AS7007 incident, and given the possibility
-- probability? -- that it can happen again, can we afford to not do
sBGP?

AS 7007 can be solved with our existing tool set.

As mentioned here and at NANOGs in the past, our biggest problem is providers not
using the tools that they have to build incident resistance into today's
network.

My own opinion is that sophisticated routing attacks are the
single biggest threat to the Internet.

My opinion is that lazy operational practices are the single biggest threat to
the Internet. What's the point of building security and robustness into a system
when people choose not to turn it on?

RIRs do count and the infrastructure to set up the chain is there.
Address assignment and allocation is a quite formal and well recorded
process these days.

The address *allocation&assignment* databases are in good shape for
about the last 8 years. The fact that they are not in good shape for
assignments from "the good old days" is true. But this is being
actively worked on and one should not blow it up out of proportion.

Deploying technologies like SBGP would of course provide additional
incentives to record allocations and assignments and the resulting
signing of certs even better.

Daniel