Re: a draft that missed the deadline
Sandy Murphy <sandy@tis.com> Mon, 01 December 1997 16:46 UTC
Received: from merit.edu (merit.edu [198.108.1.42]) by nic.merit.edu (8.8.7/8.8.7) with ESMTP id LAA29131 for <idr-archive@nic.merit.edu>; Mon, 1 Dec 1997 11:46:45 -0500 (EST)
Received: (from majordom@localhost) by merit.edu (8.8.7/8.8.5) id LAA19370 for idr-outgoing; Mon, 1 Dec 1997 11:39:41 -0500 (EST)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by merit.edu (8.8.7/8.8.5) with ESMTP id LAA19366 for <idr@merit.edu>; Mon, 1 Dec 1997 11:39:37 -0500 (EST)
Received: by relay.hq.tis.com; id LAA16457; Mon, 1 Dec 1997 11:38:46 -0500 (EST)
Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (4.0a) id xma016438; Mon, 1 Dec 97 11:38:01 -0500
Received: (from sandy@localhost) by clipper.hq.tis.com (8.7.5/8.7.3) id LAA01103; Mon, 1 Dec 1997 11:35:31 -0500 (EST)
Date: Mon, 01 Dec 1997 11:35:31 -0500
From: Sandy Murphy <sandy@tis.com>
Message-Id: <199712011635.LAA01103@clipper.hq.tis.com>
To: tli@juniper.net
Subject: Re: a draft that missed the deadline
Cc: idr@merit.edu, sandy@tis.com
Sender: owner-idr@merit.edu
Precedence: bulk
>I was quite disappointed to see no mention of >draft-heffernan-tcp-md5-02.txt.gz (admittedly, it has expired) or its >methods. You alude to the benefits, but seem completely oblivious to the >fact that it's already in shipping code. I am well aware of Andy Heffernan's work (which I thought you also had a hand in, judging by our conversations about TCP RST's). I did not mention it because, as you said, the work had been dropped from the IETF working group active consideration. I thought that the reason those drafts were allowed to expire was because the protection provided by IPSEC is at least as good as the protection provided by doing MD5 protection at the TCP level. Given the limited amount of option space in the TCP packet and the recent concerns about MD5 potential vulnerabilities by itself (leading the IPSEC group to recommend the HMAC approach), the IPSEC solution might even be better. Be that as it may, I saw several messages in September between Ran Atkinson and Jeff Schiller about that draft, suggesting that it might be resurrected for publication as an Informational RFC. Do you know anything more about that? On a side note, I've been trying to come up with good reasons why keyed crypto hash protection at the application level might still be useful when IPSEC is fully deployed. Given the number of protocols that have defined their own protection while waiting for IPSEC, it is a question with some broad applicability. One might say that protecting at the application level prevents other processes in the same host from horning in. Can you see that as a valid concern to keep application level protection when IPSEC protection is available? >I was also hoping for more of a recommendation for the internal sources >solution. The problem there is of the most theoretical interest and the >one that we would appreciate the assistance on. I was asked, not for a recommendation, but for a discussion of the possibilities and the costs. I think that the business environment plays such a large part in determining what level of protection you need as well as how much you're willing to do to protect yourself that it may take a community decision to make a recommendation. If the usual environment was such that a valid sequence of BGP peers was almost certainly also a valid AS_PATH (i.e., the policy decisions would let traffic through), then Brad Smith's proposal to insert link state information is attractive. The frequency of signatures (I think) can be reduced and therefore the number of verifications. You do have to check each AS_PATH against the link state information to see if it is a valid sequence of adjacent AS's, though. If the usual environment was such that valid sequences of BGP peers were NOT likely to be valid AS_PATH (because of peering agreements and their effect on the traffic that will be transited, etc.), then you need assurance that the *path* is valid, which can mean assurance that your neighbor came by the determination of the path he/she/it sent you honestly - which means some sort of proof that your neighbor based its path on information IT received from a neighbor - which means passing on to you some sort of token from the neighbor's neighbor. And so forth. As I said, the Internet registries can provide some of this assurance. They certainly collect the sort of information that would provide assurance that the hops represented in the AS_PATH are valid. They might also collect the detailed information about policies that would help determine that AS_PATHs are valid. The business environment sticks its nose in that as well, as the policy information needed to determine the validity of AS_PATH might be sensitive and something the ISPs would not want published to the world. >Finally, I was really hoping to see more discussion of the prefix >assignment problem. Again, you allude to it briefly in section 3.3, but >the authenticated delegation of prefixes is a serious problem that we could >use help with. When you say "prefix assignment" problem, you're talking about some AS announcing a prefix that actually belongs to someone else? especially when it's in the middle of someone else's CIDR block? Unfortunately, asking for that sort of protection is asking for assurance that someone is *authorized* (not just authenticated) to speak the information they are providing. Authorization is always something that one is given by someone else. So authorizing the advertisement of a network implies an infrastructure for assigning networks to AS's. That means, for example, an authenticatable token from IANA proving you are allowed to announce this network (maybe given to you when you acquire the address), or some verification from some Internet registry (which implies an infrastructure that would make sure the registry itself had the correct info and got the info to you securely, etc). This is more than just a protocol question. Do you think the idr group (and maybe the rps working group) could take on recommending an infrastructure like this? (I suppose you point to DNS as an example of a working group that set up a ownership infrastructure.) Then there's the problem of aggregation of information. If you have aggregated several pieces of properly authorized information, how do you show that you are authorized to speak the aggregate? Include all the individual authorization tokens? That would pretty much undo the benefits of aggregation. And de-aggregation is a problem as well. As long as BGP contains features to allow de-aggregation (a necessity, I think) of the addresses received, there will be the possibility of mis-use. I actually came to a full stop in early May on this work when I realized that the MAI-Sprint problem was a fully legal use of the protocol, just an extremely unwise one. Maybe the proof-of-originable-address infrastructure could prevent AS's from announcing class-ful addresses that they weren't directly connected to. I think that would mean the protocol would have to know when an address was being advertised as a direct connection, different from the ORIGIN attribute. This message is long enough. I'll quit for now. --Sandy
- Re: a draft that missed the deadline Tony Li
- a draft that missed the deadline Sandy Murphy
- Re: a draft that missed the deadline Curtis Villamizar
- Re: a draft that missed the deadline Curtis Villamizar
- Re: a draft that missed the deadline Tony Li
- Re: a draft that missed the deadline Andy Heffernan
- Re: [jnx.ext.ietf.idr] Re: a draft that missed th… Bruce Cole
- Re: a draft that missed the deadline Tony Li
- Re: a draft that missed the deadline Andy Heffernan
- Re: a draft that missed the deadline Randy Bush
- Re: a draft that missed the deadline Andrew Partan
- Re: a draft that missed the deadline Tony Li
- Re: a draft that missed the deadline Sandy Murphy