IETF Logo Mail Archive

Re: [Idr] [sidr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11

Iljitsch van Beijnum <iljitsch@muada.com> Wed, 29 April 2015 20:35 UTC

Return-Path: <iljitsch@muada.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A9DB1A6F5D; Wed, 29 Apr 2015 13:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s222OUedZOkV; Wed, 29 Apr 2015 13:35:43 -0700 (PDT)
Received: from sequoia.muada.com (sequoia.muada.com [IPv6:2001:1af8:3100:a006:1::]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CD5C1A6EF2; Wed, 29 Apr 2015 13:35:42 -0700 (PDT)
Received: from global-hq.muada.nl (global-hq.muada.nl [IPv6:2001:470:1f15:8b5:995e:8e8e:2b66:a875] (may be forged)) (authenticated bits=0) by sequoia.muada.com (8.13.3/8.13.3) with ESMTP id t3TKZQ7w011005 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Apr 2015 22:35:27 +0200 (CEST) (envelope-from iljitsch@muada.com)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <CY1PR09MB079302CC52C7791F3C0C512984D70@CY1PR09MB0793.namprd09.prod.outlook.com>
Date: Wed, 29 Apr 2015 22:35:37 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <CF9FE7BA-C934-401C-B2F4-0CE4AF062ECC@muada.com>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com> <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com> <EF4348D391D0334996EE9681630C83F02D173BEB@xmb-rcd-x02.cisco.com> <B1EDF7B6-1E42-440E-BD3F-29723AD7E4A4@muada.com> <986c7f50a5300c46ad05afb643be3a1d@mail.mandelberg.org> <4C80F9CE-06F9-4FB7-852B-BF1B205738FC@muada.com> <CY1PR09MB079302CC52C7791F3C0C512984D70@CY1PR09MB0793.namprd09.prod.outlook.com>
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/45yQaIzKNLIcnKUHP-Qn2aSERSo>
Cc: "idr@ietf.org" <idr@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, David Mandelberg <david@mandelberg.org>
Subject: Re: [Idr] [sidr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2015 20:35:46 -0000

On 29 Apr 2015, at 20:46, Sriram, Kotikalapudi <kotikalapudi.sriram@nist.gov> wrote:

> The validation in the BGPsec draft is only about the AS path signatures in signed updates.
> It is talking about the validity of the Secure_Path.   
> If all the signatures in a Signature_Block are valid, then the Signature_Block (and hence Secure_Path) is 'Valid';
> Else, the Signature_Block is 'Not Valid'.

So how does this work when a certificate expires without a new one in place?

Then the signature over a hop in the path and therefore the path and therefore one or more prefixes are now "Not Valid". This presents us with two choices:

1. we accept those prefixes in our forwarding tables
2. we don't accept those prefixes in our forwarding tables

Obviously 1. can't be the answer, because then BGPsec is pretty much a NOP.

But 2. is not so great either, because now a mistake or delay in generating and propagating certificates can cause unreachability.

So what we need is a third option, that provides better security than 1. and better reachability than 2.

In other words, "couldn't validate because of certificate lifetime" and "validation failed because of a bad signature or bad certificate chain" are different enough that we need them to have different effects on the forwarding tables.

v2.23.0 | Report a Bug | By Email