Re: BGP to doom us all

2003-04-03 Thread Randy Bush
From: Stephen Kent [EMAIL PROTECTED] Subject: Re: BGP to doom us all Date: Wed, 2 Apr 2003 18:15:05 -0500 Folks, I was not subscribed to the workshop list when Randy forwarded this message at the beginning of last month. However, I would like to respond to the issues raised in the text. Steve

Re: Who uses RADB? [was BGP to doom us all]

2003-03-08 Thread bdragon
You forgot the other one - expense. AFAIK all of the registries have fees or require you to be a customer. If there is no operational value for me why would I want to spend the money? I realize most of you work for companies that consider a million dollars chump change but that is not the

Re: Who uses RADB? [was BGP to doom us all]

2003-03-05 Thread leo vegoda
Mark Radabaugh [EMAIL PROTECTED] writes: [...] You forgot the other one - expense. AFAIK all of the registries have fees or require you to be a customer. If there is no operational value for me why would I want to spend the money? I realize most of you work for companies that consider a

Re: BGP to doom us all

2003-03-04 Thread Michael . Dillon
U it's nice to be able to change routing information in a timely fashion without needing intensive therapy afterward. The idea isn't inherently bad, but I'd not want the current ARIN acting as a route registry. How would you feel about ARIN being the root of a registry hierarchy

Re: BGP to doom us all

2003-03-04 Thread Iljitsch van Beijnum
On Tuesday, Mar 4, 2003, at 10:26 Europe/Amsterdam, [EMAIL PROTECTED] wrote: How would you feel about ARIN being the root of a registry hierarchy that works similar to the DNS? In that case, ARIN would not necessarily hold the route information, they would just be at the top of the search

Re: BGP to doom us all

2003-03-04 Thread Daniel Karrenberg
On 28.02 18:13, Barry Raveendran Greene wrote: Now - show me an operational environment on the Internet where this authorization chain is _working_ today. RIRs and RADB do not count. As you mention before, those databases and keeping them up to date are a pulling teeth exercise. ... My

Re: BGP to doom us all

2003-03-03 Thread Michael . Dillon
I like the idea of people being able to START on the authentication database of ownership/announcement in a distributed fashion, but perhaps there are other ways (perhaps DNS-based) of getting there as well... Yes there are other ways and I suggest that the optimal choice of protocol for

Re: BGP to doom us all

2003-03-03 Thread Stephane Bortzmeyer
On Mon, Mar 03, 2003 at 11:53:51AM +, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote a message of 55 lines which said: Yes there are other ways and I suggest that the optimal choice of protocol for publishing this information is LDAP, not DNS. ... Next step is to get ISPs to replace their

Re: BGP to doom us all

2003-03-03 Thread Jack Bates
From: Avi Freedman Router CPUs average 50%, and S-BG adds 10% (paraphrase) Average is somewhat less relevant than common peaks. GSRs and 7500s and 7200s all get up there at 90+% on the real Internet. I agree. I have a tricked 7200 managing 3 peers. Normal traffic utilization rate is 30%

RE: BGP to doom us all

2003-03-03 Thread St. Clair, James
Good point, Sean. The problem is the business process and the risk to the process, vs. the cost to fix it. Jim -Original Message- From: Sean Donelan [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 7:25 PM To: '[EMAIL PROTECTED]' Subject: Re: BGP to doom us all On Fri, 28

Re: BGP to doom us all

2003-03-03 Thread bmanning
I believe that LDAP can be the core of this toolset. --Michael Dillon Why not put everything into a MySQL db? :) LDAP is a fine tool but it was not designed to do some of the things that other tools do. We are not yet at the point where all we have the

RE: BGP to doom us all

2003-03-03 Thread Kuhtz, Christian
Why not? Can you be more specific as to why you think that LDAP is not suitable? Thanks, Christian I believe that LDAP can be the core of this toolset. --Michael Dillon Why not put everything into a MySQL db? :) LDAP is a fine tool but it was not designed to do some

Re: Who uses RADB? [was BGP to doom us all]

2003-03-03 Thread lhoward
[EMAIL PROTECTED] To: Joe Abley [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: Who uses RADB? [was BGP to doom us all] --- Joe Abley [EMAIL PROTECTED] wrote: Generating route filters from the IRR via a small lump of script has the potential to be cheaper, quicker, more efficient

