Home page logo
/

nanog logo nanog mailing list archives

Re: BGPSEC & soBGP
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Fri, 16 Jan 2009 21:37:55 -0500

On Sat, 17 Jan 2009 00:14:17 +0000
Naveen Nathan <naveen () calpop com> wrote:

I came across this article on /.:
http://www.networkworld.com/news/2009/011509-bgp.html?page=1

I'm not too familiar with security of routing protocols, but it became
immediately evident as I read this article that much of the work has
been accomplished with soBGP. I'm wondering why there is a new
initiative for another technology to secure BGP.

There are two parts to the answer.

First, neither SoBGP nor SBGP, the two primary secured BGP proposals,
have a consensus behind them.  Whether or not either or both do the
job in some objective sense, large segments of the community do not
perceive that they do, and it's not for lack of trying by the
proponents of either.

Second, and more serious, both proposals do have major technical
issues.  SoBGP is very good at protecting origin announcements (and
hence at preventing mistakes), but it doesn't work nearly as well
against deliberate hijacking.  SBGP protects entire path announcements,
but is very heavy-weight and requires many signature verifications,
probably too many.  We need a protocol that solves both of these issues.

-- 
                --Steve Bellovin, http://www.cs.columbia.edu/~smb


  By Date           By Thread  

Current thread:
  • BGPSEC & soBGP Naveen Nathan (Jan 17)
    • Re: BGPSEC & soBGP Steven M. Bellovin (Jan 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]