It seemed like there would be little appetite for discussing next steps in routing infrastructure authentication and verification after the DDoS attack on Dyn (October 2016), when it became clear that large-scale attacks are feasible without spoofing IP addresses, hijacking prefixes, or otherwise falsifying Internet infrastructure numbers and routing. It was already a tough sell to get operators to consider incremental (let alone architectural) updates to do origin authentication and some manner of routing announcement verification. The Dyn attack presented a clear and present danger that would not be addressed by such updates, so why bother with them?
Last Wednesday, in the hallways of the NANOG 68 meetings in Dallas, I started asking a question that goes to the heart of prioritizing work to improve Internet security; on Friday, with the DDoS attack on Dyn’s infrastructure, we got some searing insight into why it is quite possibly an urgent question.
Trust is in the eye of the beholder – but it has to be based on something. In different contexts, crypto may be more relevant than heuristics, and vice versa. Traditionally, in Internetworking, business relationships have had a big role in determining whether or not to trust information being offered by another party, whether for routing information or for other network operations.