More in IPsec and BGP

In the comments section, Roland Dobbins writes:
With regards to the CPU impact of IPSEC, it's important to realize that even larger routers in many cases don't process IPSEC (and the requisite GRE tunnels inside the IPSEC) in hardware, but rather in software on the main system route processor - and even on platforms which offer hardware IPSEC and GRE processing, this functionality requires additional modules or blades which a) increase platform cost and b) often occupy a slot which could be used to terminate customer circuits or for other, more directly revenue-generating functions. So, the operational impact of doing this is also prohibitive in many cases.

So, this is an issue about symmetric key processing rather than asymmetric. My understanding is that TCP-MD5 is also done in the route processor, so replacing TCP-MD5 with IPsec should be more or less a wash, modulo the key management, which, as I argue, is a small cost.

One other comment - advocates of encryption for BGP (or any of the various IGPs, for that matter) haven't really made a clear case as to what the actual benefits of doing so really are. After all, if a miscreant is in a position to listen to (and perhaps alter or inject) routing-protocol announcements in the first place, the network operator has bigger problems which simply encrypting the routing-protocol sessions won't address.

I mostly agree with this: BGP information isn't really that sensitive in a confidentiality sense. I was assuming IPsec with an integrity-only mode such as ESP-NULL or AH. That's why I expect the cost to be commensurate with TCP-MD5.

1 Comments

I think that it is clear that IPSEC is a sensible replacement for the TCP-MD5 hack and that the costs of doing PKI are completely overblown. My WiFi box seems happy doing a rekey every 3600 secs.

Sure there is real pain in rekey when you use a Checkpoint VPN, that's the fault of the noobs who did their UI design, not the protocol.

Looking at the Cisco router O/S it is clear that there is some processing welly in the boxes somewhere, plenty enough to do an RSA rekey during the startup process. It might delay the machine coming up by a fraction of a second worst case.

What is less clear to me is that this actually does anything to address the real security issues of BGP such as spoofed routes being injected from hijacked routers.
