On Sun, Feb 24, 2008 at 10:49 PM, Sean Donelan <sean@donelan.com> wrote:
On Mon, 25 Feb 2008, Steven M. Bellovin wrote:
How about state-of-the-art routing security?
The problem is what is the actual trust model?
Are you trusting some authority to not be malicious or never make a mistake?
There are several answers to the malicious problem.
There are fewer answers to never making a mistake problem.
[snip] +5, Insightful. The focus thus far seems to have been on establishing security on the basis of trusted senders (SPF for BGP, if you'll pardon my rather crude analogy). The impact of a mistake-based failure in a trusted scenario could actually be quite a bit higher than what we've seen thus far: 1) if data (e.g. routes) from a "trusted" source is allowed into a network (or used as a basis for decision-making) with minimal screening, attackers will immediately shift focus to spoofing trusted sources, just as they currently do in other scenarios; 2) the impact of a typo or other operator error when operating in "trusted mode" is much higher than that of mistakes from non-trusted sources (if 17557's upstream had trusted a little less - by not automatically propagating any new routes that showed up at the front door - the current incident could very well have amounted to little more than a log entry somewhere, and perhaps an email). I think what you and Steve Bellovin had to say about anti-mistake protocol and belt-and-suspenders should be garnering at least as much consideration as prevention of malicious attacks/forgeries/etc., considering the percentage of outages caused by operator error vs those caused by malice ... -- darkuncle@{gmail.com,darkuncle.net} || 0x5537F527 http://darkuncle.net/pubkey.asc for public key