
BGP Security Requirements

BGP Security Requirements. IETF-65 Getting close.... Tony Tauber. Imperatives: SIDR (Secure Inter-Domain Routing) WG starts on protocol extensions in parallel; RPSEC not chartered for those; IDR is already very busy; RPSEC needs to provide consensus items to SIDR. Let's review.


Presentation Transcript


  1. BGP Security Requirements IETF-65 Getting close.... Tony Tauber

  2. Imperatives
     • SIDR (Secure Inter-Domain Routing) WG
     • Starts on protocol extensions in parallel
     • RPSEC not chartered for those
     • IDR is already very busy
     • RPSEC needs to provide consensus items to SIDR
     • Let’s review....

  3. Practical Concerns
     • No flag-day
     • Must be able to realize benefit even without global deployment
     • General Operational (business) model cannot be overhauled

  4. Originating AS Authorization
     • Must be able to bind authorization to advertise some address space to a given Autonomous System
     • Must be able to handle delegation/transfer of authority to advertise
     • Must be able to follow address delegation practices

  5. Transport Layer Protection
     • Replace TCP-MD5
     • GTSM is nice but more is needed

  6. Key Management
     • Yes!

  7. Don’t kill router processors
     • Please

  8. Make configuration reasonable
     • Focus on optimizations based on frequent vs. infrequent types of changes
     • Bootstrapping
     • Must be able to come up without reachability to off-board data

  9. What follows is the question...
     • Please pay attention

  10. Question: AS_PATH Validation
     • MUST occur in some fashion
     • ASNs appearing in the AS_PATH matter
     • To keep free from loops
     • For Operational reasons (troubleshooting)
     • Length also matters
     • As part of decision algorithm

  11. Question: AS Transit Validation
     • SHOULD be part of the solution
     • Can passage of BGP information be tracked as it moves through ASes?
     • More rigorous test than AS_Path validation
     • Could help with tracking sources of problems both naïve and malicious

  12. Next Steps
     • In-Room Consensus Call
     • Is there consensus on current draft?
     • Yes?
     • No?
     • Should we revise clearly indicating that AS_Path parts don’t have consensus?
     • Yes?
     • No?
     • Working Group Last Call

  13. Thanks!
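The originating-AS requirements on slide 4, together with the partial-deployment concern on slide 3, can be sketched as follows. This is an added example, not material from the presentation: the `Grant` record, the `ROOT` trust anchor, the `holds` and `check_origin` functions, the three result labels and the sample data are all assumptions made for illustration, and the sketch assumes that any covering grant with a matching AS authorizes the announcement.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ROOT = "ROOT"  # hypothetical trust anchor at the top of the delegation tree

@dataclass(frozen=True)
class Grant:
    issuer: str                      # party that delegated the space
    holder: str                      # party that received it
    prefix: str
    origin_as: Optional[int] = None  # AS bound to the prefix, if any

# Constructed sample data: documentation prefixes and documentation ASNs.
GRANTS = [
    Grant(ROOT, "isp", "192.0.2.0/24", 64496),
    Grant("isp", "customer", "192.0.2.128/25", 64497),     # sub-delegation
    Grant("mallory", "mallory", "203.0.113.0/24", 64511),  # no chain to ROOT
]

def holds(party, net, grants, seen=()):
    """True if `party` holds `net` through an unbroken chain of grants from ROOT."""
    if party == ROOT:
        return True
    for g in grants:
        gnet = ipaddress.ip_network(g.prefix)
        if (g.holder == party and g not in seen and gnet.version == net.version
                and net.subnet_of(gnet) and holds(g.issuer, gnet, grants, seen + (g,))):
            return True
    return False

def check_origin(prefix, origin_as, grants):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for g in grants:
        gnet = ipaddress.ip_network(g.prefix)
        if g.origin_as is None or gnet.version != net.version or not net.subnet_of(gnet):
            continue
        if not holds(g.issuer, gnet, grants):
            continue  # issuer never held this space, so the record carries no authority
        covered = True
        if g.origin_as == origin_as:
            return "valid"
    # Covered space with no matching AS is rejected; uncovered space stays
    # 'unknown' so routes from non-participating networks remain usable.
    return "invalid" if covered else "unknown"

if __name__ == "__main__":
    for p, a in [("192.0.2.128/25", 64497), ("192.0.2.0/24", 64497), ("198.51.100.0/24", 64496)]:
        print(p, a, check_origin(p, a, GRANTS))
```

The `unknown` result is what lets a network benefit from the check before every address holder has published authorizations: only announcements that contradict existing data are rejected.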