Re: BGP to doom us all

2003-03-03 Thread bmanning
Too many features layered on a single tool. Haq the tool and the dependencies will cripple your service offering. Now I don't want to say that you can't do this on your own, I am uncomfortable with such tactics being promoted as the one true way

Re: Who uses RADB? [was BGP to doom us all]

2003-03-03 Thread David Barak
I'm thrilled to hear that that project is being picked up again. The long-term benefits (IMO) are worth the non-trivial amount of effort required to make a functioning solution. --- [EMAIL PROTECTED] wrote: Very subtle, David. As it happens, somebody asked only last week if they could take

Re: BGP to doom us all

2003-03-03 Thread Michael . Dillon
I believe that LDAP can be the core of this toolset. Why not put everything into a MySQL db? :) Arrgghhh!!! he yells running and screaming in horror... Of all the example products you could have chosen to represent database software, why on earth did you choose this abomination. Is it a

Re: Who uses RADB? [was BGP to doom us all]

2003-03-03 Thread Sean Donelan
On Mon, 3 Mar 2003 [EMAIL PROTECTED] wrote: Very subtle, David. As it happens, somebody asked only last week if they could take up the project again. For those who think mapping filters to route objects is nigh trivial, there is a significant difference between network assignees and routes.

Re: BGP to doom us all

2003-03-03 Thread Michael . Dillon
Too many features layered on a single tool. Haq the tool and the dependencies will cripple your service offering. LDAP is not a tool, it is a protocol that can be used by many tools to communicate in the same way that many servers (BIND, NSD, DJBDNS, MS-DNS, QuickDNS) can use the DNS

Re: BGP to doom us all

2003-03-03 Thread Jack Bates
From: Avi Freedman snip : Why don't SWIP forms include Origin-AS? Ahem. Origin-AS(s) - plural. Agreed - mildly. Of course, SWIP isn't updated when delegation info changes, so origin AS(s) would get just as stale as contact info. If networks are filtering based on SWIP information, it

Re: BGP to doom us all

2003-03-03 Thread Michael . Dillon
It has to be separate from SWIP though, as rwhois servers don't issue SWIP. This is basically where I started thinking about LDAP. If rwhois doesn't do the job, then we could either fix/enhance rwhois or move to something else. Anyone who has ever delved into the internals of rwhoisd knows

Re: BGP to doom us all

2003-03-03 Thread David Conrad
On Monday, March 3, 2003, at 06:52 AM, Kuhtz, Christian wrote: Why not? Well, it depends on what you want to use LDAP for. For example, take a naive approach: your router crashes. It comes back up. It receives 130,000 prefixes that it needs to validate. For each prefix, your router must do

RE: Who uses RADB? [was BGP to doom us all]

2003-03-03 Thread Jim Deleskie
RADB? [was BGP to doom us all] Who actually uses RADB to build filters other than Verio? While my experience with other providers is limited Verio is the only one (of the ones we have used) who used RADB entries for BGP peers. Level3 do at least. Most European providers do

Re: Who uses RADB? [was BGP to doom us all]

2003-03-03 Thread Danny McPherson
Yes, at iMCI (we) had our own registry, MCI-RR, but we only used it (in addition to data from the other IRRs) to generate customer prefix filters, not peers. Cable Wireless still uses the RR, now known as CW-RR. -danny As I remember and I could be wrong, its been a few years now, when I

Re: BGP to doom us all

2003-03-03 Thread Michael . Dillon
For example, take a naive approach: your router crashes. It comes back up. It receives 130,000 prefixes that it needs to validate. For each prefix, your router must do an LDAP query. Then take a smarter approach: your router crashes. It comes back up and your network management system

RE: Who uses RADB? [was BGP to doom us all]

2003-03-03 Thread Jim Deleskie
:59 AM To: [EMAIL PROTECTED] Subject: Re: Who uses RADB? [was BGP to doom us all] Yes, at iMCI (we) had our own registry, MCI-RR, but we only used it (in addition to data from the other IRRs) to generate customer prefix filters, not peers. Cable Wireless still uses the RR, now known as CW-RR

Re: BGP to doom us all

2003-03-03 Thread E.B. Dreger
JB Date: Mon, 3 Mar 2003 09:45:37 -0600 JB From: Jack Bates JB Personally, I think ARIN handling routing information is an JB excellent idea. It has to be separate from SWIP though, as U it's nice to be able to change routing information in a timely fashion without needing intensive

