BGP Security Requirements
IETF-65
Getting close....
Tony Tauber
Imperatives
• SIDR (Secure Inter-Domain Routing) WG
• Starts on protocol extensions in parallel
• RPSEC not chartered for those
• IDR is already very busy
• RPSEC needs to provide consensus items to SIDR
• Let’s review....
Practical Concerns
• No flag-day
• Must be able to realize benefit even without global deployment
• General operational (business) model cannot be overhauled
Originating AS Authorization
• Must be able to bind authorization to advertise some address space to a given Autonomous System
• Must be able to handle delegation/transfer of authority to advertise
• Must be able to follow address delegation practices
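The three requirements on this slide can be modelled as a check over a delegation tree. This is an added example, not taken from the slides or from any RPSEC/SIDR draft; the record types, holder names and the exact-prefix matching rule are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:          # hypothetical record: issuer hands holder authority over prefix
    prefix: str
    holder: str
    issuer: str            # "ROOT" marks the top of the delegation tree

@dataclass(frozen=True)
class OriginAuth:          # hypothetical record: holder authorizes asn to originate prefix
    prefix: str
    holder: str
    asn: int

def covers(outer, inner):
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)

def holds(holder, prefix, delegations, seen=frozenset()):
    """True if holder's authority over prefix chains back to ROOT."""
    for d in delegations:
        if d.holder != holder or not covers(d.prefix, prefix) or d in seen:
            continue
        if d.issuer == "ROOT" or holds(d.issuer, d.prefix, delegations, seen | {d}):
            return True
    return False

def origin_authorized(prefix, asn, auths, delegations):
    # Assumption: an authorization covers exactly the prefix it names.
    want = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(a.prefix) == want and a.asn == asn
               and holds(a.holder, a.prefix, delegations) for a in auths)

def transfer(delegations, prefix, old_holder, new_holder):
    """Move a block to a new holder; the old holder's authority ends."""
    return [Delegation(d.prefix, new_holder, d.issuer)
            if (d.prefix, d.holder) == (prefix, old_holder) else d
            for d in delegations]

# Constructed sample data (documentation prefix and documentation ASNs).
DELEGATIONS = [
    Delegation("2001:db8::/32", "registry", "ROOT"),
    Delegation("2001:db8:100::/40", "isp-a", "registry"),
    Delegation("2001:db8:110::/48", "customer-1", "isp-a"),
]
AUTHS = [
    OriginAuth("2001:db8:110::/48", "customer-1", 64496),
    OriginAuth("2001:db8:100::/40", "isp-a", 64497),
]
```

After `transfer()` moves the /48 to another holder, the authorization issued by `customer-1` no longer validates, which is the delegation/transfer case the slide calls out.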
Transport Layer Protection
• Replace TCP-MD5
• GTSM is nice but more is needed
Key Management
• Yes!
Don’t kill router processors
• Please
Make configuration reasonable
• Focus on optimizations based on frequent vs. infrequent types of changes
• Bootstrapping
  • Must be able to come up without reachability to off-board data
What follows is the question...
• Please pay attention
Question: AS_PATH Validation
• MUST occur in some fashion
• ASNs appearing in the AS_PATH matter
  • To keep free from loops
  • For operational reasons (troubleshooting)
• Length also matters
  • As part of decision algorithm
Question: AS Transit Validation
• SHOULD be part of the solution
• Can passage of BGP information be tracked as it moved through ASes?
• More rigorous test than AS_PATH validation
• Could help with tracking sources of problems both naïve and malicious
Next Steps
• In-Room Consensus Call
  • Is there consensus on current draft?
    • Yes?
    • No?
  • Should we revise clearly indicating that AS_PATH parts don’t have consensus?
    • Yes?
    • No?
• Working Group Last Call