BGP to doom us all

The problem that sBGP is trying to solve is *authorization*, not
identification. Briefly -- and please read the papers and the specs
before flaming -- every originating AS would have a certificate chain
rooted at their local RIR stating that they own a certain address
block. If an ISP SWIPs a block to some customer, that ISP (which owns
a certificate from the RIR for the parent block) would sign a
certificate granting the subblock to the customer. The customer could
then announce it via sBGP.

The other part of sBGP is that it provides a chain of signatures over the
entire AS path back to the originator.

Now - show me an operational environment on the Internet where this authorization
chain is _working_ today. RIRs and RADB do not count. As you mentioned before,
those databases and keeping them up to date are a "pulling teeth" exercise.

It doesn't exist -- and we have routing problems, due mostly to
carelessness, but...

Now -- there are clearly lots of issues here, including the fact that
the authoritative address ownership data for old allocations is,
shall we say, a bit dubious. And the code itself is expensive to run,
since it involves a lot of digital signatures and verifications,
especially when things are thrashing because of a major backhoe hit.

But -- given things like the AS7007 incident, and given the possibility
-- probability? -- that it can happen again, can we afford to not do
sBGP?

AS 7007 can be solved with our existing tool set.

As mentioned here and at NANOGs in the past, our biggest problem is providers not
using the tools that they have to build incident resistance into today's
network.

But not against more sophisticated variants.

My own opinion is that sophisticated routing attacks are the
single biggest threat to the Internet.

My opinion is that lazy operational practices are the single biggest threat to
the Internet. What's the point of building security and robustness into a system
when people choose not to turn it on?

"Never attribute to malice what can be explained by incompetence".

    --Steve Bellovin, error (me)
    http://www.wilyhacker.com (2nd edition of "Firewalls" book)

How do you tell the difference? There have been weird routing problems
on the Net for a long time. Some have been large, and quickly fixed.
Others have been small, and aren't fixed (as quickly). Some don't even
cause problems, but route traffic through unusual places. There have
been a few poison packets over the years which crashed alternate
implementations. Although I still think the recovery mechanism was
sometimes worse than the problem.

I'll be stupid, and ask some questions I've always wondered about.

Why should routes learned by eBGP have a higher priority than iBGP?

Why should BGP implementations flap all good routes when they see a single
bad route packet?

Why don't SWIP forms include Origin-AS?

Why should routes learned by eBGP have a higher priority than iBGP?

In general, isn't it better that they pay to carry the traffic across
the world on their network, rather than you?

Why don't SWIP forms include Origin-AS?

Good question...but is it too late? Would seem like a more worthy effort
than forcing security into bgp...at least in the interim. If nothing else,
it would seem like the route dbs solved a problem that should never have
existed in the first place. Why isn't that totally integrated with network
assignment? Why have multiple authorities? To me, the lack of true
authority makes the radb and friends advisory bodies at best. What we
really need is an authoritative body. Somebody who can say, without a
doubt (and without having to pay an additional maintenance fee or maintain
multiple objects with multiple routing arbiters), who should be allowed to
announce which prefix.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
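The two halves of sBGP sketched at the top of the thread (an address-block certificate chain rooted at the RIR, and a chain of signatures over the AS path) can be shown working end to end. The program below is an added example written for this page; it is not code from the thread, from the sBGP specification, or from any sBGP implementation. It assumes Ed25519 signatures, one key per AS (so the customer's address certificate is bound to the same key that signs its AS-path hop), a byte encoding invented for the example, private-range ASNs (64500, 64501, 64502, 64666) and documentation prefixes (192.0.2.0/24, 198.51.100.0/24) as constructed data. It checks an honest two-hop announcement, a hijack of the customer's /25 by an AS holding no certificate for it, and an ISP "SWIPing" a block it does not itself hold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/netip"
)

// AddrCert: prefix, holder key, and the delegating party's signature (RIR at
// the root, ISP for a SWIPed sub-block). Byte encoding invented for this example.
type AddrCert struct {
	Prefix netip.Prefix
	Holder ed25519.PublicKey
	Sig    []byte
}

func certBytes(p netip.Prefix, holder ed25519.PublicKey) []byte {
	return append([]byte(p.Masked().String()+"|"), holder...)
}

func issueCert(issuer ed25519.PrivateKey, p netip.Prefix, holder ed25519.PublicKey) AddrCert {
	return AddrCert{p.Masked(), holder, ed25519.Sign(issuer, certBytes(p, holder))}
}

// verifyAddrChain walks RIR -> ISP -> customer. Each link must be signed by the
// previous holder and each prefix must lie inside its parent's block. It
// returns the leaf prefix and the key entitled to originate it.
func verifyAddrChain(rir ed25519.PublicKey, chain []AddrCert) (netip.Prefix, ed25519.PublicKey, error) {
	if len(chain) == 0 {
		return netip.Prefix{}, nil, fmt.Errorf("empty chain")
	}
	signer, parent := rir, netip.Prefix{}
	for i, c := range chain {
		if !ed25519.Verify(signer, certBytes(c.Prefix, c.Holder), c.Sig) {
			return parent, nil, fmt.Errorf("link %d: bad signature on %s", i, c.Prefix)
		}
		if i > 0 && !(parent.Contains(c.Prefix.Addr()) && c.Prefix.Bits() >= parent.Bits()) {
			return parent, nil, fmt.Errorf("link %d: %s is not within %s", i, c.Prefix, parent)
		}
		parent, signer = c.Prefix, c.Holder
	}
	return parent, signer, nil
}

// Hop: the last AS in "path" attests that it forwards this prefix, with that
// path, to AS "To". One hop per AS gives signatures over the whole path.
type Hop struct {
	From, To uint32
	Sig      []byte
}

func hopBytes(p netip.Prefix, path []uint32, to uint32) []byte {
	return []byte(fmt.Sprintf("%s|%v|%d", p.Masked(), path, to))
}

func signHop(key ed25519.PrivateKey, p netip.Prefix, path []uint32, to uint32) Hop {
	return Hop{path[len(path)-1], to, ed25519.Sign(key, hopBytes(p, path, to))}
}

// verifyUpdate checks an announcement the way receiving AS "me" would: the
// origin must hold the leaf of a valid address chain, and every hop must be
// signed by the key registered for that AS over the path as it then stood.
func verifyUpdate(rir ed25519.PublicKey, asKeys map[uint32]ed25519.PublicKey, chain []AddrCert, hops []Hop, me uint32) error {
	prefix, originKey, err := verifyAddrChain(rir, chain)
	if err != nil {
		return err
	}
	if len(hops) == 0 {
		return fmt.Errorf("no path signatures")
	}
	if !originKey.Equal(asKeys[hops[0].From]) { // one key per AS in this example
		return fmt.Errorf("AS%d is not authorised to originate %s", hops[0].From, prefix)
	}
	var path []uint32
	for i, h := range hops {
		path = append(path, h.From)
		if k, ok := asKeys[h.From]; !ok || !ed25519.Verify(k, hopBytes(prefix, path, h.To), h.Sig) {
			return fmt.Errorf("hop %d: bad signature from AS%d", i, h.From)
		}
		next := me
		if i+1 < len(hops) {
			next = hops[i+1].From
		}
		if h.To != next { // a spliced or shortened path is caught here
			return fmt.Errorf("hop %d: AS%d signed for AS%d, but AS%d forwarded it", i, h.From, h.To, next)
		}
	}
	return nil
}

// demo builds RIR -> ISP (AS64500) -> customer (AS64501) and checks an honest
// two-hop announcement, a hijack by AS64666, and a SWIP outside the ISP's block.
func demo() (honest, hijack, badSwip error) {
	gen := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored for brevity
		return pub, priv
	}
	rirPub, rirPriv := gen()
	ispPub, ispPriv := gen()
	custPub, custPriv := gen()
	roguePub, roguePriv := gen()
	keys := map[uint32]ed25519.PublicKey{64500: ispPub, 64501: custPub, 64666: roguePub}
	block := netip.MustParsePrefix("192.0.2.0/24") // constructed data: documentation prefixes
	sub := netip.MustParsePrefix("192.0.2.128/25")
	chain := []AddrCert{issueCert(rirPriv, block, ispPub), issueCert(ispPriv, sub, custPub)}
	hops := []Hop{signHop(custPriv, sub, []uint32{64501}, 64500), signHop(ispPriv, sub, []uint32{64501, 64500}, 64502)}
	honest = verifyUpdate(rirPub, keys, chain, hops, 64502)
	rogue := []Hop{signHop(roguePriv, sub, []uint32{64666}, 64502)}
	hijack = verifyUpdate(rirPub, keys, chain, rogue, 64502)
	badChain := []AddrCert{chain[0], issueCert(ispPriv, netip.MustParsePrefix("198.51.100.0/24"), custPub)}
	badSwip = verifyUpdate(rirPub, keys, badChain, hops, 64502)
	return
}

func main() {
	honest, hijack, badSwip := demo()
	fmt.Println("honest:", honest, "\nhijack:", hijack, "\nbad SWIP:", badSwip)
}
```

The hijack fails at the origin check, not at a signature check: the rogue AS can attach the customer's perfectly valid certificate chain to its UPDATE, but it cannot produce the origin hop under the leaf holder's key. The bad SWIP fails inside the chain walk even though the ISP's signature is genuine, because authorization is checked structurally (the sub-block must sit inside the parent block), which is exactly the "dubious old allocation data" problem the thread raises: the scheme is only as good as what the RIR root actually certifies.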