IETF Logo Mail Archive

Re: [Idr] Preventing BGP Route leak (Hijack) for Management Channel BGP session

Jeff Tantsura <jefftant.ietf@gmail.com> Thu, 16 August 2018 22:23 UTC

Return-Path: <jefftant.ietf@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 154CC130DF3; Thu, 16 Aug 2018 15:23:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level:
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eqVyRPSj4DfG; Thu, 16 Aug 2018 15:23:48 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 363B8130DEA; Thu, 16 Aug 2018 15:23:48 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id f23-v6so3503807edr.11; Thu, 16 Aug 2018 15:23:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=J69/U6cFH3uO6q1ZlBlOIddtfrgzCpuoahIMUx2TcI4=; b=KHZCBv56h1wWoXdW3m4wNesq0S4cIqlQ4ANVc251oy//oXLlwuGSMf+AIA04sIncxj Wyi1nNGIPGvDhb4tf1Ya3hYDVb1v/adzRE3rNGEWXCVKqli4b2NN7hrVGGReD4L+oiWi EBCtUW6NUI78OVQcYlkRaL3ySvtNuufO6Qsf7C2Ax89dYdnGSA2nXz6SrRMOqywIzS5H SmqyZLvPwgsPsSYSLvALGo3+vqPKNboe2k7bBOL1HHXtkWCgtBAe7JpIiuJ0+iWQ7Tya KbQ0uSavQ9/K64145s8oywxcLGsvOASAW4P/pxkscKiRf4HAmFRgqRNo2C7lOsdKjjFT k/ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=J69/U6cFH3uO6q1ZlBlOIddtfrgzCpuoahIMUx2TcI4=; b=jMIbad2CtOEUTT/td+FuBnRknRwxgucBUoWAbudu3LcWQapV58jrancvucWoFdBmcR v4iuWEB0wvO+7iROOpmV3XZvL6KV5c10KQW9Sbl6hZ8oeDaQMk6wx+D8+agGk8p/6RL3 8OYDW/EdWh/fMrGA3mOYCTNxA9mFSl/Jqqlmg5ioBuXOMMjnu3xdCuYWw2klKB7nz8tA 4NGorYb2pf2OBgEE8qKikFjSi2ReI01H/huwzVWM4pzZeTd0PkEEfoUdWiM6Aj+5y3s1 i1rTHnqQmiJhy6c+8CERB0Ks7O8xH2rtaJ3xmaNekMJ4e5RjDMNOuUpOERDCgn1Ht6eS ARlw==
X-Gm-Message-State: AOUpUlG2nSgMYl+8XXopw6Ey0gJeJu2T/HiovKrukCBX0HfqAm+IAHCa HeLl3Combr58uddiNYRvI3T0PBAblLpMww50qNU=
X-Google-Smtp-Source: AA+uWPxdkEXM0PAEBVCYlsmSVeXhABqg0YkcVVPl31asSx0JJ6SXlUOXzNP+ew7mrkpC4/jv9e5Ia3MLHupMQ7f85Sk=
X-Received: by 2002:a50:94c4:: with SMTP id t4-v6mr37790048eda.128.1534458226817; Thu, 16 Aug 2018 15:23:46 -0700 (PDT)
MIME-Version: 1.0
References: <4A95BA014132FF49AE685FAB4B9F17F66B0DAE87@sjceml521-mbx.china.huawei.com> <d6d522ea-f555-9344-0dee-732bb9983ef9@juniper.net>
In-Reply-To: <d6d522ea-f555-9344-0dee-732bb9983ef9@juniper.net>
From: Jeff Tantsura <jefftant.ietf@gmail.com>
Date: Thu, 16 Aug 2018 15:23:35 -0700
Message-ID: <CAFAzdPWQcDFDB1jFJgtWDGOnRsJVkqg01gFSkfqzi_0XmofdCg@mail.gmail.com>
To: Eric C Rosen <erosen@juniper.net>
Cc: Linda Dunbar <linda.dunbar@huawei.com>, "shares@ndzh.com" <shares@ndzh.com>, "idr@ietf.org" <idr@ietf.org>, RTGWG <rtgwg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000883f90057394e575"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Zu4_IU-nn3IP30t8ABIzNF8jiHk>
Subject: Re: [Idr] Preventing BGP Route leak (Hijack) for Management Channel BGP session
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Aug 2018 22:23:52 -0000

Thanks Eric for your analysis!

