
Re: Security of BGP Re: Status of the 16-bit AS Number space

2009-05-23 05:53:45
[belatedly]

On 12 mei 2009, at 21:42, Phillip Hallam-Baker wrote:

> As for adding IPSEC to BGP, I would not want to comment on the
> competence of the person involved.

We need to replace the MD5 hack with IPsec, because MD5 doesn't have any DoS protection, crypto algorithm agility or key rollover mechanisms. But of course that only protects your BGP sessions, not the content of the information in those sessions.

> In particular I find it utterly unbelievable that large backbone
> corporation A is going to configure its border routers to simply
> accept routing information from large backbone corporation B. If I was
> responsible for large corporation A then every piece of external
> routing data would be funnelled into a control center and the edge
> routers would only respond to control instructions from the control
> center. No matter what specifications and standards might opine, that
> is how I would run my network.

Sounds like a plan. Now explain to us how your control center knows which routing information is valid and which isn't? You have in the order of 30 seconds to decide for every update before your customers start to complain that "the internet" is broken.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf