> Signed.

I wonder --if I sign my door knob, does that make it secure?

Cryptographic signatures are not security. In fact, for all our wailing about "obscurity is not security," cryptography is just a more sophisticated form of obscurity. Somewhere along the way we've lost sight of the original meaning of that phrase, and the original goals of security.

>> The failure to define and separate policy from routing has caused a
>> great deal of confusion within the BGP security space over the years.
>
> Correct. And given that there exist malicious use cases for violating implicit
> policy, it makes sense that it be addressed in conjunction with BGPSEC.

There are several problems here.

1. Most providers apparently want to enforce policy without telling anyone what their policy actually is. That this is a logical contradiction doesn't seem to disturb anyone.

2. You can't "enforce" your policy --all you can do is signal to someone else what that policy is, and ask them nicely to enforce it for you.

2a. If you have a business relationship with this other party, then you already have an enforcement mechanism at hand --signatures and other sorts of things won't provide anything additional.

2b. If you don't have a business relationship with this other party, then there's no point in asking, because they're going to do what's best for them, not for you.

There's some sort of dream world where you can not tell anyone what your policies are, and people you don't have a business relationship with will somehow enforce those policies (that they don't know about, because you refuse to tell them) for you. It's a nice dream, but I don't see how it has any bearing on reality.

Until we can get past this little dream world, I don't see how SIDR is going to make any real progress towards actually securing BGP. Either policies --all policies-- must be off limits, even ones masquerading as "man in the middle attacks," or all policies must be within bounds, and we must enumerate and deal with them honestly.

:-)

Russ

_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