Re: BGP to doom us all

2003-03-02 Thread Avi Freedman
In article [EMAIL PROTECTED] The Great Sean wrote: : I'll be stupid, and ask some questions I've always wondered about. : Why should routes learned by eBGP have a higher priority than iBGP? Love to know myself. Took me a few years to figure out why the strange iBGP redistribution rules

Re: BGP to doom us all

2003-03-02 Thread Iljitsch van Beijnum
On Sun, 2 Mar 2003, Avi Freedman wrote: In article [EMAIL PROTECTED] The Great Sean wrote: ^^ : I'll be stupid, and ask some questions I've always wondered about. : Why should routes learned by eBGP have a higher priority than

Re: BGP to doom us all

2003-03-02 Thread Christopher L. Morrow
On Fri, 28 Feb 2003, Vadim Antonov wrote: Thank you very much, but no. DNS (and DNSSEC) relies on working IP transport for its operation. Doesn't sBGP also have this problem? A catch-22 where you have to have good routing to get good routing? Or did I miss something? Now you

Re: Who uses RADB? [was BGP to doom us all]

2003-03-02 Thread Joe Abley
On Saturday, Mar 1, 2003, at 11:28 America/Vancouver, [EMAIL PROTECTED] wrote: It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains you pay for your IPs you pay for your ASN you pay for your SSL, so why be shocked you pay a little for this too?

Re: Who uses RADB? [was BGP to doom us all]

2003-03-02 Thread Joe Abley
On Sunday, Mar 2, 2003, at 14:06 America/Vancouver, [EMAIL PROTECTED] wrote: It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains you pay for your IPs you pay for your ASN you pay for your SSL, so why be shocked you pay a little for this too?

Re: Who uses RADB? [was BGP to doom us all]

2003-03-02 Thread David Barak
--- Joe Abley [EMAIL PROTECTED] wrote: Generating route filters from the IRR via a small lump of script has the potential to be cheaper, quicker, more efficient and less customer-enraging than the common alternative approach of opening six different tickets with the NOC and sacrificing

Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Mark Radabaugh
No, the lazy operational implementations of how people deploy BGP in their networks will be the downfall of the Internet. I see on a daily basis, wrong announcements, route leaks tripping max-prefixes, RADB entries that are either totally out of date, completely wrong or for some large

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Neil J. McRae
Who actually uses RADB to build filters other than Verio? While my experience with other providers is limited Verio is the only one (of the ones we have used) who used RADB entries for BGP peers. Level3 do at least. Most European providers do. Neil.

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Danny McPherson
Who actually uses RADB to build filters other than Verio? While my experience with other providers is limited Verio is the only one (of the ones we have used) who used RADB entries for BGP peers. Level3 do at least. Most European providers do. For customers, though not inter-provider.

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Danny McPherson
as you say for customers only. Inter-provider we have basic bogon checking plus maximum prefix. It's too unwieldy to build when you have peers exchanging thousands of routes... there's a belief that the peer should be behaving responsibly though and this is a condition of most bilateral

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Mark Radabaugh
So, let's recap why no one uses them (as many have said already in the related thread): Laziness. The same laziness that results in the slew of other things many folks have pointed out not being addressed. -danny You forgot the other one - expense. AFAIK all of the registries have fees

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Stephen J. Wilcox
On Sat, 1 Mar 2003, Mark Radabaugh wrote: So, let's recap why no one uses them (as many have said already in the related thread): Laziness. The same laziness that results in the slew of other things many folks have pointed out not being addressed. -danny You forgot the other one

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Danny McPherson
You forgot the other one - expense. AFAIK all of the registries have fees or require you to be a customer. If there is no operational value First problem, you see no operational value. for me why would I want to spend the money? Money changing hands no longer makes the IRR a

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Mark Radabaugh
It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains you pay for your IPs you pay for your ASN you pay for your SSL, so why be shocked you pay a little for this too? And if everyone filters your prefixes that will be operational value enough to

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread jlewis
On Sat, 1 Mar 2003, Mark Radabaugh wrote: Who actually uses RADB to build filters other than Verio? While my experience with other providers is limited Verio is the only one (of the ones we have used) who used RADB entries for BGP peers. AFAIK, Level3 and CW. I have to keep RADB entries

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread alex
It doesn't cost a million dollars to have access to a RR, it's somewhat less! You pay for your domains you pay for your IPs you pay for your ASN you pay for your SSL, so why be shocked you pay a little for this too? And if everyone filters your prefixes that will be operational value enough to

