Re: [GROW] I-D Action: draft-ietf-grow-simple-leak-attack-bgpsec-no-help-03.txt
Nick Hilliard <nick@inex.ie> Sun, 24 November 2013 22:45 UTC
Return-Path: <nick@inex.ie>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0EC21AE383 for <grow@ietfa.amsl.com>; Sun, 24 Nov 2013 14:45:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z2_zdv48z1NE for <grow@ietfa.amsl.com>; Sun, 24 Nov 2013 14:45:05 -0800 (PST)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) by ietfa.amsl.com (Postfix) with ESMTP id 9F8F41AE2DC for <grow@ietf.org>; Sun, 24 Nov 2013 14:45:03 -0800 (PST)
X-Envelope-To: <grow@ietf.org>
Received: from cupcake.foobar.org ([IPv6:2001:4d68:2002:100::126]) (authenticated bits=0) by mail.netability.ie (8.14.7/8.14.5) with ESMTP id rAOMirKG061888 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <grow@ietf.org>; Sun, 24 Nov 2013 22:44:53 GMT (envelope-from nick@inex.ie)
X-Authentication-Warning: cheesecake.netability.ie: Host [IPv6:2001:4d68:2002:100::126] claimed to be cupcake.foobar.org
Message-ID: <52928164.7030906@inex.ie>
Date: Sun, 24 Nov 2013 22:44:52 +0000
From: Nick Hilliard <nick@inex.ie>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: grow@ietf.org
References: <20131118230146.22016.28407.idtracker@ietfa.amsl.com> <77143901-5DA3-4937-8162-509B62A61594@apnic.net> <CAL9jLabPjvXaAUaSEyQXdFvSDPZ_bJX4rjGxOGd0BqYhQcQYdg@mail.gmail.com> <FDFB46E9-ECD0-4CFF-A846-2E6FE9F8C9D7@apnic.net>
In-Reply-To: <FDFB46E9-ECD0-4CFF-A846-2E6FE9F8C9D7@apnic.net>
X-Enigmail-Version: 1.6
X-Company-Info-1: Internet Neutral Exchange Association Limited. Registered in Ireland No. 253804
X-Company-Info-2: Registered Offices: 1-2, Marino Mart, Fairview, Dublin 3
X-Company-Info-3: Internet Neutral Exchange Association Limited is limited by guarantee
X-Company-Info-4: Offices: 4027 Kingswood Road, Citywest, Dublin 24.
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [GROW] I-D Action: draft-ietf-grow-simple-leak-attack-bgpsec-no-help-03.txt
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Nov 2013 22:45:07 -0000
On 22/11/2013 09:47, Geoff Huston wrote: > so we get back to RPSL. I wouldn't look to RPSL as being the solution to a whole lot. > But I am still wondering:... > > Why are we using GROW to host this discussion? because the WG has got a nice operator-friendly feel to the name and there is no other document in the accumulated tomes of ietf lore which explicitly states that prefix origin validation in its current form is operationally limited in scope and that if there are organisations out there who feel that they'll get a kwik-fix sticky plaster solution for their routing security concerns by turning on rpki, they need to think again. It's probably not a bad idea to have a document like this although I'm not much interested in the politics of whether it belongs in grow or even the ietf. > And if we are ready to reopen this consideration of requirements for > securing the operation of BGP, just how much of this are we willing to > re-consider? Is it all the way back to RPSL and RPSS? draft-ietf-sidr-bgpsec-reqs is a good start. Re: your comparison with dnssec, the latter has the interesting property that it is fully hierarchical with a single root and therefore the object relationship model is relatively easy to handle - particularly when attempting to retrofit it with a hierarchical trust model. With bgp we have a highly fluid peer to peer relationship mechanism which rpsl attempted to document, and here we are trying to determine whether a top-down hierarchical pki could form part of a trust mechanism to determine the validity of prefixes and paths so that we dumb operators can reach the holy grail of being able to believe what we see when we type "show bgp blah". RPKI can work for prefix origin validation because prefixes are assigned hierarchically. AS paths - transit and peering relationships - are not assigned hierarchically, so there seems little reason to think that a hierarchical trust model would be the most appropriate mechanism to use for securing this. Or am I being naive here? Nick
- [GROW] I-D Action: draft-ietf-grow-simple-leak-at… internet-drafts
- [GROW] I-D Action: draft-ietf-grow-simple-leak-at… Geoff Huston
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Christopher Morrow
- [GROW] I-D Action: draft-ietf-grow-simple-leak-at… Geoff Huston
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Geoff Huston
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Christopher Morrow
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Smith, Donald
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Christopher Morrow
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Geoff Huston
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Jakob Heitz
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Geoff Huston
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Jakob Heitz
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Christopher Morrow
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Christopher Morrow
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Geoff Huston
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Geoff Huston
- Re: [GROW] [sidr] I-D Action: draft-ietf-grow-sim… Randy Bush
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Nick Hilliard
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Christopher Morrow
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Geoff Huston
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Russ White
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Danny McPherson
- Re: [GROW] I-D Action: draft-ietf-grow-simple-lea… Jared Mauch