potential new IETF WG on anonymous IPSec

Major Variola (ret) mv at cdc.gov
Mon Sep 13 09:49:04 PDT 2004


Currently BGP is "secured" by
1. accepting BGP info only from known router IPs
2. ISPs not propagating BGP from the edge inwards

It's a serious vulnerability (as in, take down the net),
equivalent to the ability to confuse the post office
machinery that sorts postcards.  All you need to
do is subvert some trusted routers.


At 10:54 PM 9/10/04 -0700, Bill Stewart wrote:
>Also, the author's document discusses protecting BGP to prevent
>some of the recent denial-of-service attacks,
>and asks for confirmation about the assertion in a message
>on the IPSEC mailing list suggesting
>    "E.g., it is not feasible for BGP routers to be configured with the
>    appropriate certificate authorities of hundreds of thousands of
>    peers".
>Routers typically use BGP to peer with a small number of partners,
>though some big ISP gateway routers might peer with a few hundred.
>(A typical enterprise router would have 2-3 peers if it does BGP.)
>If a router wants to learn full internet routes from its peers,
>it might learn 1-200,000, but that's not the number of direct connections
>that it has - it's information it learns using those connections.
>And the peers don't have to be configured "rapidly without external
>assistance" -
>you typically set up the peering link when you're setting up the
>connection between an ISP and a customer or a pair of ISPs,
>and if you want to use a CA mechanism to certify X.509 certs,
>you can set up that information at the same time.

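To make the two "protections" in the post, and the failure mode it points at, concrete: the toy BGP speaker below is an example added to this archive page, not code from the original message or from any real BGP implementation. The peer addresses, AS numbers and prefixes are constructed sample data. It models a speaker that accepts UPDATEs only from configured peer addresses, prefix-filters its customer (edge) session, leaves its transit session unfiltered because that session delivers a full table, and then shows that a subverted transit router can announce a more-specific for a customer's prefix and displace the legitimate route, since nothing but its source address was ever checked. It also makes Bill Stewart's point visible: three peers, a thousand-odd learned routes.

```python
from ipaddress import ip_network


class Speaker:
    """A BGP speaker that trusts sessions, not routes (the model the post describes)."""

    def __init__(self, name):
        self.name = name
        self.peers = {}      # peer IP -> {"role": ..., "allowed": [networks]}
        self.rib = {}        # prefix string -> (origin AS, peer IP it was learned from)
        self.rejected = []   # (peer IP, prefix, reason)

    def add_peer(self, ip, role, allowed=()):
        # Protection 1: only these source addresses are allowed to send UPDATEs.
        # Protection 2: customer sessions carry a prefix-list of what they may originate;
        # transit/peer sessions are unfiltered because they hand us a full table.
        self.peers[ip] = {"role": role, "allowed": [ip_network(p) for p in allowed]}

    def receive(self, src_ip, prefix, origin_as):
        """Apply the two checks to one announcement; return True if it is installed."""
        peer = self.peers.get(src_ip)
        if peer is None:
            self.rejected.append((src_ip, prefix, "unknown peer address"))
            return False
        net = ip_network(prefix)
        if peer["role"] == "customer" and not any(net.subnet_of(a) for a in peer["allowed"]):
            self.rejected.append((src_ip, prefix, "outside customer prefix-list"))
            return False
        self.rib[prefix] = (origin_as, src_ip)
        return True


def scenario():
    """Run the post's two defences against three announcers; return what happened."""
    r = Speaker("isp-core")
    # Constructed sample peers (documentation address ranges, not real routers).
    r.add_peer("192.0.2.1", "transit")                         # upstream, unfiltered
    r.add_peer("198.51.100.1", "peer")                          # settlement-free peer, unfiltered
    r.add_peer("203.0.113.1", "customer", ["203.0.113.0/24"])   # edge customer, filtered

    # The transit peer sends a (constructed) "full table": many routes over one session,
    # so the number of peers stays small while the number of learned routes is large.
    for i in range(1024):
        r.receive("192.0.2.1", f"100.{i // 256}.{i % 256}.0/24", 64496 + i)

    out = {}
    # Outsider spoofing an UPDATE from an address that is not a configured peer.
    out["spoof_from_unknown"] = r.receive("10.0.0.1", "198.18.0.0/15", 64500)
    # Customer announcing its own space, then someone else's.
    out["customer_own_prefix"] = r.receive("203.0.113.1", "203.0.113.0/25", 64501)
    out["customer_foreign_prefix"] = r.receive("203.0.113.1", "198.18.0.0/15", 64501)
    # The failure mode: a trusted transit router, once subverted, announces the
    # customer's more-specific and displaces the legitimate route, because its
    # session is unfiltered and only its source address was ever checked.
    out["subverted_transit_hijack"] = r.receive("192.0.2.1", "203.0.113.0/25", 64500)
    out["rib_origin_for_customer_prefix"] = r.rib["203.0.113.0/25"][0]
    out["peer_count"] = len(r.peers)
    out["route_count"] = len(r.rib)
    out["rejections"] = [reason for _, _, reason in r.rejected]
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The spoofed UPDATE and the customer's foreign prefix are both rejected, which is the whole of what the two protections buy; the announcement from the subverted transit session is installed and overrides the customer's own route. Per-session authentication (keys or certificates) is configured for three peers, not for the thousand-plus prefixes learned through them, which is the distinction Bill Stewart draws above.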