Re: [Idr] Preventing BGP Route leak (Hijack) for Management Channel BGP session

Jeff Tantsura <jefftant.ietf@gmail.com> Fri, 17 August 2018 21:51 UTC

Return-Path: <jefftant.ietf@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AF48130E07; Fri, 17 Aug 2018 14:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.008
X-Spam-Level:
X-Spam-Status: No, score=-0.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZ3KIy_n7HBy; Fri, 17 Aug 2018 14:51:39 -0700 (PDT)
Received: from mail-pl0-x242.google.com (mail-pl0-x242.google.com [IPv6:2607:f8b0:400e:c01::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61D86130FCA; Fri, 17 Aug 2018 14:51:39 -0700 (PDT)
Received: by mail-pl0-x242.google.com with SMTP id d5-v6so4284896pll.4; Fri, 17 Aug 2018 14:51:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=bSRR+vJ8kdJDGdjAk7lZDlb9Td6U4YE5FLM5KnB/KBM=; b=IZaXebFsb2Kyot4VXeAbLiA3E5UBsRVvhRqs3ZjoKZPIGYyWKKJ7fkSPpmlyY4rDuI Pd5QiTQAtd2NkwxEfiyWKrZX+z6TjE+rM3cqhtYrG1y/jv2GdF2PUJBHZ2hOdOgQSvsb l0ltIzqBJK8RKExGz25U56GxZDpJxkY+34mQWC7hD3eOX2cKy8uxZT9VHdPsPBlbjlDX 6uwNUtXcWPrRJC7/sbZzkxhFaZS1ixDBqGhitUQqhv11HRgWuEAQXm/JU00wnNeWEbrQ iaiYjvmxeJX4B4yYZYN26rH6izSwcuCSMLaRRJil8CjmDMBTPtWkNX/jcoDOGWSvkyaM 6hoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=bSRR+vJ8kdJDGdjAk7lZDlb9Td6U4YE5FLM5KnB/KBM=; b=nwnrIp/wLDSmTee9owLADpXOdN4kg0cgae3t+i8M+zX5I3A4+quIF2BqP/cdUsV/vy fMuBncf+RtG0KfD0JcyGn2aD9299ey7PmasvIKkIjgrC2xoUQYc9bg4eLpbT/Kjhz9v4 prDcPHWCztjcnLk3bLhtoilsDBIJMM69wxCWN45yEnDocMZYHXcnRA5I1sMlXIpgILyV 7CLgjTHln6NpnrlTrprkrED/8TFNquJ00Mc2+P4PxMsYQo/WoKg+A6Vf82gHtrEF/Aqc JZ+njqRnqvY15JCK8XHWyZVdqwXRJlgkrcxINT0KmxmcteFJF8eKCosGAlYqzuGiMpvU UHRA==
X-Gm-Message-State: AOUpUlGthGsR7tVcJOvl0Xf4CuvsmHQsZ6jhc2InE7O7kFOkTCvyzzCp A54DtiQLZsW3F9Ql+k4Vmjo=
X-Google-Smtp-Source: AA+uWPydJryffuY5T0/2lWZ92DDxcYSSdW2waDWLMiUU8G25owy+C+MiA48RKKHLs1902a8TckaXOg==
X-Received: by 2002:a17:902:227:: with SMTP id 36-v6mr35818688plc.103.1534542698946; Fri, 17 Aug 2018 14:51:38 -0700 (PDT)
Received: from [192.168.1.17] ([2601:647:5801:7388:6c90:cd33:9b26:703e]) by smtp.gmail.com with ESMTPSA id l84-v6sm6103664pfg.3.2018.08.17.14.51.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Aug 2018 14:51:38 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/10.f.0.180709
Date: Fri, 17 Aug 2018 14:51:37 -0700
From: Jeff Tantsura <jefftant.ietf@gmail.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, Robert Raszuk <robert@raszuk.net>
CC: "idr@ietf.org" <idr@ietf.org>, RTGWG <rtgwg@ietf.org>
Message-ID: <571B830A-5265-49CA-8646-1F7B17461F55@gmail.com>
Thread-Topic: Preventing BGP Route leak (Hijack) for Management Channel BGP session
References: <4A95BA014132FF49AE685FAB4B9F17F66B0DAE87@sjceml521-mbx.china.huawei.com> <d6d522ea-f555-9344-0dee-732bb9983ef9@juniper.net> <4A95BA014132FF49AE685FAB4B9F17F66B0DC48F@sjceml521-mbx.china.huawei.com> <CAOj+MMH-LmcnB60qWftf1fPjLXpFt1MdVRJKw4CLg6qyBef9Zg@mail.gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0DCC00@sjceml521-mbx.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B0DCC00@sjceml521-mbx.china.huawei.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3617362297_1312349409"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Wwxvjh7hM2dJc2agLo7kZqpxXSc>
Subject: Re: [Idr] Preventing BGP Route leak (Hijack) for Management Channel BGP session
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2018 21:51:43 -0000