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Richard A Steenbergen
On Sat, Mar 01, 2003 at 10:20:43AM -0500, Mark Radabaugh wrote: This is not meant as a complaint toward Verio - I'm simply trying to decide why we should go to the added expense of entering our routes in a RADB. To date I have seen no operational difference between using RADB and not using

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Jeffrey Meltzer
A) Verio provides a free db for its customers They're not the only ones, CWI and Level3 do as well, off the top of my head. B) Altdb is free, and works great That it does, round of applause for Steve :) Jeff -- Jeffrey Meltzer ICS/VillageWorld 631-218-0700 x100

Re: BGP to doom us all

2003-03-01 Thread Iljitsch van Beijnum
On Sat, 1 Mar 2003, Avi Freedman wrote: Re: S-BGP in particular, I think that the analysis on S-BGP has been... limited. Ironic for a security protocol that I haven't seen any real analysis of the effect on router CPUs when *under attack*. I am not saying oh, the authentication will drive

RE: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Michael Hallgren
On Sat, 1 Mar 2003, Mark Radabaugh wrote: Who actually uses RADB to build filters other than Verio? While my experience with other providers is limited Verio is the only one (of the ones we have used) who used RADB entries for BGP peers. AFAIK, Level3 and CW. Teleglobe as well

Re: Who uses RADB? [was BGP to doom us all]

2003-03-01 Thread Jared Mauch
On Sat, Mar 01, 2003 at 11:31:30AM -0500, Mark Radabaugh wrote: So, let's recap why no one uses them (as many have said already in the related thread): Laziness. The same laziness that results in the slew of other things many folks have pointed out not being addressed. -danny

Re: BGP to doom us all

2003-03-01 Thread Andy Dills
On Sun, 2 Mar 2003, Sean Donelan wrote: Why should routes learned by eBGP have a higher priority than iBGP? In general, isn't it better that they pay to carry the traffic across the world on their network, rather than you? Why don't SWIP forms include Origin-AS? Good question...but is it

BGP to doom us all

2003-02-28 Thread Jim Deleskie
http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed Seems the BGP will be the downfall of the internet, the sky is falling the sky is falling

Re: BGP to doom us all

2003-02-28 Thread Bruce Pinsky
Jim Deleskie wrote: http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed Seems the BGP will be the downfall of the internet, the sky is falling the sky is falling What a crock of crap. Knowing who someone is doesn't stop them from causing intentional or unintentional problems. In

RE: BGP to doom us all

2003-02-28 Thread Jim Deleskie
: Friday, February 28, 2003 5:17 PM To: Jim Deleskie Cc: '[EMAIL PROTECTED]' Subject: Re: BGP to doom us all Jim Deleskie wrote: http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed Seems the BGP will be the downfall of the internet, the sky is falling the sky is falling What a crock

Re: BGP to doom us all

2003-02-28 Thread Bruce Pinsky
Jim Deleskie wrote: Bruce, I agree, while we all need to 'do the right thing' and only announce what we are supposed to, we also need to maintain the right level of being paranoid to protect the networks we are responsible for. Right. And so while authentication and encryption of routing protocol

Re: BGP to doom us all

2003-02-28 Thread batz
On Fri, 28 Feb 2003, Bruce Pinsky wrote: :What a crock of crap. Knowing who someone is doesn't stop them from causing :intentional or unintentional problems. In fact, authentication is more likely :to cause people to become complacent wrt their filtering policies. Hey I've :authenticated

Re: BGP to doom us all

2003-02-28 Thread Sean Donelan
On Fri, 28 Feb 2003, Jim Deleskie wrote: http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed Seems the BGP will be the downfall of the internet, the sky is falling the sky is falling Other than pending patents and a cool name Secure BGP, you still have the fundamental problem.

Re: BGP to doom us all

2003-02-28 Thread Bruce Robertson
Secure Garbage(tm). Definitely a great name for a rock band. -- Bruce Robertson, President/CEO +1-775-348-7299 Great Basin Internet Services, Inc. fax: +1-775-348-9412 http://www.greatbasin.net

Re: BGP to doom us all

2003-02-28 Thread Randy Bush
What a crock of crap. Knowing who someone is doesn't stop them from causing intentional or unintentional problems. In fact, authentication is more likely to cause people to become complacent wrt their filtering policies. Hey I've authenticated that router so it's going to only send me