Linda - Eric confirmed wg feedback and explained in great details why using
BGP for key distribution (while appealing) is not a great idea, you could
add to that use of group keys, so in case of a breach, whole group becomes
compromised (obviously there’s more to that, greatly generalized
statement). Let’s move on.

Thanks,
Jeff


On Thu, Aug 16, 2018 at 12:59 Eric C Rosen <erosen@juniper.net> wrote:

> On 8/13/2018 3:26 PM, Linda Dunbar wrote:
>
> One of the comments to
> https://datatracker.ietf.org/doc/draft-dm-net2cloud-gap-analysis/
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Ddm-2Dnet2cloud-2Dgap-2Danalysis_&d=DwMFAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=-DXB84eU9m4cIlq2OOcCJCQQAwJXQQswyu3F0kG0VNo&m=RToh0UhV7F8cp3q2ud1LmU6GZtypPTJdboL4dgpRzr0&s=9xbKYj5fP6Jv93coe5g-lfzpp0L0bK0GyrlB91Ry3Sw&e=>
> the In RTGwg session of IETF102 is that using BGP session to pass
> configuration keys for IPsec can be risky even if the path between RR &
> node is secure (say via TLS) due to BGP route leak (Hijack).
>
> But the BGP session to carry IPsec configurations is via BGP management
> session, which is completely isolated form the dataplane BGP sessions.
>
>
> I'm not sure I have the whole context, but the question seems to be
> whether it could ever be safe to use BGP to distribute secret keys.
>
> Presumably:
>
> - The keys would be carried in an attribute that can only be attached by
> UPDATEs of a specified AFI/SAFI, where the specified AFI/SAFI is only used
> to carry management/configuration information.
>
> - UPDATEs of that AFI/SAFI would only be sent on BGP sessions that are
> adequately secured so as to provide privacy, integrity and authentication.
>
> - The UPDATEs would carry the NO_ADVERTISE community (to make sure they
> are not propagated further).
>
> - None of the BGP systems involved would allow any sort of "BGP
> monitoring" that might expose the unencrypted contents of the UPDATEs.
>
> In this scenario, I don't think it matters whether the secure BGP session
> also carries other AFI/SAFIs.
>
> The privacy properties of this scenario are pretty good, in theory, but I
> don't think they are really good enough for distributing secret keys.
>
> - Once you're using BGP to distribute information, it is inevitable that
> someone will decide to remove the "NO_ADVERTISE" and allow the information
> to be propagated through intermediate nodes (RRs or ASBRs) to the actual
> target node.  After all, one of the main values of using BGP to distribute
> stuff is that you get a big distribution system.  Even if all the
> intermediate nodes are trusted and all the intermediate BGP sessions have
> adequate privacy/integrity/authentication, you still wouldn't want to
> expose the secret keys to those nodes.  You might trust those nodes to see
> all the routing information, and even to see most of the management
> information, but you probably don't want them to see all the secret keys.
> And you probably don't want the secret keys stored in the clear on those
> intermediate nodes.
>
> - I would worry about BGP monitoring procedures creating a backdoor
> through which the secret keys would be exposed.
>
> - No matter how careful you are, when you use BGP you can be pretty sure
> that your UPDATEs will end up somewhere they're not supposed to go.  It's
> just too easy to make mistakes.
> So I don't think I'd try to do dynamic keying by attaching the actual keys
> to BGP UPDATEs.  At most I'd use BGP to distribute parameters that could
> then be used by something like IKEv2 to actually fetch the secret keys.
>
>

v2.23.0 | Report a Bug | By Email