BGPsec and Reality

23 October 2017 |

From time to time, someone publishes a new blog post lauding the wonderfulness of BGPsec, such as this one over at the Internet Society. In return, I sometimes feel like I am a broken record discussing the problems with the basic idea of BGPsec—while it can solve some problems, it creates a lot of new…

On the ‘net: BGP Security, LACNOG 26

29 November 2016 | Comments Off on On the ‘net: BGP Security, LACNOG 26

BGP security: where we are now, where we are going, as presented at LACNOG 26 in November of 2016.

Securing BGP: A Case Study

13 May 2016 | Comments Off on Securing BGP: A Case Study

What would it take to secure BGP? Let’s begin where any engineering problem should begin: what problem are we trying to solve? This series of posts walks through a wide range of technical and business problems to create a solid set of requirements against which to measure proposed solutions for securing BGP in the global…

Securing BGP: A Case Study (10)

9 May 2016 |

The next proposed (and actually already partially operational) system on our list is the Router Public Key Infrastructure (RPKI) system, which is described in RFC7115 (and a host of additional drafts and RFCs). The RPKI systems is focused on solving a single solution: validating that the originating AS is authorized to originate a particular prefix.…

Securing BGP: A Case Study (9)

2 May 2016 | Comments Off on Securing BGP: A Case Study (9)

There are a number of systems that have been proposed to validate (or secure) the path in BGP. To finish off this series on BGP as a case study, I only want to look at three of them. At some point in the future, I will probably write a couple of posts on what actually…

Securing BGP: A Case Study (8)

25 April 2016 |

Throughout the last several months, I’ve been building a set of posts examining securing BGP as a sort of case study around protocol and/or system design. The point of this series of posts isn’t to find a way to secure BGP specifically, but rather to look at the kinds of problems we need to think…

Securing BGP: A Case Study (7)

18 April 2016 | Comments Off on Securing BGP: A Case Study (7)

In the last post on this series on securing BGP, I considered a couple of extra questions around business problems that relate to BGP. This time, I want to consider the problem of convergence speed in light of any sort of BGP security system. The next post (to provide something of a road map) should…

Securing BGP: A Case Study (6)

4 April 2016 | Comments Off on Securing BGP: A Case Study (6)

In my last post on securing BGP, I said— Here I’m going to discuss the problem of a centralized versus distributed database to carry the information needed to secure BGP. There are actually, again, two elements to this problem—a set of pure technical issues, and a set of more business related problems. The technical problems…

Rethinking BGP path validation (part 2)

24 March 2016 | Comments Off on Rethinking BGP path validation (part 2)

This is the second post in the two part series on BGP path validation over on the LinkedIn Engineering blog. We left off last time after having described the eight operational requirements that must be met for any system that reduces our reliance on transitive trust in relation to the AS Path. As a reminder,…

Securing BGP: A Case Study (5)

18 March 2016 | Comments Off on Securing BGP: A Case Study (5)

BGP provides reachability for the global ‘net, as well as being used in many private networks. As a system, BGP (ultimately) isn’t very secure. But how do we go about securing BGP? This series investigates the questions, constraints, and solutions any proposal to secure BGP must deal with as a case study of asking the…