Re: BGP to doom us all

2003-02-28 Thread Randy Bush
http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed actually, the article is not all that far off reality as i see it. the exception being that the ietf has NOT been diligently pursuing sBGP but rather a lot of the effort is going into a 3/4 hack being pushed by vendor laziness. randy

Re: BGP to doom us all

2003-02-28 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Bruce Pinsky writes: Jim Deleskie wrote: http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed Seems the BGP will be the downfall of the internet, the sky is falling the sky is falling What a crock of crap. Knowing who someone is doesn't stop them

Re: BGP to doom us all

2003-02-28 Thread batz
On Fri, 28 Feb 2003, Randy Bush wrote: :actually, the article is not all that far off reality as i see it. :the exception being that the ietf has NOT been diligently pursuing :sBGP but rather a lot of the effort is going into a 3/4 hack being :pushed by vendor laziness. The comments in the

Re: BGP to doom us all

2003-02-28 Thread Randy Bush
I think the only problem with the comments is that they over-estimate the benefit of that level of security relative to the overhead it requires. crypto hardware has become cheap. randy

Re: BGP to doom us all

2003-02-28 Thread batz
On Fri, 28 Feb 2003, Steven M. Bellovin wrote: :But -- given things like the AS7007 incident, and given the possibility :-- probability? -- that it can happen again, can we afford to not do :sBGP? My own opinion is that sophisticated routing attacks are the :single biggest threat to the

Re: BGP to doom us all

2003-02-28 Thread batz
On Fri, 28 Feb 2003, Randy Bush wrote: : I think the only problem with the comments is that they : over-estimate the benefit of that level of security relative : to the overhead it requires. : :crypto hardware has become cheap. Cheap to buy, but the time for processing each certificate will

Re: BGP to doom us all

2003-02-28 Thread Randy Bush
Cheap to buy, but the time for processing each certificate will increase with the size of the routing table, and we just end up replicating the problem of recalculating large routing tables, but now with certification, no? no. you *really* may want to read up on sbgp before attempting to

RE: BGP to doom us all

2003-02-28 Thread Barry Raveendran Greene
The problem that sBGP is trying to solve is *authorization*, not identification. Briefly -- and please read the papers and the specs before flaming -- every originating AS would have a certificate chain rooted at their local RIR stating that they own a certain address block. If an ISP

Re: BGP to doom us all

2003-02-28 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Barry Raveendran Greene writes: The problem that sBGP is trying to solve is *authorization*, not identification. Briefly -- and please read the papers and the specs before flaming -- every originating AS would have a certificate chain rooted at their local

Re: BGP to doom us all

2003-02-28 Thread Rob Thomas
Hi, NANOGers. ] However, given the recent academic popularity of attacks against routers, Indeed! Compromised routers (generally Cisco) are routinely traded in the underground. However, these routers are usually compromised by taking advantage of weak passwords, e.g. cisco for access and

Re: BGP to doom us all

2003-02-28 Thread alex
Indeed! Compromised routers (generally Cisco) are routinely traded in the underground. However, these routers are usually compromised by taking advantage of weak passwords, e.g. cisco for access and enable. :( RCS of your router config is your friend. mailing of the diff between

Re: BGP to doom us all

2003-02-28 Thread Rob Thomas
Hi, Alex. ] RCS of your router config is your friend. Yep, agreed. Sanity checking router configurations is a very wise move. Just so everyone knows, the miscreants generally disable all logging capability and enact ACLs to block all ICMP, UDP, and selectively permit telnet from their hacked

Re: BGP to doom us all

2003-02-28 Thread Rob Thomas
Hi, Dean. ] Assuming the router is compromised, so is the MD5 key. And presumably, ] the acls and anything else can be changed as well. Agreed. My point was to take a few steps to avoid the compromise. :) It isn't difficult to make things just a *bit* more difficult, and thus avoid the pain

Re: BGP to doom us all

2003-02-28 Thread Avi Freedman
In article [EMAIL PROTECTED] Barry wrote: : Now - show me an operational environment on the Internet where this authorization : chain is _working_ today. RIRs and RADB do not count. As you mention before, : those databases and keeping them up to date are a pulling teeth exercise. Well, while I

Re: BGP to doom us all

2003-02-28 Thread Vadim Antonov
Thank you very much, but no. DNS (and DNSSEC) relies on working IP transport for its operation. Now you effectively propose to make routing (and so operation of IP transport) dependent on DNS(SEC). Am I the only one who sees the problem? --vadim PS. The only sane method for routing info