On 06/03/2015 04:27 AM, Roland Dobbins wrote:
> (not to mention the enumeration and enhanced DDoS impact of packeting routers doing crypto for their BGP sessions and which aren't protected via iACLs/GTSM).
Could you elaborate on your enumeration and DDoS concerns?

If you're concerned about the public finding out exactly how many routers you have because you've published one BGPsec router key per router, you can choose to use the same router key on multiple routers.

If you're concerned about all the crypto work overloading a router, the plan (as far as I've heard) is for the routers to do the BGPsec crypto work in the background as a low priority. I.e., incoming signed routes will initially be treated like unsigned routes, and the BGPsec validation will be kicked off in the background. Once the validation is complete, then routing decisions can be made based on the BGPsec validity.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
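The deferred-validation scheme described in the reply above (install a signed route as if it were unsigned, verify it later at low priority, then re-run path selection once the result is known), as an added illustration that is not code from this thread or from any router implementation. The HMAC-based `sign`/verify pair is a constructed stand-in for a real BGPsec signature check, the `ROUTER_KEYS` table stands in for keys a router would obtain via RPKI, and the local-pref values and the `budget` knob on the background worker are assumptions chosen for the example.

```python
"""Background BGPsec validation sketch (added example, not from the thread).

The point is the scheduling: the update path never blocks on crypto, and
validity only influences best-path selection after the low-priority
worker has run.  Signature checking is simulated with an HMAC stand-in.
"""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass

# Constructed keys for two origin ASes; a real router would fetch router
# public keys from the RPKI rather than keep a local table.
ROUTER_KEYS = {65001: b"key-for-as65001", 65002: b"key-for-as65002"}

# Assumed policy values: a route that verifies gets a bump, an unverified
# (deferred) route is treated exactly like an unsigned one.
LOCAL_PREF_UNSIGNED = 100
LOCAL_PREF_VALID = 110


def sign(origin_as, prefix, key):
    """Constructed stand-in for a BGPsec signature over (prefix, origin AS)."""
    return hmac.new(key, f"{origin_as}:{prefix}".encode(), hashlib.sha256).digest()


@dataclass
class Route:
    prefix: str
    origin_as: int
    signature: bytes
    state: str = "deferred"            # deferred -> valid | invalid
    local_pref: int = LOCAL_PREF_UNSIGNED


class Rib:
    def __init__(self):
        self.routes = {}                # prefix -> [Route, ...] in arrival order
        self.pending = deque()          # low-priority validation queue

    def receive(self, route):
        """Fast path: install immediately as if unsigned, queue the crypto work."""
        self.routes.setdefault(route.prefix, []).append(route)
        self.pending.append(route)

    def best(self, prefix):
        """Best path: drop invalid routes, prefer higher local-pref, then oldest."""
        candidates = [
            (r.local_pref, -i, r)
            for i, r in enumerate(self.routes.get(prefix, []))
            if r.state != "invalid"
        ]
        if not candidates:
            return None
        return max(candidates, key=lambda t: (t[0], t[1]))[2]

    def validate_pending(self, budget=1):
        """Background worker: verify at most `budget` queued routes per call.

        On a real router this would run only when there are spare cycles, so a
        flood of signed updates cannot starve the control plane.
        """
        done = 0
        while self.pending and done < budget:
            r = self.pending.popleft()
            key = ROUTER_KEYS.get(r.origin_as)
            ok = key is not None and hmac.compare_digest(
                sign(r.origin_as, r.prefix, key), r.signature
            )
            r.state = "valid" if ok else "invalid"
            if ok:
                r.local_pref = LOCAL_PREF_VALID
            done += 1
        return done


def demo():
    """Walk through one prefix: a forged route arrives first, a genuine one second."""
    rib = Rib()
    prefix = "192.0.2.0/24"
    forged = Route(prefix, 65002, b"\x00" * 32)
    genuine = Route(prefix, 65001, sign(65001, prefix, ROUTER_KEYS[65001]))
    rib.receive(forged)
    rib.receive(genuine)
    before = rib.best(prefix)           # both still deferred: oldest wins
    rib.validate_pending(budget=2)      # background work catches up
    after = rib.best(prefix)            # validity now drives selection
    return before, after, forged.state, genuine.state


if __name__ == "__main__":
    b, a, fs, gs = demo()
    print("before validation:", b.origin_as, "after:", a.origin_as, fs, gs)
```

Note the failure mode the deferral creates: until the worker runs, a forged signed route is just as good as an unsigned one, so the window between `receive` and `validate_pending` is bounded only by how starved the low-priority task is.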