/as working group contributor

 

Linda,

 

I disagree with “already support BGP” point as the right argument to use BGP for key distribution.

In most cases, after booting up  1st time, CPE would “call back home” to activate and obtain right SW, config, etc

BGP session(s) would be configured/activated later

 

Cheers,

Jeff

 

From: rtgwg <rtgwg-bounces@ietf.org> on behalf of Linda Dunbar <linda.dunbar@huawei.com>
Date: Friday, August 17, 2018 at 13:37
To: Robert Raszuk <robert@raszuk.net>
Cc: "idr@ietf.org" <idr@ietf.org>, RTGWG <rtgwg@ietf.org>
Subject: RE: Preventing BGP Route leak (Hijack) for Management Channel BGP session

 

Robert, 

 

Actually IPsec Public key being hijacked doesn’t pose any issue to IPsec because the IPsec key is generated by Public & Private key, like IKEv2 is exchanged over public internet, while anyone can see it. 

 

Using BGP’s RR to exchange the Public key is to avoid the Peer Authentication requirement on the Resource Constraint CPEs & virtual CPEs. 

Of cause, we can use some kind Registration protocols, such as NHRP, to do the job. 

Since those CPEs already support BGP, leveraging BGP update is less processing on those resource constraint CPEs than supporting another new protocol. 

 

Linda

 

From: Robert Raszuk [mailto:robert@raszuk.net] 
Sent: Friday, August 17, 2018 4:20 AM
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: Eric C Rosen <erosen@juniper.net>; idr@ietf.org; RTGWG <rtgwg@ietf.org>
Subject: Re: Preventing BGP Route leak (Hijack) for Management Channel BGP session

 

Hi Linda,

 

> requiring Data Plan BGP session to be completely separate from the Management Plane BGP session, is it Okay? 

 

As I mentioned offline there is no distinction in BGP for data plane BGP session vs Mgmt Plane BGP session. 

 

BGP session is a BGP session - pure TCP stream of packets which is pretty trivial to intercept, decode, hijack, etc .... 

 

Moreover BGP messages are designed to be flooded everywhere in a p2mp fashion. Even if you add "NO-ADVERTISE" BGP community to it - communities can get stripped automatically on any BGP speaker. Hence you clean your sole safety protection. 

 

The question I would like to state and understood - why are you trying so hard to use BGP for IPSec secret key distribution ? Is this only due to the fact that you have it there ? Wasn't IKE and now improved IKEv2 specifically designed to do just that ? Any reason you don't want to use it ? 

 

Thx,

R.

 

 

 

On Fri, Aug 17, 2018 at 12:59 AM, Linda Dunbar <linda.dunbar@huawei.com> wrote:

Eric, 

 

Thank you very much for the detailed explanation. 

