IETF Logo Mail Archive

Re: [Idr] [sidr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Tue, 05 May 2015 23:02 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7956C1A896C; Tue, 5 May 2015 16:02:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8hM3yvrNvWT6; Tue, 5 May 2015 16:02:55 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0132.outbound.protection.outlook.com [207.46.100.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3231C1A894C; Tue, 5 May 2015 16:02:55 -0700 (PDT)
Received: from CY1PR09MB0793.namprd09.prod.outlook.com (10.163.43.143) by CY1PR09MB0793.namprd09.prod.outlook.com (10.163.43.143) with Microsoft SMTP Server (TLS) id 15.1.154.19; Tue, 5 May 2015 23:02:53 +0000
Received: from CY1PR09MB0793.namprd09.prod.outlook.com ([10.163.43.143]) by CY1PR09MB0793.namprd09.prod.outlook.com ([10.163.43.143]) with mapi id 15.01.0154.018; Tue, 5 May 2015 23:02:53 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Thread-Topic: [sidr] Levels of BGPsec/RPKI validation, was: Re: [Idr] wglc for draft-ietf-sidr-bgpsec-protocol-11
Thread-Index: AQHQg23hvPefCdVsC0+PANQ5UDQxHp1mBKmAgAF9bICAAAl4AIABfEbjgATaiQCAAAzNsA==
Date: Tue, 05 May 2015 23:02:52 +0000
Message-ID: <CY1PR09MB0793CD0DC7DC1187CD357C3E84D10@CY1PR09MB0793.namprd09.prod.outlook.com>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com> <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com> <CANTg3aC4EurFpEP9S+5v4L5mz4zO2TLf9jOn+biCv0knms=8=Q@mail.gmail.com> <3637DF28-CFC8-46FF-8929-DF88BB91D3AB@muada.com> <CANTg3aDwkSEEGN_7TotJUu-d8eZS8eBaE-J4XbT+QpGxjPR60Q@mail.gmail.com> <CA587941-7279-44A0-B447-0E307C3D52D3@muada.com> <1430621496060.84229@nist.gov> <C5D81662-54D1-4E8C-8914-C5971849AC1B@muada.com>
In-Reply-To: <C5D81662-54D1-4E8C-8914-C5971849AC1B@muada.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: muada.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [129.6.140.100]
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR09MB0793;
x-microsoft-antispam-prvs: <CY1PR09MB0793322A50938371DDA6995D84D10@CY1PR09MB0793.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:CY1PR09MB0793; BCL:0; PCL:0; RULEID:; SRVR:CY1PR09MB0793;
x-forefront-prvs: 0567A15835
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(51704005)(99286002)(86362001)(76576001)(2950100001)(92566002)(50986999)(2900100001)(33656002)(54356999)(76176999)(46102003)(93886004)(106116001)(15975445007)(102836002)(40100003)(122556002)(62966003)(77156002)(77096005)(110136002)(5001960100002)(74316001)(19580395003)(87936001)(66066001)(2656002)(230783001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR09MB0793; H:CY1PR09MB0793.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 May 2015 23:02:52.9802 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR09MB0793
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/NG5G278Iu4PcZnrtscUg3ljsaL4>
Cc: "idr@ietf.org wg" <idr@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [Idr] [sidr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2015 23:02:57 -0000

>In practice, what will happen very soon is that there will be a
>BGPsec core with non-BGPsec leaves and branches.

That is a possibility. To encourage leaves (stub ASes) to get on board with BGPsec, the specification 
allows for BGPsec capability to be negotiated independently in each direction (send and receive).
This means that a stub AS can negotiate with its upstream to send signed updates (to the upstream) 
but receive only unsigned updates (i.e. trusts its upstream).
Thus it avoids processing and memory costs associated with processing signed updates and storing them. 
This facilitates the stub AS to avoid expensive HW upgrade, but still benefit from BGPsec.
Please see Section 2 of the BGPsec specification. Also see Sections 6.5 and 6.6 in the 
BGPSEC design discussion document:
http://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-07#page-21 

>Sure. But what if one of those BGPsec-capable ASes has a customer that doesn't
>run BGPsec? So:
>
>5+ 4+ 3+ 2+ 1-
>
>(where + is BGPsec and - is no BGPsec)
>
>In this case the entire path will be unprotected, even though four of the five
>ASes in the path are capable of using BGPsec. I fair argument can be made that
>if it's only the origin AS that's non-BGPsec, the protection afforded is very nearly
>as good as in the case where the complete path is BGPsec-protected.
>

Steve Kent summed it up nicely (in his most recent post on the SIDR list) about the pitfalls 
of allowing partial path signing. 
In your specific example above, let us say, there is also an 8+ who is *malicious* and a BGPsec neighbor of 5+.
8+ does not peer with 1-, but nevertheless sends an update with the following malicious AS path to 5+:

8+ 1-  (for the same NLRI as in your example above)

8+ is basically faking that it got an unsigned update from 1- and 
it is forwarding the same to 5+ with a signature (i.e. 8+ signing to 5+).
How will 5+ know that the partially signed update with AS path of {4+ 3+ 2+ 1-} is legitimate 
and that the other partially signed update with AS path {8+ 1-} is malicious? 
It has no way of knowing that.

Sriram

v2.23.0 | Report a Bug | By Email