Re: Autonomous System Sanity Protocol

Tony Li <tli@jnx.com> Sun, 27 April 1997 02:05 UTC

Received: from cnri by ietf.org id aa03875; 26 Apr 97 22:05 EDT
Received: from murtoa.cs.mu.OZ.AU by CNRI.Reston.VA.US id aa18433; 26 Apr 97 22:05 EDT
Received: from mailing-list by murtoa.cs.mu.OZ.AU (8.6.9/1.0) id LAA10277; Sun, 27 Apr 1997 11:57:53 +1000
Received: from munnari.OZ.AU by murtoa.cs.mu.OZ.AU (8.6.9/1.0) with SMTP id LAA10248; Sun, 27 Apr 1997 11:54:35 +1000
Received: from red.jnx.com by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56) id BA13086; Sun, 27 Apr 1997 11:54:33 +1000 (from tli@jnx.com)
Received: from chimp.jnx.com (chimp.jnx.com [208.197.169.6]) by red.jnx.com (8.8.5/8.8.5) with ESMTP id SAA04667; Sat, 26 Apr 1997 18:54:31 -0700 (PDT)
Received: (from tli@localhost) by chimp.jnx.com (8.7.6/8.7.3) id SAA00750; Sat, 26 Apr 1997 18:54:19 -0700 (PDT)
To: RADIA PERLMAN <RADIA_PERLMAN@novell.com>
Cc: big-internet@munnari.oz.au
Subject: Re: Autonomous System Sanity Protocol
References: <s36208f0.063@novell.com>
From: Tony Li <tli@jnx.com>
Date: 26 Apr 1997 18:54:18 -0700
In-Reply-To: RADIA_PERLMAN@novell.com's message of 26 Apr 97 17:52:53 GMT
Message-Id: <82u3kt6xit.fsf@chimp.jnx.com>
Lines: 23
X-Mailer: Gnus v5.3/Emacs 19.34
Precedence: bulk

RADIA_PERLMAN@novell.com (RADIA PERLMAN) writes:

> BGP is actually somewhat like a link state protocol, in that the entire
> path is given. If each router signs its path to D, then when router R
> chooses among the routes given by each of its neighbors, it chooses one,
> and can preserve that neighbor's signature, and then add its own. So
> there would be a signature for each BGP-hop. I don't think that solves
> too much, though, since the problem is a legitimate router being
> misconfigured rather than having malicious people inject messages.

Exactly so.  What's truly needed is a delegation of authority to advertise
prefixes.  We'd also need a means of verifying that authority.  What Radia
describes is sufficient to guarantee that the path advertised matches
reality, which is necessary if we're out to secure the protocol against
liars and bad guys.  

However, if we assume that the basic protocol machinery is correct and are
out to protect us against ourselves, the delegation problem is the correct
one to solve.  Note that any practical solution probably requires some type
of key management solution already deployed.  One then needs to be able to
see a hierarchy of signed and trusted address space delegations.

Tony