Secure BGP

One of the decades-long grudges most people have with BGP is that it's so easy to insert bogus routing information into the Internet if your upstream ISP happens to be a careless idiot (as Google discovered when Pakistan decided to use blackhole routing for YouTube and the routes leaked). There are two potential solutions that use X.509 certificates to authenticate BGP information: Secure BGP (which carries its data in optional transitive attributes) authenticates the originator as well as the whole AS path, with every AS on the path signing using its own certificate, while the significantly simpler Secure Origin BGP (which uses new BGP messages) authenticates only the originator of the routing information.
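To make the difference between the two approaches concrete, here is an added toy model (not code from the original post or from either project): a verifying router checks an announcement under origin-only validation (the soBGP idea) and under hop-by-hop path validation (the Secure BGP idea). A per-AS HMAC secret stands in for the private key behind each AS's X.509 certificate; the real protocols use asymmetric signatures and certificate chains, and the prefix, AS numbers and message layouts below are constructed for the example. The three scenarios show what each scheme catches: an unauthorised origin is rejected by both, but a replayed genuine origin attestation glued onto a forged AS path passes origin-only validation and is caught only when every hop has to be signed.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed data: a documentation prefix and private-use AS numbers.
PREFIX = "203.0.113.0/24"

# Toy model: each AS's secret stands in for the private key behind its
# certificate, and the verifier knowing AS_SECRETS models trusting the
# certificate hierarchy. Real S-BGP/soBGP use asymmetric signatures.
AS_SECRETS: Dict[int, bytes] = {
    64500: b"origin-as-secret",
    64501: b"transit-a-secret",
    64502: b"validator-as-secret",
    64503: b"rogue-as-secret",
}

# What the origin certificates say: which AS may originate which prefix.
AUTHORISED_ORIGIN: Dict[str, int] = {PREFIX: 64500}

OriginAttestation = Tuple[str, int, str]   # (prefix, origin AS, signature)
HopSignature = Tuple[int, int, str]        # (signing AS, next AS, signature)


def _sign(asn: int, message: str) -> str:
    return hmac.new(AS_SECRETS[asn], message.encode(), hashlib.sha256).hexdigest()


def _origin_msg(prefix: str, origin_as: int) -> str:
    return f"origin|{prefix}|{origin_as}"


def _hop_msg(prefix: str, path_so_far: List[int], next_as: int) -> str:
    return f"path|{prefix}|{path_so_far}|{next_as}"


def origin_attestation(prefix: str, origin_as: int) -> OriginAttestation:
    """soBGP-style: only the originating AS signs (prefix, origin AS)."""
    return (prefix, origin_as, _sign(origin_as, _origin_msg(prefix, origin_as)))


def validate_origin(att: OriginAttestation) -> bool:
    """Accept only if the signer is the AS authorised to originate the prefix."""
    prefix, origin_as, sig = att
    if AUTHORISED_ORIGIN.get(prefix) != origin_as:
        return False
    return hmac.compare_digest(sig, _sign(origin_as, _origin_msg(prefix, origin_as)))


def path_attestation(prefix: str, path: List[int]) -> List[HopSignature]:
    """S-BGP-style: the path is listed origin first and ends with the
    validating AS; every AS signs the path it received plus the AS it
    forwards the route to, so no hop can be inserted without its key."""
    sigs: List[HopSignature] = []
    for i in range(len(path) - 1):
        asn, next_as = path[i], path[i + 1]
        sigs.append((asn, next_as, _sign(asn, _hop_msg(prefix, path[: i + 1], next_as))))
    return sigs


def validate_path(prefix: str, path: List[int], sigs: List[HopSignature]) -> bool:
    """Check the origin authorisation, then every hop signature in order."""
    if AUTHORISED_ORIGIN.get(prefix) != path[0]:
        return False
    if len(sigs) != len(path) - 1:
        return False
    for i, (asn, next_as, sig) in enumerate(sigs):
        if asn != path[i] or next_as != path[i + 1]:
            return False
        expected = _sign(asn, _hop_msg(prefix, path[: i + 1], next_as))
        if not hmac.compare_digest(sig, expected):
            return False
    return True


def check(path: List[int], origin_att: OriginAttestation,
          sigs: List[HopSignature]) -> Dict[str, bool]:
    """What a router in the last AS of `path` concludes under each scheme."""
    return {"origin_valid": validate_origin(origin_att),
            "path_valid": validate_path(PREFIX, path, sigs)}


def scenario_legitimate() -> Dict[str, bool]:
    path = [64500, 64501, 64502]  # origin -> transit -> validating AS
    return check(path, origin_attestation(PREFIX, 64500), path_attestation(PREFIX, path))


def scenario_wrong_origin() -> Dict[str, bool]:
    # Constructed scenario: AS 64503 announces the prefix as if it owned it.
    path = [64503, 64502]
    return check(path, origin_attestation(PREFIX, 64503), path_attestation(PREFIX, path))


def scenario_forged_path() -> Dict[str, bool]:
    # Constructed scenario: AS 64503 replays the genuine origin attestation and
    # claims AS 64500 handed it the route, but cannot produce 64500's hop
    # signature, so that slot holds garbage; only its own hop is really signed.
    path = [64500, 64503, 64502]
    genuine = origin_attestation(PREFIX, 64500)
    sigs = [(64500, 64503, "00" * 32),
            (64503, 64502, _sign(64503, _hop_msg(PREFIX, [64500, 64503], 64502)))]
    return check(path, genuine, sigs)


if __name__ == "__main__":
    for name, fn in [("legitimate", scenario_legitimate),
                     ("wrong origin", scenario_wrong_origin),
                     ("forged path", scenario_forged_path)]:
        print(f"{name:13s} {fn()}")
```

The forged-path case is the one that separates the two designs: origin validation is satisfied because the origin attestation really was produced by the authorised AS, and only checking the chain of hop signatures reveals that AS 64500 never passed the route to AS 64503.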

However, even though the Secure BGP project got DARPA funding and some of the required tools and proof-of-concept router code were demonstrated, the interest amongst the Service Providers was nonexistent. To understand this sad fact, consider the two questions Yakov Rekhter asked in his Google Tech Talk (around 39:00): who is going to bear the cost, and who is going to benefit?

The only Internet participants benefiting from Secure BGP would be the content providers, while the majority of the cost would fall on the ISPs all around the world. No wonder they were not interested.

1 comment:

  1. Dmitri Kalintsev, 13 March, 2010 04:07

    I'm with Yakov on this one - it ain't gonna happen.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.