 

I meant to ask about using BGP UPDATEs of a unique AFI/SAFI to distribute the “Public Keys” and individual “Nonce” to all the CPEs. Just like IKE (where peers exchange public key over internet), now the Public keys are exchanged between peers via RR (Controller). With this approach, the CPEs can offload the Peer Authentication job to Controller. 

 

IPsec’s  Diffie-Hellman algorithm use “Public Key” and CPE’s Private Key to compute the actual Security Association. 

 

In your draft-rosen-bess-secure-l3vpn-01, you have BLACK BGP session and RED BGP session, and emphasized on how BLACK BGP not leaking routes to RED BGP. I want to know if we can do the same for Management BGP session, i.e. requiring Data Plan BGP session to be completely separate from the Management Plane BGP session, is it Okay? 

 

Thanks, Linda Dunbar

 

 

 

From: Eric C Rosen [mailto:erosen@juniper.net] 
Sent: Thursday, August 16, 2018 2:59 PM
To: Linda Dunbar <linda.dunbar@huawei.com>; shares@ndzh.com; idr@ietf.org; Jeff Tantsura <jefftant.ietf@gmail.com>; RTGWG <rtgwg@ietf.org>
Subject: Re: Preventing BGP Route leak (Hijack) for Management Channel BGP session

 

On 8/13/2018 3:26 PM, Linda Dunbar wrote:

One of the comments to https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/ the In RTGwg session of IETF102 is that using BGP session to pass configuration keys for IPsec can be risky even if the path between RR & node is secure (say via TLS) due to BGP route leak (Hijack). 

But the BGP session to carry IPsec configurations is via BGP management session, which is completely isolated form the dataplane BGP sessions.. 


I'm not sure I have the whole context, but the question seems to be whether it could ever be safe to use BGP to distribute secret keys.

Presumably:

- The keys would be carried in an attribute that can only be attached by UPDATEs of a specified AFI/SAFI, where the specified AFI/SAFI is only used to carry management/configuration information.

- UPDATEs of that AFI/SAFI would only be sent on BGP sessions that are adequately secured so as to provide privacy, integrity and authentication.

- The UPDATEs would carry the NO_ADVERTISE community (to make sure they are not propagated further).

- None of the BGP systems involved would allow any sort of "BGP monitoring" that might expose the unencrypted contents of the UPDATEs.

In this scenario, I don't think it matters whether the secure BGP session also carries other AFI/SAFIs.

The privacy properties of this scenario are pretty good, in theory, but I don't think they are really good enough for distributing secret keys.

- Once you're using BGP to distribute information, it is inevitable that someone will decide to remove the "NO_ADVERTISE" and allow the information to be propagated through intermediate nodes (RRs or ASBRs) to the actual target node.  After all, one of the main values of using BGP to distribute stuff is that you get a big distribution system.  Even if all the intermediate nodes are trusted and all the intermediate BGP sessions have adequate privacy/integrity/authentication, you still wouldn't want to expose the secret keys to those nodes.  You might trust those nodes to see all the routing information, and even to see most of the management information, but you probably don't want them to see all the secret keys.  And you probably don't want the secret keys stored in the clear on those intermediate nodes.

- I would worry about BGP monitoring procedures creating a backdoor through which the secret keys would be exposed.  

- No matter how careful you are, when you use BGP you can be pretty sure that your UPDATEs will end up somewhere they're not supposed to go.  It's just too easy to make mistakes.  
So I don't think I'd try to do dynamic keying by attaching the actual keys to BGP UPDATEs.  At most I'd use BGP to distribute parameters that could then be used by something like IKEv2 to actually fetch the secret keys.


_______________________________________________
rtgwg mailing list
rtgwg@ietf.org
https://www.ietf.org/mailman/listinfo/rtgwg

 

_______________________________________________ rtgwg mailing list rtgwg@ietf.org https://www.ietf.org/mailman/listinfo/rtgwg