Priscilla,
comments inline...
----- Original Message -----
From: "Priscilla Oppenheimer"
To:
Sent: Wednesday, August 14, 2002 2:40 PM
Subject: RE: OT: Nanog thread - Routing Protocol Security [7:51335]
> Jeff Doyle is allowed to ask questions too. ;-)
NT: I do beileve I've seen him ask questions.. if I'm not mistaken I think
they were rehorical in nature..;-)
>
> Serisouly, what was the gist of the responses? Are NANOG types concerned
> about routing protocol security vulnerabilities? I know that that there's
a
> lot of academic work going on in this area. If you search on "routing
> protocol security" in Google, for example, you'll come accross lots of
> references to academic work, IEEE papers, a DAPRA-sponsored Internet
> Infrastructure Protection project, etc.
NT: I believe the concern stems from a number of different issues which
relates to
the overall problem of global routing failures. There is mention of using
IGPs and it's
services(http://www.phenoelit.de/irpas/index.html) to stage an attack on
external
protocols. I think the biggest issue is lack of standardization on
authenticated routing
information throughout the internet. There area number of papers that
address the lack of these mechanisms(MD5)
IR verification, secure route servers) being used and by major
players(within the Default Free Zone).
As noted by another avid "nanog poster" Sean Donelan, there are a number of
various things
currently being used
(http://www.merit.edu/mail.archives/nanog/msg02502.html) to prevent the
likes of AS7007 from being repeated. however, I was also unable to find
anything along the lines
of progress made by the "rpsec" WG.
>
> There's also an IETF Working Group for this topic, the Routing Protocol
> Security Requiremetns group or soemthing of that sort (rpsec for short).
But
> I couldn't find any Internet drafts from them!? (just e-mail threads that
> didn't sound any more sophisticated than the wrangles we get into here!
;-)
>
> On a philosophical note, we have to realize that the bad guys aren't going
> to do the expected things, and if they do, we will have already designed
> protection for them. I heard Paul Kocher (one of the creators of SSL I
think
> and a security luminary) say at a recent conference, somewhat
sarcastically,
> that the real adversaries lack the propriety to limit themselves to tidy
> attacks such as brute force, factoring, and differential cryptanalysis....
> (the things we tend to protect against with huge keys, etc.)
NT: Yes, this does raise a good point, however I must mention that there are
flaws
in the methods used to ensure routing information being propagated globally
as having been
verified and/or authenticated. Nonetheless, with implementations like
BGP/VPNs, PPVPNs
and the constant growth of ISPs, W B Norton's papers - "Internet Service
Providers
and Peering and The Art of Peering", suggest that with the exception of
existing "transit" peering
relationships, more and more providers will endeavor to enhance their
services and attractiveness
in an attempt to form direct peering relationships. This minimizes the
access of predators intent
on proving their ability to hack, crack and or assimilate (Resistance is
Futile ;-)..)
Nigel
>
> Priscilla
>
> Nigel Taylor wrote:
> >
> > All,
> > I was doing my usual reading of the nanog mailing list and
> > came across one
> > of the more recent threads - "Routing Protocol Security".
> > What I found interesting was the name of the original poster,
> > which noted,
> > Jeff Doyle! Now, I'm sure there are quite a number of "Jeff
> > Doyle's"
> > on the planet, however this name does mean a lot to those of us
> > who has had
> > the privilege of owning Routing TCP/IP.
> >
> > Basically, I thought folks on the list would be interested in
> > the question as
> > it relates to the possible global affects based on current
> > Internet routing
> > policies, or lack thereof on "Private-to-Private", IXP peering
> > or external
> > peering in general.
> >
> > As a side note after reading the recently presented
> > paper(nanog0202 mtg) "ISP
> > Essentials Supp" by Barry Raveendran Greene and Philip Smith,
> > http://www.nanog.org/mtg-0206/ppt/barry.pdf I must say that
> > BGPv4, the
> > protocol has made great strides in it's operational
> > enhancements.
> > Possible vulnerabilities like the one noted in rfc1948, or the
> > points raised
> > by Tim Newsham's paper called "The Problem With Random
> > Increments"
> > are for the most part no longer valid/relevant possibilities.
> >
> > Furthermore, with the implementation of MD5 support and the
> > possibility of BGP
> > over IPSec the future looks bright for the security of global
> > routing. Of
> > course with the growing use of mostly layer 2 peering(between
> > IXP peers) and
> > MPLS/VPNs the need to implement even greater security within
> > BGP the protocol itself might become a NON-issue.
> >
> > Thoughts anyone
> >
> > Nigel
> >
> >
> > >HI,
> >
> > >Can any of you cite cases where an attack has been carried out
> > against a
> > network's routing protocol (BGP or OSPF in particular)? My
> > apologies if this
> > question is too >far off-topic, but if anyone knows of such
> > incidents it would
> > be the members of this group.
> >
> > >Jeff Doyle
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51436&t=51335
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
