Re: Autonomous System Sanity Protocol
Tony Li <tli@jnx.com> Sun, 27 April 1997 09:26 UTC
Received: from cnri by ietf.org id aa15522; 27 Apr 97 5:26 EDT
Received: from murtoa.cs.mu.OZ.AU by CNRI.Reston.VA.US id aa05529; 27 Apr 97 5:26 EDT
Received: from mailing-list by murtoa.cs.mu.OZ.AU (8.6.9/1.0) id TAA10862; Sun, 27 Apr 1997 19:16:41 +1000
Received: from munnari.OZ.AU by murtoa.cs.mu.OZ.AU (8.6.9/1.0) with SMTP id SAA10833; Sun, 27 Apr 1997 18:55:28 +1000
Received: from red.jnx.com by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56) id IA21093; Sun, 27 Apr 1997 18:55:27 +1000 (from tli@jnx.com)
Received: from chimp.jnx.com (chimp.jnx.com [208.197.169.6]) by red.jnx.com (8.8.5/8.8.5) with ESMTP id BAA21349; Sun, 27 Apr 1997 01:55:24 -0700 (PDT)
Received: (from tli@localhost) by chimp.jnx.com (8.7.6/8.7.3) id BAA01355; Sun, 27 Apr 1997 01:55:12 -0700 (PDT)
Date: Sun, 27 Apr 1997 01:55:12 -0700
Message-Id: <199704270855.BAA01355@chimp.jnx.com>
From: Tony Li <tli@jnx.com>
To: jnc@ginger.lcs.mit.edu
Cc: jnc@ginger.lcs.mit.edu, tli@jnx.com, big-internet@munnari.oz.au, jnc@ginger.lcs.mit.edu
In-Reply-To: <9704270527.AA22472@ginger.lcs.mit.edu> (jnc@ginger.lcs.mit.edu)
Subject: Re: Autonomous System Sanity Protocol
Precedence: bulk
However, the fundamental difference between *connectivity* information and *reachability* information comes into play - the latter is not useful to you *until* it has been processed (i.e. not just replicated) through someone else (i.e. path selection is *inherently* a distributed computation, in which you use someone else's partial computation results), whereas connectivity information is only used *without* being touched in any way be the people who pass it on - so there is no way any errors/malice on their part can mess it up. Either you have it as the source sent it - or you don't. True. However, let's recall the problem that we're trying to solve. We are _NOT_ trying to solve Radia's Byzantine failures. [Not that it's not a worthy and interesting problem in its own right. It's just not the failure at hand.] How you find out, authoritatively, the public key for X is definitely a hard one. Agreed. Unfortunately, that's a basic requirement for ANY of these schemes. I don't claim to know enough about security to solve that problem. But it isn't impossible - in fact (admittedly, without working out the details) in a top-down system, the same framework that works for DNS should work for addresses too, no? The architecture is believably the same. It's not clear that the mechanisms would suffice. Note that top-down or bottom-up assignment generally doesn't seem to make a difference as far as I can tell. It looks like the leaf has some address space and to authenticate that, you have to be able to walk delegations back to a well known root. > It can certainly prevent all unilateral bad information, > i.e. based on someone incorrectly configuring their routers (or > software/hardware bugs). How? Because routing data is never modified/updated/added-to on its way to you, merely copied. You can be *guaranteed* that what you get is what the original sender sent. So there's no way anyone between you and the source can mess the data up, right? Again, it's irrelevant to the problem at hand. You lack the delegation information. The other thing a single site, either confused/malicious, can try and do is inject bogus data (i.e. saying "I'm X and I'm connected to A, B, C ... <ad infinitum>"). But this doesn't work because the data will not match up - i.e. A is not also reporting that they are connected to X. So you can trivially filter that out. Again true. Again not relevant. it's trivial to inject bad information and have it propagate throughout the immediate map. Well, it would depend on the protocol design. If you can't have a link between X and Y unless each end reports connectivity to the other, you can't have unilateral announcements. (I don't know enough details of, e.g. OSPF to know if it would work to have only one end of a link announce it - anyone know?) You are correct: you cannot fake bilateral connectivity and unilateral connections should be ignored in the SPF. However, you can still trivially fake the prefixes in the LSA and then sign the LSA. Game over. Are you sure you understand the problem Noel? Let's take a clear example. This is the LSA for MIT: Hi, we're MIT, we have connectivity to BBN Planet, Harvard and Cerfnet. We have prefixes 18/8, 36.0/9 and 36.128/9. Signed, Jeff Schiller Now, you're correct, the connectivity information would show up as bogus because the other sides wouldn't claim connectivity. However, what authenticates the prefix assignments? Just because it appears to be correctly signed by Jeff, do you take it verbatim? I don't. That would subvert all of Stanford. [You may argue that this is a good thing. ;-)] For security, I want to see MIT is assigned 18/8. Signed, Jon Postel Until then, there's no protection. Tony
- Re: Autonomous System Sanity Protocol Bill Manning
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Per Gregers Bilse
- Re: Autonomous System Sanity Protocol Pedro Marques
- Re: Autonomous System Sanity Protocol Tony Li
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Michael Dillon
- Re: Autonomous System Sanity Protocol RADIA PERLMAN
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Tony Li
- Re: Autonomous System Sanity Protocol Jeremy Porter
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Valdis.Kletnieks
- Re: Autonomous System Sanity Protocol Andrew Partan
- Re: Autonomous System Sanity Protocol Tony Li
- Re: Autonomous System Sanity Protocol Jeff Young
- Re: Autonomous System Sanity Protocol Bill Manning
- Re: Autonomous System Sanity Protocol Tony Li
- Re: Autonomous System Sanity Protocol Donald E. Eastlake 3rd
- Re: Autonomous System Sanity Protocol Jon Crowcroft
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Donald E. Eastlake 3rd
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol Andrew Partan
- Re: Autonomous System Sanity Protocol Noel Chiappa
- Re: Autonomous System Sanity Protocol William Allen Simpson
- Re: Autonomous System Sanity Protocol William Allen Simpson
- Re: Autonomous System Sanity Protocol Tim Bass
- Re: Autonomous System Sanity Protocol Jon Crowcroft