
The Web of Trust isn't better, it's just better than nothing

Posted Feb 22, 2010 15:36 UTC (Mon) by micah (subscriber, #20908)
In reply to: The Web of Trust isn't better, it's just better than nothing by nix
Parent article: Trust, but verify

>(But! oh no! you're trusting everyone's BGP announcements as well! And
> they're really easy to spoof...)

Not if you are using authentication (typically MD5-based) and ACLs, or S-BGP. If you are accepting BGP advertisements from anyone, you are asking for it. You should only accept routing updates from trusted peers, peers that you have identified as ones that you should be receiving announcements from.

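The session-level authentication the comment above refers to is the TCP MD5 signature option of RFC 2385: every segment on the BGP session carries a digest over the TCP pseudo-header, the fixed TCP header, the segment data and a shared key, and a receiver drops any segment whose digest does not match. The following is an added example, not code from the LWN thread or from any router or BGP implementation; it implements that digest and the "only configured peers" admission check in plain Python. The peer addresses, the shared key, the local address and the sample KEEPALIVE payload are all constructed for illustration.

```python
# Added example (not from the LWN thread or any router vendor's code):
# RFC 2385 TCP MD5 signature option, as used to authenticate BGP sessions,
# plus a per-peer admission check. Addresses, keys and payload are constructed.
import hashlib
import hmac
import socket
import struct

TCP_OPT_MD5 = 19          # TCP option kind assigned by RFC 2385
TCP_OPT_MD5_LEN = 18      # kind(1) + length(1) + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest over: pseudo-header, the 20-byte TCP header with the
    checksum zeroed (options excluded), the segment data, then the key.
    `tcp_header` may carry options; they count toward the pseudo-header's
    segment length but are not fed into the hash."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"        # checksum field assumed zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Build a TCP segment carrying an RFC 2385 option signed with `key`."""
    flags = 0x18                       # PSH|ACK on an established session
    opt_len = TCP_OPT_MD5_LEN + (-TCP_OPT_MD5_LEN % 4)   # 18 padded to 20
    doff = 5 + opt_len // 4            # data offset in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         doff << 4, flags, 65535, 0, 0)
    unsigned = header + bytes(opt_len)  # option bytes are zero until signed
    digest = tcp_md5_digest(src_ip, dst_ip, unsigned, payload, key)
    option = bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest
    option += b"\x00" * (opt_len - len(option))   # end-of-option-list padding
    return header + option + payload


def extract_md5_option(segment):
    """Return the 16-byte digest from the TCP options, or None if absent."""
    doff = (segment[12] >> 4) * 4
    opts = segment[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                # malformed option length
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """True iff the segment carries a digest that matches `key`."""
    received = extract_md5_option(segment)
    if received is None:
        return False                   # unsigned segment on a protected session
    doff = (segment[12] >> 4) * 4
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:doff], segment[doff:], key)
    return hmac.compare_digest(received, expected)


# Constructed peer table: the only sessions this speaker accepts updates on.
PEERS = {"192.0.2.1": b"example-shared-secret"}
LOCAL_IP = "192.0.2.2"


def accept_update(peer_ip, segment):
    """Admit a BGP segment only from a configured peer with a valid signature.
    Returns (accepted, reason)."""
    key = PEERS.get(peer_ip)
    if key is None:
        return False, "not a configured peer"
    if not verify_segment(peer_ip, LOCAL_IP, segment, key):
        return False, "bad or missing TCP MD5 signature"
    return True, "ok"


# Constructed 19-byte BGP KEEPALIVE: 16 marker bytes of 0xff, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def demo():
    good = build_segment("192.0.2.1", LOCAL_IP, 179, 40000, 1000, 2000,
                         KEEPALIVE, PEERS["192.0.2.1"])
    forged = build_segment("192.0.2.1", LOCAL_IP, 179, 40000, 1000, 2000,
                           KEEPALIVE, b"attacker-guess")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # flip one payload bit
    return {
        "good": accept_update("192.0.2.1", good),
        "wrong_key": accept_update("192.0.2.1", forged),
        "tampered": accept_update("192.0.2.1", tampered),
        "unknown_peer": accept_update("198.51.100.9", good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

Two things worth noting about this mechanism. The digest is a keyed hash of a segment the receiver already holds, so an attacker has to guess the key rather than find a collision; the known MD5 collision attacks do not directly translate into forged segments. And the check only authenticates the transport: a segment from a configured peer with the right key is admitted whatever routes it carries, which is why prefix filtering and a path-validation scheme such as S-BGP are needed on top of it. RFC 5925 (TCP-AO) later replaced this option with stronger MACs and key rollover.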

The Web of Trust isn't better, it's just better than nothing

Posted Feb 22, 2010 17:39 UTC (Mon) by nix (subscriber, #2304) [Link]

I'm assuming that you shouldn't really trust MD5-based BGP auth these
days, either. MD5 is quite broken these days (although perhaps not broken
enough to be able to forge BGP announcements with).

The Web of Trust isn't better, it's just better than nothing

Posted Feb 22, 2010 19:30 UTC (Mon) by paulj (subscriber, #341) [Link]

Attacks on BGP at a session level (e.g. breaking MD5 to sneak in bogus
packets) are not really the main worry when BGP systemically assumes that
speakers are trusted. There are various ways you can subvert routing,
including some quite ingenious, stealthy re-routing techniques described in
the last few years at blackhat conferences.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds