[Idr] Issues with SIDR
"Vishwas Manral" <vishwas.ietf@gmail.com> Thu, 28 February 2008 04:04 UTC
Return-Path: <idr-bounces@ietf.org>
X-Original-To: ietfarch-idr-archive@core3.amsl.com
Delivered-To: ietfarch-idr-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AA4753A6E7D; Wed, 27 Feb 2008 20:04:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.637
X-Spam-Level:
X-Spam-Status: No, score=-0.637 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99KS2Ryt9iMw; Wed, 27 Feb 2008 20:04:35 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AAE543A6E60; Wed, 27 Feb 2008 20:04:35 -0800 (PST)
X-Original-To: idr@core3.amsl.com
Delivered-To: idr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7320C3A6E7D for <idr@core3.amsl.com>; Wed, 27 Feb 2008 20:04:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6dMEdTYC+NN for <idr@core3.amsl.com>; Wed, 27 Feb 2008 20:04:28 -0800 (PST)
Received: from el-out-1112.google.com (el-out-1112.google.com [209.85.162.181]) by core3.amsl.com (Postfix) with ESMTP id 65DAE3A68C8 for <idr@ietf.org>; Wed, 27 Feb 2008 20:04:28 -0800 (PST)
Received: by el-out-1112.google.com with SMTP id j27so4239431elf.25 for <idr@ietf.org>; Wed, 27 Feb 2008 20:04:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=jTHtWARk74wlSqaqfFsE+NyYnn7NxweLKG0NFDtMsIo=; b=w0Vz+YwTeAfvq3sIY7tQgS0eujZ63jw7O0zBDPVfrbi5oKRAgh13h/+2jd4WQCCo0KWGJ5czTSu4FGTabKBkR+bj6eqVrFRJTfuargalW8mS2R1mpWyx39292KtjZi4/4izfTqVePjAQu3mvFNxzm2lYxxhwO4I5RV0zsPhcxno=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=nPX5LHKWZF4BdOKoCqZJ9s32QXhqYpyHIx9vB3Gle69wpga/TaZH7Jd9ZAbT9xEZTclWGQAmseFxzOkQ5hpVrZ93Dzdy4/7biPLjy4mWOWIMyb5ekSHZNk60IiJciXZYfrO8j79+PtpsGvT2C6d42aozTUuB1Pg5/2jv5xL1j+0=
Received: by 10.114.81.1 with SMTP id e1mr8567734wab.11.1204171455879; Wed, 27 Feb 2008 20:04:15 -0800 (PST)
Received: by 10.114.241.4 with HTTP; Wed, 27 Feb 2008 20:04:15 -0800 (PST)
Message-ID: <77ead0ec0802272004r776fec76yb80df62b8f7b684b@mail.gmail.com>
Date: Wed, 27 Feb 2008 20:04:15 -0800
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: idr <idr@ietf.org>, sidr <sidr@ietf.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_31239_5771214.1204171455873"
Subject: [Idr] Issues with SIDR
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
Sender: idr-bounces@ietf.org
Errors-To: idr-bounces@ietf.org
Hi folks, As part of the discussion in OPSEC with Stephen Kent and others, I looked at the SIDR infrastructure as well as soBGP document. I found easy ways to just get over all the security infrastructure(PKI) and still being able to do all the attacks as we can currently. Please have a look at the discussion below and let me know your comments. Thanks, Vishwas ---------- Forwarded message ---------- From: Vishwas Manral <vishwas.ietf@gmail.com> Date: Wed, Feb 27, 2008 at 7:13 PM Subject: Re: [OPSEC] pccw as17557 leak... To: Stephen Kent <kent@bbn.com> Cc: Roland Dobbins <rdobbins@cisco.com>, opsec wg mailing list <opsec@ietf.org> Hi Steve, Thanks a lot for the comments. I agree it can be a good first step but not sure what the future holds. I am not sure if a heavy solution like this is required which only gives reasonable security. What about the CPU DoS attacks that can be result when new random routes are injected into a domain. Thanks again, Vishwas On Wed, Feb 27, 2008 at 7:07 PM, Stephen Kent <kent@bbn.com> wrote: > At 5:12 PM -0800 2/27/08, Vishwas Manral wrote: > >Hi folks, > > > >I looked at the SIDR documents in brief. It can probably be used to > >help prevent any attacks caused due to non-malicious intent. > > > >I found easy ways to get over the SIDR security when done with a > >malicious intent. SIDR just tells the mapping between AFI, AF and AS > >number which can originate the same. However the choosing of a route > >by BGP does not depend on these fields alone. So if a malicious router > >changed the attributes attached to an NLRI update so that it becomes > >the chosen AS to the prefix (of course without changing the > >originating AS field). It can still redirect all the traffic to itself > >for the prefix and then do whatever malicious it wants to do, > >including just drop the packet. > > > >In this way still achieving the attack, but this time for sure with > >malicious intent. > > > >Thanks, > >Vishwas > > > Your example of how an AS can tamper with a route, without changing > the origin AS assertion is correct. I think the SIDR WG participants > understand that. > The work so far i SIDR focuses on establishing an infrastructure that > will enable more comprehensive routing security capabilities in the > future. Both the soBGP and SBGP proposal need this sort of > infrastructure, so it is viewed as a reasonable initial effort. > > I also agree with your observation that the infrastructure makes it > potentially easier to distinguish between some forms of attacks vs. > accidental routing errors, and that, in itself, seems valuable too. > > Steve >
_______________________________________________ Idr mailing list Idr@ietf.org https://www.ietf.org/mailman/listinfo/idr
- [Idr] Issues with SIDR Vishwas Manral