On Sun, 23 Aug 2020 12:40:19 +0000 Dovid Bender <dovid@telecurve.com> wrote:
Ok. So here is another n00b question. Why don't we have something where when we advertise IP space we also pass along a cert [...]
Take a look at:
Stephen Kent, Charles Lynn, and Karen Seo. 2000. Secure border gateway protocol (S-BGP). IEEE Journal on Selected areas in Communications 18, 4 (2000), 582–592.
and
Russ White. 2003. Securing BGP: soBGP. Internet Protocol Journal 6, 3 (Sept. 2003), 15–22.
Two precursors to the system we have today. Both proposed some form of including PKI-related matter in BGP messages. Neither system gained much actual traction outside of the design phase as far as I know. Some might suggest that a lot of time was spent debating how to do it with little actual progress or experimentation done. The current approach has echoes of those ideas with the obvious difference as you imply, it is independent from BGP. This poses some challenges to providing a complete solution, but was probably necessary for deployment and might prove useful if something other than BGP wants to use it.
John
John,
Two precursors to the system we have today.
I would not say that either S-BGP or so-BGP were precursors to BGP origin validation (I am assuming this is what you are referring to as "system we have today"). If I recall, securing BGP and validating src ASN were independent projects both aiming at completely different goals. Former was to assure no one could hijack your prefixes along the path and latter to detect someone fat fingering your prefix or ASN.
Thx, R.
On Mon, Aug 24, 2020 at 2:43 PM John Kristoff <jtk@depaul.edu> wrote:
On Sun, 23 Aug 2020 12:40:19 +0000 Dovid Bender <dovid@telecurve.com> wrote:
Ok. So here is another n00b question. Why don't we have something where when we advertise IP space we also pass along a cert [...]
Take a look at:
Stephen Kent, Charles Lynn, and Karen Seo. 2000. Secure border gateway protocol (S-BGP). IEEE Journal on Selected areas in Communications 18, 4 (2000), 582–592.
and
Russ White. 2003. Securing BGP: soBGP. Internet Protocol Journal 6, 3 (Sept. 2003), 15–22.
Two precursors to the system we have today. Both proposed some form of including PKI-related matter in BGP messages. Neither system gained much actual traction outside of the design phase as far as I know. Some might suggest that a lot of time was spent debating how to do it with little actual progress or experimentation done. The current approach has echoes of those ideas with the obvious difference as you imply, it is independent from BGP. This poses some challenges to providing a complete solution, but was probably necessary for deployment and might prove useful if something other than BGP wants to use it.
John
Some might suggest that a lot of time was spent debating how to do it with little actual progress or experimentation done.
this is the internet. some have suggested pretty much anything.
for the historians in the audience, the first s-bgp, what we would now call testathon i guess, was held at u oregon, on the side of the eugene nanog in either 1999 or 2000. a few large isps, bbn folk, ... this was where ops met crypto theorists and started s-bgp's evolution into the separate threads of rpki, rov, and bgpsec.
randy
participants (3)
- John Kristoff
- Randy Bush
- Robert Raszuk