Re: BGP in the Washington Post
On (2015-06-02 21:51 -0700), Randy Bush wrote:
> The RPKI is an X.509 based hierarchy [rfc 6481] which is congruent with the internet IP address allocation administration, the IANA,

Hijacking this thread. I requested 'loose rpki' from both our main vendors years ago; nothing has happened.

An SP trying to deploy RPKI may see a negative business impact: if the far end fat-fingers and fails RPKI, then my connectivity to them is broken, while a competitor who isn't running RPKI still works fine. Essentially, suits may view deploying RPKI as spending money to lose money.

A comfortable slow start would be to have 'loose rpki', which essentially has 3 adj-ribs: verified-rpki, missing-rpki, failed-rpki. The loc-rib is then built from each of these, so that no overlapping routes are installed from inferior ribs. That is, if verified-rpki has 192.0.2.0/24, missing/failed-rpki cannot install it or a more-specific of it. Net result is, we will always use the verified-rpki route if one exists, but if no other options exist, we're happy to use any available route.

JunOS allows routing-policy to match on verified status, but this obviously cannot override more-specifics.

--
++ytti
Re: BGP in the Washington Post
On 6/2/2015 00:27, Scott Weeks wrote:
> Great article for the WP and they asked good questions from the correct people, but I have to take issue with the lack of network operator's participation comments:
>
> : But getting network operators to participate is proving
> : difficult.
> : Many network operators also are cool to taking the further
> : step of adopting a secure new routing protocol called BGPSEC
> : to replace BGP.
> : “Unless [network] operators can see that the benefits will
> : generally outweigh the costs, they just won’t deploy it.”
>
> It's more that the managers who have no idea what is going on are forcing operators to focus their attention elsewhere, rather than on the important things, until everyone's behind the 8-ball. Then, all of the sudden, the mostly clueless managers are all about it. But, by then it's too late. Farting in a hurricane and hoping it makes a difference... ;-)

Pardon me (and please forgive me if I am wrong), but I think that from the viewpoints of the Washington Post, its readers, and probably all of humanity save the view on this list, the MANAGEMENT of the several ISP firms and organizations IS the operators. Folks out on the operating floor don't really exist.

--
sed quis custodiet ipsos custodes? (Juvenal)
Re: BGP in the Washington Post
--- larryshel...@cox.net wrote:
From: Larry Sheldon larryshel...@cox.net

> On 6/2/2015 00:27, Scott Weeks wrote:
>> Great article for the WP and they asked good questions from the correct people, but I have to take issue with the lack of network operator's participation comments:
>>
>> : But getting network operators to participate is proving
>> : difficult.
>> : Many network operators also are cool to taking the further
>> : step of adopting a secure new routing protocol called BGPSEC
>> : to replace BGP.
>> : “Unless [network] operators can see that the benefits will
>> : generally outweigh the costs, they just won’t deploy it.”
>>
>> It's more that the managers who have no idea what is going on are forcing operators to focus their attention elsewhere, rather than on the important things, until everyone's behind the 8-ball. Then, all of the sudden, the mostly clueless managers are all about it. But, by then it's too late. Farting in a hurricane and hoping it makes a difference... ;-)
>
> Pardon me (and please forgive me if I am wrong), but I think that from the viewpoints of the Washington Post, its readers, and probably all of humanity save the view on this list, the MANAGEMENT of the several ISP firms and organizations IS the operators. Folks out on the operating floor don't really exist.
--

No, looking at it the way you phrase it, you're not wrong. To me, the operators are the folks with the technical know-how and the admin password. I guess I have been out on the raggedy edges (likely soon to change...) too long and I am not used to managers that have any understanding of network operations/engineering. But I do understand what you're saying.

And I'm on the list. ;-)

scott
Re: BGP in the Washington Post
In message 556c8ebc.7080...@netassist.ua, Max Tulyev writes:
> Is there *IN THEORY* any possibility to make BGP secure enough now?
>
> Yes, RPKI protects from fat-fingered people, but does NOT protect from people doing hijacks knowingly.

At the moment, because not enough of the net is covered. When you get enough coverage then yes, it will protect you, because there is no way to get a valid CERT to authenticate the hijack. Even before that, RPKI will limit the impact of the hijack by isolating the attack to the networks close to the injection points. Think of this as herd immunity.

> The global routing registry really can be the solution, but it automatically gives one authority a power to cut off any network. Imagine how fast it will be used for censorship.
>
> On 01.06.15 16:24, William Herrin wrote:
>> Interesting story about BGP and security in the Washington Post today:
>> http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
>> -Bill

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
Re: BGP in the Washington Post
> Yes, RPKI protects from fat-fingered people, but does NOT protect from people doing hijacks knowingly.

the rpki protects from fat fingers as well as the telephone white pages protects from wrong number dialing. it doesn't.

for the 312th time (i had to make this clear once again from the floor of nanog this week), ...

The RPKI is an X.509 based hierarchy [rfc 6481] which is congruent with the internet IP address allocation administration, the IANA, RIRs, ISPs, ... It is just a database, but is the substrate on which the next two mechanisms are based. It is currently deployed in all five administrative regions.

RPKI-based Origin Validation [RFC 6811] uses some of the RPKI data to allow a router to verify that the autonomous system originating an IP address prefix is in fact authorized to do so. This is not crypto checked, so it can be violated. But it should prevent the vast majority of accidental 'hijackings' on the internet today, e.g. the famous Pakistani accidental announcement of YouTube's address space. RPKI-based origin validation is in shipping code from AlcaLu, Cisco, Juniper, and possibly others.

RPKI-based Path Validation, a future technology still being designed [draft-ietf-sidr-bgpsec-overview-06.txt], uses the full crypto information of the RPKI to make up for the embarrassing mistake that, like much of the internet, BGP was designed with no thought to securing the BGP protocol itself from being gamed/violated. It allows a receiver of a BGP announcement to cryptographically validate that the autonomous systems through which the announcement passed were indeed those which the sender/forwarder at each hop intended.

randy
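Two mechanisms in this thread lend themselves to a worked example: the RFC 6811 origin validation Randy describes above (Valid / NotFound / Invalid from the VRP set, with no crypto check at the router), and ytti's 'loose rpki' loc-RIB from earlier in the thread (verified > missing > failed, with inferior RIBs unable to install a prefix, or a more-specific of it, that a superior RIB already holds). The Python below is an added example, not code from the thread or any router vendor; the VRPs, routes, peer names and ASNs are constructed sample data, and `strict_loc_rib` is the conventional "drop Invalid" policy included only for contrast.

```python
"""RPKI origin validation (RFC 6811) and a 'loose RPKI' loc-RIB.

Added example, not code from the thread or any router vendor. All VRPs,
routes and peer names below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

VALID, NOT_FOUND, INVALID = "valid", "not-found", "invalid"


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maxLength, origin AS, as handed to the router by its cache."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Route:
    """A received BGP route reduced to what ROV looks at, plus the peer it came from."""
    prefix: str
    origin_as: int
    peer: str


def validate_origin(route, vrps):
    """RFC 6811 section 2: NotFound if no VRP covers the prefix; Valid if some
    covering VRP matches the origin AS and prefixlen <= maxLength; else Invalid.
    No signature is checked here: the router trusts the VRP set it was given."""
    net = ipaddress.ip_network(route.prefix, strict=False)
    covered = False
    for vrp in vrps:
        vnet = ipaddress.ip_network(vrp.prefix, strict=False)
        if vnet.version != net.version or not net.subnet_of(vnet):
            continue
        covered = True
        if net.prefixlen <= vrp.max_length and route.origin_as == vrp.origin_as:
            return VALID
    return INVALID if covered else NOT_FOUND


def strict_loc_rib(routes, vrps):
    """Conventional policy: drop Invalid, keep Valid and NotFound. A far-end
    fat-finger with no alternative path means losing reachability."""
    return [r for r in routes if validate_origin(r, vrps) != INVALID]


def loose_loc_rib(routes, vrps):
    """ytti's scheme: three adj-RIBs ranked verified > missing > failed. A route
    from a lower-ranked RIB is installed only if no prefix already installed from
    a higher-ranked RIB equals or covers it: a verified 192.0.2.0/24 blocks a
    failed 192.0.2.0/24 and a failed 192.0.2.0/25, but a failed route for a
    prefix with no verified or missing alternative is still used."""
    ribs = {VALID: [], NOT_FOUND: [], INVALID: []}
    for r in routes:
        ribs[validate_origin(r, vrps)].append(r)
    installed = []   # (state, route) pairs in install order
    blockers = []    # networks already installed from higher-ranked RIBs
    for state in (VALID, NOT_FOUND, INVALID):
        accepted = []
        for r in ribs[state]:
            net = ipaddress.ip_network(r.prefix, strict=False)
            if any(net.version == b.version and net.subnet_of(b) for b in blockers):
                continue  # a better-ranked RIB already covers this prefix
            accepted.append(r)
        installed.extend((state, r) for r in accepted)
        blockers.extend(ipaddress.ip_network(r.prefix, strict=False) for r in accepted)
    return installed


# Constructed sample data: documentation prefixes and private-range ASNs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("198.51.100.0/24", 25, 64501),
    VRP("2001:db8::/32", 48, 64502),
]
ROUTES = [
    Route("192.0.2.0/24", 64500, "peerA"),      # valid
    Route("192.0.2.0/24", 64666, "peerB"),      # wrong origin: invalid, loses to peerA
    Route("192.0.2.0/25", 64500, "peerB"),      # longer than maxLength 24: invalid
    Route("198.51.100.0/24", 64599, "peerC"),   # far-end fat-finger, and our only path
    Route("203.0.113.0/24", 64510, "peerA"),    # no ROA at all: not-found
    Route("2001:db8:1::/48", 64502, "peerD"),   # valid (48 <= maxLength 48)
]

if __name__ == "__main__":
    for r in ROUTES:
        print(f"{r.prefix:<18} AS{r.origin_as} via {r.peer}: {validate_origin(r, VRPS)}")
    print("strict:", [(r.prefix, r.peer) for r in strict_loc_rib(ROUTES, VRPS)])
    print("loose: ", [(s, r.prefix, r.peer) for s, r in loose_loc_rib(ROUTES, VRPS)])
```

Run as-is, the strict policy loses 198.51.100.0/24 entirely (the fat-fingered far end), while the loose policy installs it from the failed RIB because nothing verified or missing covers it, and still refuses both peerB routes because the verified /24 from peerA covers them. That is the trade ytti is describing: never prefer a failed route over a verified one, but do not go dark for lack of a verified alternative.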
Re: BGP in the Washington Post
Is there *IN THEORY* any possibility to make BGP secure enough now?

Yes, RPKI protects from fat-fingered people, but does NOT protect from people doing hijacks knowingly.

The global routing registry really can be the solution, but it automatically gives one authority a power to cut off any network. Imagine how fast it will be used for censorship.

On 01.06.15 16:24, William Herrin wrote:
> Interesting story about BGP and security in the Washington Post today:
> http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
> -Bill
BGP in the Washington Post
Interesting story about BGP and security in the Washington Post today:

http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/

-Bill

--
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
Re: BGP in the Washington Post
Subject: BGP in the Washington Post Date: Mon, Jun 01, 2015 at 09:24:33AM -0400 Quoting William Herrin (b...@herrin.us):
> Interesting story about BGP and security in the Washington Post today:
> http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/

sort of disappointed they did not quote randy using only lower case. looks weird. once past that, good comment.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Isn't this my STOP?!
Re: BGP in the Washington Post
On Mon, Jun 1, 2015 at 6:24 AM, William Herrin b...@herrin.us wrote:
> Interesting story about BGP and security in the Washington Post today:
> http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
> -Bill

The article left me with the feeling that there was a secure version of BGP that is available but network operators are too short-term-focused and foolish to deploy it. I believe the situation is more complicated than that, no?

There is no secure version of BGP. There are a handful of things that help, like RPKI ... but they are far off from hitting the mark of securing the internet... not to mention the ARIN RPKI SNAFU with various lawyers that makes RPKI impossible for a large part of the internet.

CB

PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate because Cisco does not think validation within a VRF is an IOS-XR worthy feature.

PPS. It does blow my mind that the internet works so well given that its security relies on the good faith and reputation of a few network janitors and plumbers.

> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: http://www.dirtside.com/
RE: BGP in the Washington Post
Excellent find, thanks! I forwarded this to a bunch of people. Mostly managers.

Jeff A. Masiello

-----Original Message-----
From: NANOG [mailto:nanog-bounces+jmasiello=actionet@nanog.org] On Behalf Of William Herrin
Sent: Monday, June 01, 2015 9:25 AM
To: nanog@nanog.org
Subject: BGP in the Washington Post

Interesting story about BGP and security in the Washington Post today:

http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/

-Bill

--
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
Re: BGP in the Washington Post
On Mon, Jun 1, 2015 at 9:39 AM, Måns Nilsson mansa...@besserwisser.org wrote:
> Subject: BGP in the Washington Post Date: Mon, Jun 01, 2015 at 09:24:33AM -0400 Quoting William Herrin (b...@herrin.us):
>> Interesting story about BGP and security in the Washington Post today:
>> http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
>
> sort of disappointed they did not quote randy using only lower case. looks weird. once past that, good comment.

and in comic sans you mean?
Re: BGP in the Washington Post
--- b...@herrin.us wrote:
From: William Herrin b...@herrin.us

> Interesting story about BGP and security in the Washington Post today:
> http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
--

Great article for the WP and they asked good questions from the correct people, but I have to take issue with the lack of network operator's participation comments:

: But getting network operators to participate is proving
: difficult.
: Many network operators also are cool to taking the further
: step of adopting a secure new routing protocol called BGPSEC
: to replace BGP.
: “Unless [network] operators can see that the benefits will
: generally outweigh the costs, they just won’t deploy it.”

It's more that the managers who have no idea what is going on are forcing operators to focus their attention elsewhere, rather than on the important things, until everyone's behind the 8-ball. Then, all of the sudden, the mostly clueless managers are all about it. But, by then it's too late. Farting in a hurricane and hoping it makes a difference... ;-)

scott