Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security

"Smith, Donald" <Donald.Smith@CenturyLink.com> Mon, 02 June 2014 19:43 UTC

From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: 'Ronald Bonica' <rbonica@juniper.net>, "'Gunter Van de Velde (gvandeve)'" <gvandeve@cisco.com>, 'opsec wg mailing list' <opsec@ietf.org>
Thread-Topic: Start of 2nd WGLC for draft-ietf-opsec-bgp-security
Date: Mon, 02 Jun 2014 19:43:18 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D1249A9C8@PDDCWMBXEX503.ctl.intranet>
References: <67832B1175062E48926BF3CB27C49B24113958CB@xmb-aln-x12.cisco.com> <c8822f998646410f8404b9e59c02a13f@CO1PR05MB442.namprd05.prod.outlook.com>
In-Reply-To: <c8822f998646410f8404b9e59c02a13f@CO1PR05MB442.namprd05.prod.outlook.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/MwgTdaVFOVAmY3x2OyY_zl-tG1c
Cc: "'draft-ietf-opsec-bgp-security@tools.ietf.org'" <draft-ietf-opsec-bgp-security@tools.ietf.org>, "'kk@dropbox.com'" <kk@dropbox.com>
Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security

Assuming this is discussing the "slipping in the TCP window" TCP reset attack.

4.1.  Protection of TCP sessions used by BGP

   Attacks on TCP sessions used by BGP (ex: sending spoofed TCP
   RST packets) could bring down the TCP session.  Following a
   successful ARP spoofing attack (or other similar Man-in-the-Middle
   attack), the attacker might even be able to inject packets into
   the TCP stream (routing attacks).

You do NOT have to do ARP spoofing to inject packets into the BGP session.
The same "guessing the sequence number within the window" trick works for packet injection, not just resets.

It is possible to blindly inject BGP updates into a BGP stream without doing any kind of MITM.
You have to know more about the BGP session, such as the BGP ID etc., but it is possible.


This is mostly true:
4.2.  BGP TTL security (GTSM)

   BGP sessions can be made harder to spoof with the Generalized TTL
   Security Mechanisms (aka TTL security) [9].  Instead of sending TCP
   packets with TTL value = 1, the routers send the TCP packets with TTL
   value = 255 and the receiver checks that the TTL value equals 255.
   Since it's impossible to send an IP packet with TTL = 255 to a non-
   directly-connected IP host, BGP TTL security effectively prevents all
   spoofing attacks coming from third parties not directly connected to
   the same subnet as the BGP-speaking routers.  Network administrators
   SHOULD implement TTL security on directly connected BGP peerings.

   Note: Like MD5 protection, TTL security has to be configured on both
   ends of a BGP session.

Many routers today actually do TTL decrement on the line card, while GTSM is likely further up the CPU/NPU stack. So depending on vendor and router you probably need to allow 254 for a directly connected router.

"Pampers use multiple layers of protection to prevent leakage. Rommel used defense in depth to defend European fortresses." (A.White) Donald.Smith@CenturyLink.com

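The GTSM receiver check described in section 4.2, together with the "allow 254 for a directly connected peer" caveat raised above, as an added illustration (this is not code from the draft or from the poster; the addresses and the one-decrement policy are constructed sample values):

```python
import struct

def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header for the demo (checksum left zero, TCP payload implied)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, proto, 0, src_b, dst_b)

def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields a GTSM check needs from a raw IPv4 header without options."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"ttl": ttl, "proto": proto,
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst)}

def ttl_on_arrival(sent_ttl: int, forwarding_hops: int) -> int:
    """Every router that forwards the packet decrements TTL by one, so a packet
    sent with 255 from N hops away can never arrive with more than 255 - N."""
    return max(sent_ttl - forwarding_hops, 0)

def gtsm_accept(ttl: int, allowed_decrements: int = 0) -> bool:
    """GTSM receiver rule. allowed_decrements=0 is the draft's strict 'TTL == 255';
    allowed_decrements=1 also accepts 254 for a box whose line card decrements
    before the check runs (the caveat in the mail above)."""
    return 255 - allowed_decrements <= ttl <= 255

def filter_bgp_packet(pkt: bytes, peer: str, allowed_decrements: int = 0) -> str:
    """Decide whether a packet may reach the BGP process; returns a short verdict."""
    hdr = parse_ipv4_header(pkt)
    if hdr["src"] != peer:
        return "drop: not the configured peer"
    if not gtsm_accept(hdr["ttl"], allowed_decrements):
        return f"drop: GTSM ttl={hdr['ttl']}"
    return "accept"

# Constructed scenario: peer 192.0.2.1 is directly connected; the line card
# decrements once before the GTSM check, so a genuine packet shows TTL 254.
GENUINE = build_ipv4_header("192.0.2.1", "192.0.2.2", ttl_on_arrival(255, 1))
# A third party four routers away spoofs the peer's address with TTL 255;
# forwarding alone drops it to 251 before it reaches the receiver.
SPOOFED = build_ipv4_header("192.0.2.1", "192.0.2.2", ttl_on_arrival(255, 4))
```

With the strict policy the genuine packet is dropped as well (`drop: GTSM ttl=254`), which is exactly why the allowance for one decrement matters on such hardware; the spoofed packet is dropped under either policy.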

>-----Original Message-----
>From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Ronald Bonica
>Sent: Wednesday, April 16, 2014 7:34 AM
>To: Gunter Van de Velde (gvandeve); opsec wg mailing list
>Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com
>Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security
>
>Folks,
>
>This document is very comprehensive and well-written. Kudos to the authors.
>
>However, please take a look at the Forward.
>
>                                                Ron
>
>From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
>Sent: Wednesday, April 16, 2014 7:56 AM
>To: opsec wg mailing list
>Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com
>Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security
>
>Please find this reminder to query for your feedback.
>
>Brgds,
>
>G/
>
>From: Gunter Van de Velde (gvandeve)
>Sent: 08 April 2014 11:18
>To: opsec wg mailing list
>Cc: KK (kk@google.com); draft-ietf-opsec-bgp-security@tools.ietf.org <mailto:draft-ietf-opsec-bgp-security@tools.ietf.org>
>Subject: Start of 2nd WGLC for draft-ietf-opsec-bgp-security
>
>Dear OpSec WG,
>
>This starts a 2nd Working Group Last Call for draft-ietf-opsec-bgp-security.
>
>Due to the time taken to integrate all comments from the first WGLC this 2nd WGLC is initiated.
>
>All three authors have replied, stating that they do not know of any IPR associated with this draft.
>
>The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-opsec-bgp-security/ <https://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only/>
>
>Please review this draft to see if you think it is ready for publication and comments to the list, clearly stating your view.
>
>This WGLC ends 22-April-2014.
>
>Thanks,
>
>G/