Re: potential new IETF WG on anonymous IPSec
Currently BGP is "secured" by 1. accepting BGP info only from known router IPs 2. ISPs not propogating BGP from the edge inwards Its a serious vulnerability (as in, take down the net), equivalent to the ability to confuse the post office machinery that sorts postcards. All you need to do is subvert some trusted routers. At 10:54 PM 9/10/04 -0700, Bill Stewart wrote:
Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting "E.g., it is not feasible for BGP routers to be configured with the
appropriate certificate authorities of hundreds of thousands of peers". Routers typically use BGP to peer with a small number of partners, though some big ISP gateway routers might peer with a few hundred. (A typical enterprise router would have 2-3 peers if it does BGP.) If a router wants to learn full internet routes from its peers, it might learn 1-200,000, but that's not the number of direct connections that it has - it's information it learns using those connections. And the peers don't have to be configured "rapidly without external assistance" - you typically set up the peering link when you're setting up the connection between an ISP and a customer or a pair of ISPs, and if you want to use a CA mechanism to certify X.509 certs, you can set up that information at the same time.
participants (1)
-
Major Variola (ret)