> How long is too long for a replay attack to go unnoticed? I'd bet that
> a lot of the folks worried about this would answer in minutes, while
> those concerned primarily with the hardware in their routers would
> answer in hours...
from the bgpsec-ops docco:

As beaconing places a load on the entire global routing system,
careful thought MUST be given to any need to beacon frequently. This
would be based on a conservative estimation of the vulnerability to a
replay attack.

Beacon timing and signature validity periods SHOULD be as follows:

The Exemplary Citizen: Prefix originators who are not overly
concerned about replay attacks might announce with a signature
validity of multiple weeks and beacon one third of the validity
period.

Normal Prefix: Most prefixes SHOULD announce with a signature
validity of a week and beacon every three days.

Critical Prefix: Of course, we all think what we do is critical.
But prefixes of top level DNS servers, and RPKI publication points
are actually critical to large swaths of the Internet and are
therefore tempting targets for replay attacks. It is suggested
that the beaconing of these prefixes SHOULD be two to four hours,
with a signature validity of six to twelve hours.

Note that this may incur route flap damping (RFD) with current
default but deprecated RFD parameters, see [I-D.ymbk-rfd-usable].
randy
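As an added illustration (not part of the post or the draft), the following model shows the trade-off the quoted text describes: a withdrawn BGPsec route can be replayed until its most recent beacon's signature expires, so the validity period bounds the replay window while the beacon interval sets both the routing-system load and how many lost beacons a prefix survives. The three profiles come from the quoted draft; the specific hour values picked inside its "two to four" / "six to twelve" ranges are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BeaconProfile:
    name: str
    validity_h: float  # signature validity period, in hours
    beacon_h: float    # re-beaconing (re-signing) interval, in hours


# Values follow the draft text quoted above; the critical-prefix hours are
# one assumed choice inside the ranges the draft gives.
PROFILES = {
    "exemplary": BeaconProfile("Exemplary Citizen", validity_h=3 * 7 * 24, beacon_h=7 * 24),
    "normal": BeaconProfile("Normal Prefix", validity_h=7 * 24, beacon_h=3 * 24),
    "critical": BeaconProfile("Critical Prefix", validity_h=12, beacon_h=4),
}


def replay_accepted(signed_at_h, validity_h, replayed_at_h):
    """A stale update still validates while its signature is unexpired:
    a validator has no way to tell a replay from a legitimately delayed copy."""
    return signed_at_h <= replayed_at_h < signed_at_h + validity_h


def replay_window_after_withdrawal(profile, last_beacon_h, withdraw_h):
    """Hours during which a route withdrawn at withdraw_h can still be replayed.
    The freshest signature is the last beacon before the withdrawal, so the
    window is at most one full validity period (withdrawal right after a beacon)
    and at least validity - beacon interval (withdrawal right before one)."""
    assert last_beacon_h <= withdraw_h
    return max(0.0, last_beacon_h + profile.validity_h - withdraw_h)


def missed_beacons_tolerated(profile):
    """Consecutive beacons that can be lost before the route's signature lapses.
    Beaconing at one third of the validity period survives two misses."""
    return int(profile.validity_h // profile.beacon_h) - 1


def beacons_per_day(profile):
    """Update load a single prefix adds to the global table per day; the
    draft warns the higher rates may trip default RFD parameters."""
    return 24.0 / profile.beacon_h


if __name__ == "__main__":
    for p in PROFILES.values():
        print(f"{p.name}: replay window <= {p.validity_h}h, "
              f"tolerates {missed_beacons_tolerated(p)} missed beacon(s), "
              f"{beacons_per_day(p):.2f} beacons/day")
```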
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr