[ih] Exterior Gateway Protocol

tony.li at tony.li tony.li at tony.li
Fri Sep 4 08:29:58 PDT 2020


>> Most of the symptoms that you cite are all a result of the lack of a workable security architecture. A problem that pervades the entire stack, even to this day.
> 
> Were it not for the TCP-to-BGP path correlation, BGP security could be completely supported elsewhere, e.g., by signing the individual routes. Even if there were a deployable solution to those signatures, TCP connection vulnerability still requires MD5, AO, or IPsec — or an override in the config to NOT correlate TCP sustainability with path viability.


Sorry, but that’s provably incorrect. As we’ve seen with other protocols, the transport mechanism must be secured as well, not just the contents. We have authentication in OSPF hellos and IS-IS IIHs for this reason.

Tony



