Re: Autonomous System Sanity Protocol

[Noel Chiappa <jnc@ginger.lcs.mit.edu>]

    From: Tony Li <tli@jnx.com>

    > If each router signs its path to D, then when router R chooses among
    > the routes given by each of its neighbors, it chooses one, and can
    > preserve that neighbor's signature, and then add its own.

    What's truly needed is a delegation of authority to advertise prefixes.

Yes. (But see my message about how that's more efficient, in practise, in
an MD system! :-)

    What Radia describes is sufficient to guarantee that the path advertised
    matches reality, which is necessary if we're out to secure the protocol
    against liars and bad guys.

Uhh, not quite. As I pointed out in a previous message, there's nothing to
stop someone taking the path X->Y->Z, signed at each stage, and stripping off
some elements and sending out what looks like a perfectly legitimate X->P.

However, I think I have come up with a way of signing routes to prevent
stripping by downstream sites, but I want to run it by some security whizzes
before I say more.

(Of course, to the extent that P can open a direct TCP connection to X, and
get it's database, this is a way of avoiding that. A fix would be to modify
BGP so it will only give signed routes to routers to which it has a direct
connection - and do so in a way which *includes* the next-hop router in the
signed route the NHR gets, to prevent the NHR collaborating with someone
else to give them a partial route.)

But this is all just intellectual fun - fixing any DV system is a waste of
time, I think.


	Noel