Home page logo

nanog logo nanog mailing list archives

Re: BGP to doom us all
From: batz <batsy () vapour net>
Date: Fri, 28 Feb 2003 18:01:28 -0500 (EST)

On Fri, 28 Feb 2003, Bruce Pinsky wrote:

:What a crock of crap.  Knowing who someone is doesn't stop them from causing 
:intentional or unintentional problems.  In fact, authentication is more likely 
:to cause people to become complacent wrt their filtering policies.  Hey I've 
:authenticated that router so it's going to only send me correct routes. 

The authentication I suspect he is referring to, is certification 
of the routes themselves, not just mere peer authentication. 

However, given the recent academic popularity of attacks against routers, 
such as the phenolit OSPF exploit, Bindviews TCP ISN strange attractors, 
Tim Newshams ISN paper, some large vendors use of widely available 
hardware and/or operating systems, and others, it's worth being extra 
mindful of router security. 

Dashing off press releases about internet vulnerabilities is a bit like
that cold fusion in a coffee cup incident. It harmed the credibility of 
all researchers and may have set back alot of other legitimate efforts. 

The technical solutions are pretty easy, almost everyone on the list
understands them. Us cassandras in the security business just have to 
find a better way of making people more mindful of security in their 
day to day operations. Appeasing the media's thirst for broad and 
fearsome pronouncements doesn't help things. Unfortunately, this 
sort of mindfulness isn't so much taught as it must be learned, and 
so we are back to the operator clue issue. 


Mu. ;) 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]