North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: YouTube IP Hijacking

  • From: Scott Francis
  • Date: Mon Feb 25 06:57:22 2008
  • Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=ED6pTm4T2CmxJ91PTRAos+VfyFgleQ1wDqgH3VNX7tc=; b=ErUKV/d4z30mCe11Oo9LpTcFFpVNut2nHVDuYLLSksO1z0bvhMwdR3iyd6chANUQthzgCIX0KsKFavK3RxhBbBHJljZ3Psszqkxtn26KQok0bd1pPlS8VpOf4CQho1YKoCcC8bRXHamsh7uz7kfCl3pEeGlAyzUMONter/dKCR0=
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=F4bQEKO4Re60VFA7omBp2S4JF+84LBu3m24tkX/fAVdltIU8522j5xHxrgSYTwJCUJCxdn8wV1A8RuEl1z8b2NM9RcqVyXuOsMG57DjRPsGUqQ4BH5iHVDtf/7nFnRdgY90S/zwC1Dxm4SZEjSCfWF84+UDbIS3W5kYsmZNhMe0=

On Sun, Feb 24, 2008 at 10:49 PM, Sean Donelan <sean@xxxxxxxxxxx> wrote:
>  On Mon, 25 Feb 2008, Steven M. Bellovin wrote:
>  > How about state-of-the-art routing security?
>  The problem is what is the actual trust model?
>  Are you trusting some authority to not be malicious or never make a
>  mistake?
>  There are several answers to the malicious problem.
>  There are fewer answers to never making a mistake problem.

+5, Insightful.

The focus thus far seems to have been on establishing security on the
basis of trusted senders (SPF for BGP, if you'll pardon my rather
crude analogy). The impact of a mistake-based failure in a trusted
scenario could actually be quite a bit higher than what we've seen
thus far:

1) if data (e.g. routes) from a "trusted" source is allowed into a
network (or used as a basis for decision-making) with minimal
screening, attackers will immediately shift focus to spoofing trusted
sources, just as they currently do in other scenarios;

2) the impact of a typo or other operator error when operating in
"trusted mode" is much higher than that of mistakes from non-trusted
sources (if 17557's upstream had trusted a little less - by not
automatically propagating any new routes that showed up at the front
door - the current incident could very well have amounted to little
more than a log entry somewhere, and perhaps an email).

 I think what you and Steve Bellovin had to say about anti-mistake
protocol and belt-and-suspenders should be garnering at least as much
consideration as prevention of malicious attacks/forgeries/etc.,
considering the percentage of outages caused by operator error vs
those caused by malice ...
darkuncle@{,} || 0x5537F527 for public key