Hey Randy,
On Nov 4, 2011, at 4:11 AM, Randy Bush wrote:
>> 5) I totally agree that route leaks don't violate BGP as a protocol
>> and are related to policies. But it doesn't mean route leaks are not
>> security threats. Receiving spam/viruses via email is a threat
>> although it doesn't violate any SMTP standards.
>>
>> 6) route leaking is related to a BGP threat model and isn't specific
>> to BGPSEC, and BGPSEC doesn't provide any protection from that threat.
>> So I'd like to second the idea of clarifying that in the document.
>
> could someone post a clear technical explanation of WHAT a route leak
> is, HOW one would definitively detect all cases of them, and WHAT one
> would do about it?
This is a list of three questions. Until there is discussion of the first, it
is premature to address the second two. Therefore, how about we just choose a
specific case of the first: how would BGPSec protect against an instance of an
event found here:
http://puck.nether.net/bgp/leakinfo.cgi
> you are correct, BGPsec tries to secure the BGP protocol against abuse,
> not protect the internet. the latter is a very worthy goal but a bit
> nebulous. of course an internet draft or two might clarify that.
This seems like a very pedantic distinction. Having an AS' traffic routed
through an invalid path seems like a BGP protocol abuse to me. So, in that
language, it seems to me that this issue is in scope (i.e. if the path is to be
protected, then subverting it is an abuse).
Eric
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
