> The proposed solution would work fine in practice as well.
> Whichever prefix (or more specific of it) that the mitigator and the victim decide to
> propagate (via the mitigator) for DDoS mitigation today in BGP, the same prefix can also
> be propagated with BGPSEC (and more securely).

How long will it take a BGPSEC update to traverse the network, end-to-end? Remember that the update must be re-signed at every hop, take into account the normal speed of BGP operations, and don't forget the processing, serialization, and memory delay load of adding a signature...

Just thought I'd bring us back to the original subject line -- this isn't about solving the problem for "perfect security," but for real world use. And no, "it'll be fast enough once we've gone a generation or two of routers into the future," isn't a good enough answer. The only way to know what the Internet will look like in ten years is to stop innovation and growth in their tracks -- I know a lot of folks would really like this solution, but...

BTW, BGPSEC isn't even close to "perfect security." In fact, I don't think BGPSEC actually solves much of anything at all at this point -- other than allowing you to point fingers at the "guilty party" much more effectively than in the past. I can't seem to find that particular requirement in any requirements document, though.

Russ

--
<>< [email protected] [email protected]

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
