We've been talking about this for a little while now. It looks like the babeld folks have been considering it as well: ---------- Forwarded message ---------- From: Dave Taht <dave.taht(a)gmail.com> Date: Tue, Apr 7, 2015 at 7:25 AM Subject: [Babel-users] securing default routes and source specific gateways To: Juliusz Chroboczek <jch(a)pps.univ-paris-diderot.fr> Cc: babel-users <babel-users(a)lists.alioth.debian.org> On Tue, Apr 7, 2015 at 3:32 AM, Juliusz Chroboczek <jch(a)pps.univ-paris-diderot.fr> wrote: Well, that died, mutated, came back to life, died again, and I dont know what is going on today but so far as I know it STILL involves a lot of phone calls and teeth gnashing when china re-routes the internet. I think resolving the question whilst babel is still at a relatively small scale would be good, before people start deploying it on citywide networks. The context of the question comes from this part of a post to the working-group-that-shall-not-be-named that apparently flew over everyone´s head in the other sturm und drang[1]: "Security has two meanings here, one of which is not useful, one that may be. The "lets encrypt and authenticate everything" part is not terribly useful (particularly in a world that still has arp and ra). I see no reason for e2e encryption here, do see so a small one for authentication, but am not sure it needs to be e2e. A part that *usefully* allowed a network to allow a mixture of authenticated nodes (injecting default routes), while retaining un-authenticated routing for other nodes would be nice. I only briefly deployed the HMAC auth, but as the quagga version fell too far behind the mainline, did not gain enough operational experience with it to have a feel for it. I look forward to seeing it in babeld-1.7. ... somewhat related ... I have a smallish bcp38-ish like document for some best current practices (like filtering out local announcements of non-rfc1918 addresses, filtering out route announcements for the hip 1.0.0.0/24, 2001:10::/28, and advice to not announce local-only vpn routes) which I could maybe finish by Prague. (On the other hand I think it is easier read if on a wiki.) ... But it is the prospect of someone with a laptop announcing the lowest metric possible default route is through them and out via 3G that is the biggest hole in the "security" of not just babel, but all non-authenticated routing protocols (targeted at the home. at least. So far as I know there are a lot of insecured routing protocol *deployments* in general. Someone feel free to correct me)." Now, I like that a malicious (or misconfigured) droid can only damage the nearest couple hops in the case of sending a default route but I imagine everyone here has misconfigured a router to announce a default route, only to suck a goodly portion of their network through a non-working [2] device. Having some means to indicate that a default route (in particular) is honestly such, would lead to a network where a mixture of secured and insecured devices could exist (think guifi), where individual exit node owners could publish their willingness to share their source specific gateway with other exit node operators, and so on. [1] Incidentally I did not know the true meaning of the origin of this phrase before looking it up just now, I had just thought it meant "conflict". It does seem appropo in context of the working-group-that-shall-not-be-named. [2] Probably my biggest failover problem is that links to cable modems stay up, even when the cable modem is down. I need to beat on babel-pinger harder. -- Dave Täht We CAN make better hardware, ourselves, beat bufferbloat, and take back control of the edge of the internet! If we work together, on making it: https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hard… _______________________________________________ Babel-users mailing list Babel-users(a)lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users