Re: Heads up: Long AS-sets announced in the next few days
On Thu, 2005-03-03 at 20:27 +1100, Geoff Huston wrote:
On 2005-03-02, at 19.38, James A. T. Rice wrote:
This seems to suggest that you are just picking ASns at random to inject into the paths, and that you don't have a set of ASs which you have the assignees permission to use.
Would't this then actually equate to resource hijacking along the lines of prefix hijacking? Who will be the first to hit the RIRs?
Isn't this a case of illustrating how easy it is to tell lies in BGP today? I don't see what hitting the RIRs has do to with this. The problem appears to be more basic than that - its just too easy to tell lies in BGP and get the lies propagated globally.
I am probably telling you what you already know, but for the ones who don't know it yet: Secure BGP (S-BGP): http://www.ir.bbn.com/projects/s-bgp/ http://www.nanog.org/mtg-0306/pdf/bellovinsbgp.pdf http://www.nwfusion.com/details/6484.html?def and of course the sister by amongst others Cisco: Secure Origin BGP (SO-BGP): http://bgp.potaroo.net/ietf/idref/ draft-ng-sobgp-bgp-extensions/ http://www.nwfusion.com/details/6485.html http://www.nanog.org/mtg-0306/pdf/alvaro.pdf etc... most people know how to google I guess ;) Aka BGP with certificates and other nice tricks. Greets, Jeroen
I am probably telling you what you already know, but for the ones who don't know it yet:
Secure BGP (S-BGP): http://www.ir.bbn.com/projects/s-bgp/ http://www.nanog.org/mtg-0306/pdf/bellovinsbgp.pdf http://www.nwfusion.com/details/6484.html?def
and of course the sister by amongst others Cisco:
Secure Origin BGP (SO-BGP): http://bgp.potaroo.net/ietf/idref/ draft-ng-sobgp-bgp-extensions/ http://www.nwfusion.com/details/6485.html http://www.nanog.org/mtg-0306/pdf/alvaro.pdf
etc... most people know how to google I guess ;)
Aka BGP with certificates and other nice tricks.
And, of course, the RPSEC working group draft that is supposed to target the BGP requirements for those proposed systems is... http://www.ietf.org/internet-drafts/draft-ietf-rpsec-bgpsecrec-01.txt The folks who worked on S-BGP and SO-BGP participated in it's creation (as well as several operators). Please note that there are more than just two proposed mechanisms for securing BGP. The two mentioned above are just the most popular <grin>.
On Thu, 2005-03-03 at 13:51 -0500, Blaine Christian wrote:
And, of course, the RPSEC working group draft that is supposed to target the BGP requirements for those proposed systems is...
http://www.ietf.org/internet-drafts/draft-ietf-rpsec-bgpsecrec-01.txt
The folks who worked on S-BGP and SO-BGP participated in it's creation (as well as several operators). Please note that there are more than just two proposed mechanisms for securing BGP. The two mentioned above are just the most popular <grin>.
Thanks for the new reading material, I had not seen that one yet... *print* will be a nice read (hmmm, actually I should swear at you for even more reading material, for which I have no time, oh well :) Greets, Jeroen
participants (2)
-
Blaine Christian
-
Jeroen Massar