Re: [Idr] Preventing BGP Route leak (Hijack) for Management Channel BGP session
Jeff Tantsura <jefftant.ietf@gmail.com> Thu, 16 August 2018 22:23 UTC
Return-Path: <jefftant.ietf@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 154CC130DF3; Thu, 16 Aug 2018 15:23:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level:
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eqVyRPSj4DfG; Thu, 16 Aug 2018 15:23:48 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 363B8130DEA; Thu, 16 Aug 2018 15:23:48 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id f23-v6so3503807edr.11; Thu, 16 Aug 2018 15:23:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=J69/U6cFH3uO6q1ZlBlOIddtfrgzCpuoahIMUx2TcI4=; b=KHZCBv56h1wWoXdW3m4wNesq0S4cIqlQ4ANVc251oy//oXLlwuGSMf+AIA04sIncxj Wyi1nNGIPGvDhb4tf1Ya3hYDVb1v/adzRE3rNGEWXCVKqli4b2NN7hrVGGReD4L+oiWi EBCtUW6NUI78OVQcYlkRaL3ySvtNuufO6Qsf7C2Ax89dYdnGSA2nXz6SrRMOqywIzS5H SmqyZLvPwgsPsSYSLvALGo3+vqPKNboe2k7bBOL1HHXtkWCgtBAe7JpIiuJ0+iWQ7Tya KbQ0uSavQ9/K64145s8oywxcLGsvOASAW4P/pxkscKiRf4HAmFRgqRNo2C7lOsdKjjFT k/ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=J69/U6cFH3uO6q1ZlBlOIddtfrgzCpuoahIMUx2TcI4=; b=jMIbad2CtOEUTT/td+FuBnRknRwxgucBUoWAbudu3LcWQapV58jrancvucWoFdBmcR v4iuWEB0wvO+7iROOpmV3XZvL6KV5c10KQW9Sbl6hZ8oeDaQMk6wx+D8+agGk8p/6RL3 8OYDW/EdWh/fMrGA3mOYCTNxA9mFSl/Jqqlmg5ioBuXOMMjnu3xdCuYWw2klKB7nz8tA 4NGorYb2pf2OBgEE8qKikFjSi2ReI01H/huwzVWM4pzZeTd0PkEEfoUdWiM6Aj+5y3s1 i1rTHnqQmiJhy6c+8CERB0Ks7O8xH2rtaJ3xmaNekMJ4e5RjDMNOuUpOERDCgn1Ht6eS ARlw==
X-Gm-Message-State: AOUpUlG2nSgMYl+8XXopw6Ey0gJeJu2T/HiovKrukCBX0HfqAm+IAHCa HeLl3Combr58uddiNYRvI3T0PBAblLpMww50qNU=
X-Google-Smtp-Source: AA+uWPxdkEXM0PAEBVCYlsmSVeXhABqg0YkcVVPl31asSx0JJ6SXlUOXzNP+ew7mrkpC4/jv9e5Ia3MLHupMQ7f85Sk=
X-Received: by 2002:a50:94c4:: with SMTP id t4-v6mr37790048eda.128.1534458226817; Thu, 16 Aug 2018 15:23:46 -0700 (PDT)
MIME-Version: 1.0
References: <4A95BA014132FF49AE685FAB4B9F17F66B0DAE87@sjceml521-mbx.china.huawei.com> <d6d522ea-f555-9344-0dee-732bb9983ef9@juniper.net>
In-Reply-To: <d6d522ea-f555-9344-0dee-732bb9983ef9@juniper.net>
From: Jeff Tantsura <jefftant.ietf@gmail.com>
Date: Thu, 16 Aug 2018 15:23:35 -0700
Message-ID: <CAFAzdPWQcDFDB1jFJgtWDGOnRsJVkqg01gFSkfqzi_0XmofdCg@mail.gmail.com>
To: Eric C Rosen <erosen@juniper.net>
Cc: Linda Dunbar <linda.dunbar@huawei.com>, "shares@ndzh.com" <shares@ndzh.com>, "idr@ietf.org" <idr@ietf.org>, RTGWG <rtgwg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000883f90057394e575"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Zu4_IU-nn3IP30t8ABIzNF8jiHk>
Subject: Re: [Idr] Preventing BGP Route leak (Hijack) for Management Channel BGP session
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Aug 2018 22:23:52 -0000
Thanks Eric for your analysis! Linda - Eric confirmed wg feedback and explained in great details why using BGP for key distribution (while appealing) is not a great idea, you could add to that use of group keys, so in case of a breach, whole group becomes compromised (obviously there’s more to that, greatly generalized statement). Let’s move on. Thanks, Jeff On Thu, Aug 16, 2018 at 12:59 Eric C Rosen <erosen@juniper.net> wrote: > On 8/13/2018 3:26 PM, Linda Dunbar wrote: > > One of the comments to > https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/ > <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Ddm-2Dnet2cloud-2Dgap-2Danalysis_&d=DwMFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=-DXB84eU9m4cIlq2OOcCJCQQAwJXQQswyu3F0kG0VNo&m=RToh0UhV7F8cp3q2ud1LmU6GZtypPTJdboL4dgpRzr0&s=9xbKYj5fP6Jv93coe5g-lfzpp0L0bK0GyrlB91Ry3Sw&e=> > the In RTGwg session of IETF102 is that using BGP session to pass > configuration keys for IPsec can be risky even if the path between RR & > node is secure (say via TLS) due to BGP route leak (Hijack). > > But the BGP session to carry IPsec configurations is via BGP management > session, which is completely isolated form the dataplane BGP sessions. > > > I'm not sure I have the whole context, but the question seems to be > whether it could ever be safe to use BGP to distribute secret keys. > > Presumably: > > - The keys would be carried in an attribute that can only be attached by > UPDATEs of a specified AFI/SAFI, where the specified AFI/SAFI is only used > to carry management/configuration information. > > - UPDATEs of that AFI/SAFI would only be sent on BGP sessions that are > adequately secured so as to provide privacy, integrity and authentication. > > - The UPDATEs would carry the NO_ADVERTISE community (to make sure they > are not propagated further). > > - None of the BGP systems involved would allow any sort of "BGP > monitoring" that might expose the unencrypted contents of the UPDATEs. > > In this scenario, I don't think it matters whether the secure BGP session > also carries other AFI/SAFIs. > > The privacy properties of this scenario are pretty good, in theory, but I > don't think they are really good enough for distributing secret keys. > > - Once you're using BGP to distribute information, it is inevitable that > someone will decide to remove the "NO_ADVERTISE" and allow the information > to be propagated through intermediate nodes (RRs or ASBRs) to the actual > target node. After all, one of the main values of using BGP to distribute > stuff is that you get a big distribution system. Even if all the > intermediate nodes are trusted and all the intermediate BGP sessions have > adequate privacy/integrity/authentication, you still wouldn't want to > expose the secret keys to those nodes. You might trust those nodes to see > all the routing information, and even to see most of the management > information, but you probably don't want them to see all the secret keys. > And you probably don't want the secret keys stored in the clear on those > intermediate nodes. > > - I would worry about BGP monitoring procedures creating a backdoor > through which the secret keys would be exposed. > > - No matter how careful you are, when you use BGP you can be pretty sure > that your UPDATEs will end up somewhere they're not supposed to go. It's > just too easy to make mistakes. > So I don't think I'd try to do dynamic keying by attaching the actual keys > to BGP UPDATEs. At most I'd use BGP to distribute parameters that could > then be used by something like IKEv2 to actually fetch the secret keys. > >
- [Idr] Preventing BGP Route leak (Hijack) for Mana… Linda Dunbar
- Re: [Idr] Preventing BGP Route leak (Hijack) for … Eric C Rosen
- Re: [Idr] Preventing BGP Route leak (Hijack) for … Jeff Tantsura
- Re: [Idr] Preventing BGP Route leak (Hijack) for … Linda Dunbar
- Re: [Idr] Preventing BGP Route leak (Hijack) for … Robert Raszuk
- Re: [Idr] Preventing BGP Route leak (Hijack) for … Linda Dunbar
- Re: [Idr] Preventing BGP Route leak (Hijack) for … Jeff Tantsura