
RE: [RRG] Renumbering... ACLs etc.




Hi Iljitsch, 


|> To date, folks have claimed that the return routability of the address was
|> 'enough' security.  However, that depends on routing being secure.  I hope
|> the folks in this group are aware of the reality in that regard.
|
|Security is in the eye of the beholder.


Indeed.  Understanding the state of BGP security is necessary and sufficient
to understand the level of security being offered by the return routability
check.

|In other words: in a loc/id solution you lose the return routability  
|check on the identifiers so new security mechanisms are needed that  
|are at least as strong as the (fairly weak) return routability check.  
|These need to be easier to work with and more efficient than IPsec,  
|though.


More precisely: in a loc/id solution, just filtering on the id is
insufficient.  One can emulate the previous (insecure) semantics by
filtering on the (loc, id) tuple.  

If folks feel that IPsec is unwieldy, then they're free to propose something
else.  Obviously, that's a bit out of our scope.

Tony


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg