Re: [GROW] WGLC: draft-ietf-grow-simple-leak-attack-bgpsec-no-help
Christopher Morrow <christopher.morrow@gmail.com> Tue, 20 May 2014 21:42 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13F161A02BC for <grow@ietfa.amsl.com>; Tue, 20 May 2014 14:42:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZSI9kL336Xmr for <grow@ietfa.amsl.com>; Tue, 20 May 2014 14:42:12 -0700 (PDT)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E7101A03AB for <grow@ietf.org>; Tue, 20 May 2014 14:42:12 -0700 (PDT)
Received: by mail-lb0-f181.google.com with SMTP id q8so906670lbi.12 for <grow@ietf.org>; Tue, 20 May 2014 14:42:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=EiH0SJDgQPQ/uCD9QyEg59FBbjWOt2wE4iYqRBovFn8=; b=gc3C2Mq4IVAMicVKDo1u/wGNnm+IItmbaOOtc5G6wFoT6CuFYJdyrYa+YxjmY3tOE5 Yzm9GUnsLoVrdjEiJ7WA3HFvQ6FoBMzFhehnipbq3MC62PkS/WhaIJ2Myo0s4OCDR3Z5 cOMwk14Of9q14pPQENlPBYyaA5rBNoj0h1A+izfFhlKEejG/9ICr/uvmHXqUWxKECxX0 VWKGlZ8OWOOjTi0itQjTqq+2Hh/FdjDzHNBAHfQp2jwkAkD6iQlzWXpWljIRrNyPxkN6 0DrHmbzSUYiBztNZInHalOIaywzk/6fiXq94Fd3Eiy7IoOr8QDvTv6TbA7v0c4/vOGz3 PtIA==
MIME-Version: 1.0
X-Received: by 10.152.234.229 with SMTP id uh5mr4504691lac.56.1400622130292; Tue, 20 May 2014 14:42:10 -0700 (PDT)
Received: by 10.153.5.161 with HTTP; Tue, 20 May 2014 14:42:10 -0700 (PDT)
In-Reply-To: <537B2375.7080408@inex.ie>
References: <CAL9jLabRKA2gezfRdzND1TSYMJO+a_4mVV+M302cLBFTUwYmTQ@mail.gmail.com> <CF96AEDB.1B684%wesley.george@twcable.com> <CAL9jLaZ9J52Dt5n1Wk2KYTqwzmefGxvq-bRcfMfhWBNwf_6ZGg@mail.gmail.com> <EFD759C6-6F35-4397-A27E-BF1E650663BC@tislabs.com> <34076248-B77A-418F-9ED2-E5A607D39B51@tcb.net> <CD783686-9D5B-4D0B-92CC-3D4ACF1A6D07@puck.nether.net> <537B2375.7080408@inex.ie>
Date: Tue, 20 May 2014 17:42:10 -0400
Message-ID: <CAL9jLabsRFg9+W-oemKh4=fSHaFfekqJeMmHiyr1gsVRO-wNig@mail.gmail.com>
From: Christopher Morrow <christopher.morrow@gmail.com>
To: Nick Hilliard <nick@inex.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/grow/yE9zsa-6JRbC8Z6HBKkPT_KtcY0
Cc: "grow@ietf.org grow@ietf.org" <grow@ietf.org>
Subject: Re: [GROW] WGLC: draft-ietf-grow-simple-leak-attack-bgpsec-no-help
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 21:42:15 -0000
On Tue, May 20, 2014 at 5:42 AM, Nick Hilliard <nick@inex.ie> wrote: > On 20/05/2014 02:11, Jared Mauch wrote: >> Is there a need for this to be explicitly documented within the IETF? I >> certainly agree there is a problem, but this feels like operational >> guidance or perhaps a BCP or similar document? (eg: Filter your peer >> ASNs from your other peers). > > Well-maintained prefix / asn filters work well up to a certain size, but no > further. Poorly maintained filters break connectivity in ways which > surprise and amaze. Operationally there is an intersection of operator > clue, network size and peer network size where prefix filters can work > really well, but thar be dragons outside that intersection. one point of the draft (perhaps not the point people are hoping for) is that 'bgpsec + rpki do not stop valley-free breakage'. I don't know that this was ever a goal for bgpsec/rpki though. One goal which I think people (me too) were hoping for with a draft in GROW was: "Define what a route leak is" followed by: "Tell me if this is a problem for operations of networks" I think 'is this a problem" is fairly well coverved by: o increased latency (unplanned long paths) o increased loss (paths not properly sized/planned/capacity-ready) There MAY be MiTM problems, but one argument is that there are whenever a packet crosses out of your administrative control. I don't know that the hyperbolic argument (everything is a mitm chance!) is helpful here, so I'd skip that. I would say that there are certainly cases where a well planned leak can cause traffic inspection to be possible (and MiTM) where the network operators were previously unaware of such hazards. The draft with it's current goal, I think, is easily summed up by: "If you don't police the routes in/out of your network bad things could happen. BGPSEC/RPKI do not inherently police the routes in/out of your network." so in like 2 sentences the point made by the authors is clear... Still no definition of 'route leak' though. -chris
- [GROW] WGLC: draft-ietf-grow-simple-leak-attack-b… Christopher Morrow
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Christopher Morrow
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… George, Wes
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Danny McPherson
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Christopher Morrow
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… George, Wes
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… George, Wes
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Danny McPherson
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Jeffrey Haas
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Danny McPherson
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Jeffrey Haas
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Danny McPherson
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… George, Wes
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Christopher Morrow
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Sandra Murphy
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Danny McPherson
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Jared Mauch
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Danny McPherson
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Jared Mauch
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Nick Hilliard
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Christopher Morrow
- Re: [GROW] WGLC: draft-ietf-grow-simple-leak-atta… Tony Tauber