BGP security: learning an old dog new tricks (posted 2007-03-21)

Warning: spoiler. Last week's episode (#74) of MythBusters showed that, in fact, old dogs can learn new tricks. That's a good thing, because securing inter-domain routing requires a whole bag of them. After lots of talk about S-BGP and soBGP over the past years, more recently, work in the IETF on making inter-domain routing more secure has shifted to a different approach. The relatively new secure inter-domain routing (sidr) working group is now working on providing a public key infrastructure that makes it possible to link an IP prefix to an origin AS with certificates. In the future, this mechanism may be used in S-BGP, soBGP or a similar mechanism, but in the mean time, it allows generating and validating filters. Although it's possible to choose arbitrary trust anchors, the idea is that IANA and the RIRs will serve as certificate authorities as they are the ones giving out the address space and AS numbers. Although the basic idea is simple enough, I'm slightly worried about how this is going to work in practice, because the underlying mechanisms are very complex, and not something "BGP people" are likely to be familiar with. Have a look at the sidr page on the IETF website and the links to the current drafts to get an idea. A good one to start with is draft-ietf-sidr-arch-00.txt or "An Infrastructure to Support Secure Internet Routing". (Link to the latest version.)