Do Not Complicate Routing Security with Voodoo Economics

[ http://archive.psg.com/110904.broadside.html ]

  Do Not Complicate Routing Security with Voodoo Economics
            a broadside

A recent NANOG presentation and SIGCOMM paper by Gill, Schapira, and
Goldberg[1] drew a lot of 'discussion' from the floor. But that
discussion missed significant problems with this work. I raise this
because of fear that uncritical acceptance of this work will be used as
the basis for others' work, or worse, misguided public policy.

o The ISP economic and incentive model is overly naive to the point of
   being misleading,
o The security threat model is unrealistic and misguided, and
o The simulations are questionable.

Basic ISP economics are quite different from those described by the
authors. Above the tail links to paying customers, the expenses of
inter-provider traffic are often higher than the income, thanks to the
telcos' race to the bottom. In this counter-intuitive world, transit
can often be cheaper than peering. I.e. history shows that in the rare
cases where providers have been inclined to such games, they usually
shed traffic not stole it, the opposite of what the paper presumes. The
paper also completely ignores the rise of the content providers as
described so well in SIGCOMM 2010 by Labovitz et alia[2].

It is not clear how to ‘fix’ the economic model, especially as [3] says
you can not do so with rigor. Once one starts, e.g. the paper may lack
Tier-N peering richness which is believed to be at the edges, we have
bought into the game for which there is no clear end.

But this is irrelevant, what will motivate deployment of BGP security is
not provider traffic-shifting. BGP security is, as its name indicates,
about security, preventing data stealing (think banking
transactions[4]), keeping miscreants from originating address space of
others (think YouTube incident) or as attack/spam sources, etc.

The largest obstacle to deployment of BGP security is that the
technology being deployed, RPKI-based origin validation and later
BGPsec, are based on an X.509 certificate hierarchy, the RPKI. This
radically changes the current inter-ISP web of trust model to one having
ISPs' routing at the mercy of the Regional Internet Registries (RIRs).
Will the benefits of security - no more YouTube incidents, etc. - be
perceived as worth having one's routing at the whim of a
non-operational administrative monopoly? Perhaps this is the real
economic game here, and will cause a change in the relationship between
the operators and the RIR cartel.

The paper's simulations really should be shown not to rely on the
popular but highly problematic[3] Gao-Rexford model of inter-provider
relationships, that providers prefer customers over peers (in fact, a
number of global Tier-1 providers have preferred peers for decades), and
that relationships are valley free, which also has significant
exceptions. Yet these invalid assumptions may underpin the simulation
results.
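
Added example, not part of the original post or the paper: the two Gao-Rexford assumptions named above (customer-over-peer preference, valley-free paths) written as code, to show how one changed preference order changes the route a simulated AS selects. The topology, the documentation-range ASNs, the peer-first ordering and the tie-break are constructed assumptions.

```python
"""Gao-Rexford assumptions as code (added example; topology is constructed).
ASNs come from the documentation range, not from the paper or the thread."""

LINKS = [(64496, 64500), (64497, 64501),   # (provider, customer)
         (64500, 64510), (64501, 64510)]   # 64510 is multihomed
PEERS = [(64496, 64497), (64500, 64501)]


def build_rel(links, peers):
    """rel[(a, b)] is the role neighbor b plays for a."""
    rel = {}
    for prov, cust in links:
        rel[(prov, cust)] = "customer"
        rel[(cust, prov)] = "provider"
    for a, b in peers:
        rel[(a, b)] = rel[(b, a)] = "peer"
    return rel


REL = build_rel(LINKS, PEERS)


def is_valley_free(path, rel=REL):
    """Forwarding path, source first: uphill*, at most one peer link, downhill*."""
    phase = 0  # 0 = still climbing, 1 = crossed the peer link, 2 = descending
    for a, b in zip(path, path[1:]):
        role = rel.get((a, b))
        if role is None:
            return False  # the two ASes are not adjacent
        if role in ("provider", "peer") and phase != 0:
            return False  # going up or sideways after the peak is a valley
        phase = {"provider": 0, "peer": 1, "customer": 2}[role]
    return True


GAO_REXFORD = ("customer", "peer", "provider")
PEER_FIRST = ("peer", "customer", "provider")  # assumed peer-preferring order


def best_route(local_as, candidates, order, rel=REL):
    """Choose among AS paths (next hop first): neighbor class by `order`,
    then shortest path, then lowest next-hop ASN (assumed tie-break)."""
    return min(candidates,
               key=lambda p: (order.index(rel[(local_as, p[0])]), len(p), p[0]))


if __name__ == "__main__":
    routes = [[64500, 64510], [64497, 64501, 64510]]  # 64496's routes to 64510
    for name, order in (("Gao-Rexford", GAO_REXFORD), ("peer-first", PEER_FIRST)):
        print(name, "->", best_route(64496, routes, order))
```

Both candidate routes are valley-free, so the only thing that moves the result is the preference order fed to the selection step.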

Given recent events in SSL CA-land, how certain are we that the putative security benefits are all that great? Not to mention the near-certainty of a BGP version of 'PROTECT IP', once the mechanisms are in place.

Same applies to DNSSEC, of course.

Well said Randy - the previous paper is flawed and if the findings were true you would wonder how anyone ever created a viable online business.

Neil

the previous paper is flawed and if the findings were true you would
wonder how anyone ever created a viable online business.

to be honest, what set me off was

   http://transition.fcc.gov/pshs/advisory/csric3/wg-descriptions_v1

describing, among others, a routing working group of an fcc
"communications security, reliability and interoperability council"

i.e. these folk plan to write policy and procedures for operators, not
just write publish or perish papers.

randy

the previous paper is flawed and if the findings were true you would
wonder how anyone ever created a viable online business.

to be honest, what set me off was

   http://transition.fcc.gov/pshs/advisory/csric3/wg-descriptions_v1

describing, among others, a routing working group of an fcc
"communications security, reliability and interoperability council"

i.e. these folk plan to write policy and procedures for operators, not
just write publish or perish papers.

apologies. dorn caught my error

http://transition.fcc.gov/pshs/advisory/csric3/wg-descriptions_v1.pdf

randy

Mostly excellent thoughts, well documented. I have a question about this statement though:

in fact, a number of global Tier-1 providers have preferred peers for decades

I assume you mean for a very limited subset of their customers? I've checked routing on well over half the transit free networks on the planet, and for the small number of customers I was researching, they definitely preferred customer routes over peering.

I have worked for more than one transit free network, and have worked with people from (most) of the rest, we always prefer cust over peer, every time.

-jim

I have worked for more than one transit free network, and have worked
with people from (most) of the rest, we always prefer cust over peer,
every time.

again, more than one of the world's largest providers prefer peers. and
even if they wanted to change, it would be horribly anti-pola to the
affected customers, like white hot wires. and one just does not do that
to customers.

randy

I repeat, you are obviously talking about a small subset of customers, right? Please clarify.

Because I know customers of all 14 transit free networks, and these customers all believe the network is preferring their routes unless the customer sends a community to override that preference.

Presumably you can change that behaviour with communities?

While I can think of some corner cases for this, i.e. you have a
satellite down link from one provider and fiber to another. I expect
this is not the norm for most networks/customers.

-jim

to be honest, what set me off was

   http://transition.fcc.gov/pshs/advisory/csric3/wg-descriptions_v1

describing, among others, a routing working group of an fcc
"communications security, reliability and interoperability council"

i.e. these folk plan to write policy and procedures for operators, not
just write publish or perish papers.

apologies. dorn caught my error

http://transition.fcc.gov/pshs/advisory/csric3/wg-descriptions_v1.pdf

As one of the co-chairs of this working group, I'd like to chime in to clarify the purpose of this group. Our goal is to assemble a group of vendors and operators (not "publish or perish" academics) to discuss and recommend effective strategies for incremental deployment of security solutions for BGP (e.g., such as the ongoing RPKI and BGP-SEC work). It is not to design new security protocols or to "write policy and procedures for operators" -- that would of course be over-reaching and presumptuous. The goal is specifically to identify strategies for incremental deployment of the solutions designed and evaluated by the appropriate technical groups (e.g., IETF working groups). And, while the SIGCOMM paper you mention is an example of such a strategy, it is just one single example -- and is by no means the recommendation of a group that is not yet even fully assembled yet. The working group will debate and discuss a great many issues before suggesting any strategies, and those strategies would be the output of the entire working group.

<tongue in cheek> As for "publish or perish" academics, I doubt you'll find that the small set of academics who choose to go knee deep into operational issues do so because they are trying to optimize their academic careers... :wink: </tongue in cheek>

-- Jen

Jen,
What operators are involved? And who represents them specifically?

Neil.

Neil,

The group is being assembled right now, so we don't have a list as of yet.

-- Jen

maybe volunteers from the nanog community should contact you?

As one of the co-chairs of this working group, I'd like to chime in to
clarify the purpose of this group. Our goal is to assemble a group of
vendors and operators (not "publish or perish" academics) to discuss and
recommend effective strategies for incremental deployment of security
solutions for BGP (e.g., such as the ongoing RPKI and BGP-SEC work). It
is not to design new security protocols or to "write policy and
procedures for operators"

    This Working Group will recommend the framework for an industry
    agreement regarding the adoption of secure routing procedures and
    protocols based on existing work in industry and research. The
    framework will include specific technical procedures and protocols. The
    framework will be proposed in a way suitable for opt-in by large
    Internet Service Providers...

randy

While I can think of some corner cases for this, i.e. you have a
satellite down link from one provider and fiber to another. I expect
this is not the norm for most networks/customers.

what is it you do not understand about "more than one of the world's
largest providers?" not in corner cases, but as core policy.

randy

+1

-Tk

Randy,

Yes, as the brief write-up says, the group will make "recommendations regarding the adoption" (e.g., suggesting effective strategies for incremental deployment) of "procedures and protocols based on existing work" (e.g., RPKI, BGP-SEC, etc.). In any case, if our current wording is unclear, we can easily revise it to clarify our goals.

-- Jen

Because routing to peers as a policy instead of customer as a matter
of policy, outside of corner cases make logical sense. While many
providers aren't good at making money it is in fact the purpose of the
ventures. If I route to a customer I get paid for it. If I send it
to a peer I do not.