IETF Logo Mail Archive

RE: [RPSEC] FW: AS 8437 announced a quarter of the net for half ofan hour

"Barry Greene \(bgreene\)" <bgreene@cisco.com> Tue, 15 August 2006 16:26 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GD1kc-0006T1-BR; Tue, 15 Aug 2006 12:26:46 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GD1ka-0006Pg-Tw for rpsec@ietf.org; Tue, 15 Aug 2006 12:26:44 -0400
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GD1kZ-0006fu-DU for rpsec@ietf.org; Tue, 15 Aug 2006 12:26:44 -0400
Received: from sj-dkim-8.cisco.com ([171.68.10.93]) by sj-iport-4.cisco.com with ESMTP; 15 Aug 2006 09:26:43 -0700
X-IronPort-AV: i="4.08,128,1154934000"; d="scan'208"; a="1847189869:sNHT467188702"
Received: from sj-core-3.cisco.com (sj-core-3.cisco.com [171.68.223.137]) by sj-dkim-8.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k7FGQgJ2011533; Tue, 15 Aug 2006 09:26:42 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id k7FGQdSn017187; Tue, 15 Aug 2006 09:26:42 -0700 (PDT)
Received: from xmb-sjc-227.amer.cisco.com ([128.107.191.43]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 15 Aug 2006 09:26:39 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [RPSEC] FW: AS 8437 announced a quarter of the net for half ofan hour
Date: Tue, 15 Aug 2006 09:25:54 -0700
Message-ID: <C35ADD020AEBD04383C1F7F644227FDF0233E47D@xmb-sjc-227.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [RPSEC] FW: AS 8437 announced a quarter of the net for half ofan hour
Thread-Index: AcbAJhBGn3166a9AQpOvrpqXKehZfwAYLEiA
From: "Barry Greene \(bgreene\)" <bgreene@cisco.com>
To: "william\(at\)elan.net" <william@elan.net>, <tony.li@tony.li>
X-OriginalArrivalTime: 15 Aug 2006 16:26:39.0918 (UTC) FILETIME=[962B5CE0:01C6C087]
DKIM-Signature: a=rsa-sha1; q=dns; l=4412; t=1155659202; x=1156523202; c=relaxed/relaxed; s=sjdkim8002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bgreene@cisco.com; z=From:=22Barry=20Greene=20\(bgreene\)=22=20<bgreene@cisco.com> |Subject:RE=3A=20[RPSEC]=20FW=3A=20AS=208437=20announced=20a=20quarter=20of=20the =20net=20for=20half=20ofan=20hour=20; X=v=3Dcisco.com=3B=20h=3DkUSszVnr5XvWQQLxW9SRV6Rjr/A=3D; b=eX9oug3ML0qR+fMf2OuA797/NPttbvvi1xE9aTXZC5XQ3GQBtJdX48Tekg5TWE/BJfJpNlYS M3P97U3FuMJViUHkLsvoi9kN9wSnkDShmL1lySVOAH9fBnO1iFXDl+Q7;
Authentication-Results: sj-dkim-8.cisco.com; header.From=bgreene@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5011df3e2a27abcc044eaa15befcaa87
Cc: rpsec@ietf.org, Iljitsch van Beijnum <iljitsch@muada.com>
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org

This isn't the real problem. The "real" problem - as it applies to this
scenario - is that SIDR has to develop something that is operationally
simpler to maintain than what we have today. 

The leak would be blocked is you used an ingress filter template (see
http://www.cymru.com/Bogons/index.html). So if the current practice is
too operationally expensive for SPs to deploy and maintain, any thing
that SIDR builds/designs must be better than maintaining filters. This
is a really simple metric to scope out - although difficult to meet.

 

> -----Original Message-----
> From: william(at)elan.net [mailto:william@elan.net] 
> Sent: Monday, August 14, 2006 9:48 PM
> To: tony.li@tony.li
> Cc: rpsec@ietf.org; 'Iljitsch van Beijnum'
> Subject: RE: [RPSEC] FW: AS 8437 announced a quarter of the 
> net for half ofan hour 
> 
> 
> On Mon, 14 Aug 2006, Tony Li wrote:
> 
> >> I think Tony's point is that no one should be accepting these.  
> >> Almost all cases of bogus routing that has done damage was 
> >> accidental.  There have been some incidents of intentional bogus 
> >> routes injected as an attack that I know of but these are 
> (or used to be) far less common.
> >
> > Correct.  The difference between these 'mistakes' and an attack is 
> > only one of intent, and a functional security system should render 
> > both ineffective.
> 
> Ok. Lets look at this problem then...
> 
> Currently we have proposal being worked on at SIDR WG to 
> provide allow verification of routing cryptographic identity. 
> Ultimately if deployed we'll have information about all 
> assigned/allocated ip blocks.  In such a case if routing 
> announcement comes in and it does not have an 
> allocation->routing certificate available then a router can 
> discard such an announcement.
> 
> However this is ultimately 20+ years from now (I maybe even a 
> bit too optimistic), more likely is that after this begin to 
> get deployed, we'll see only few ip blocks that can be 
> cryptographically verified. So the questions that come to mind are:
> 
>   1. What happens if an ip block has cryptographic identity in the
>      repository but announcement is smaller then this block?
>        - My current answer is to block it but this may not work
>          since it maybe block for large ISP that has allocated parts
>          to smaller ISPs that did not yet get their routing
>  	announcements signed.
> 
>   2. What happens if the announcement is larger then the ip block
>      with cryptographic identity in the repository?
>         - Again I'd prefer to block this but it is always possible
>  	 this maybe an aggregation and its possible that the
>  	 cryptographic identity is for smaller ISP or end-user
>  	 where as larger ISP that ownes ip block has not yet
>  	 deployed the extensions (this is probably impossible
>  	 if we take hierarchical approach with RIRs being root,
>  	 then direct allocation, etc; however my understanding
>  	 is that SIDR does not require hierarchical approach and
>  	 so in practice this maybe possible).
> 
>   3. What happens if the announcement is from the is space that
>      has not been allocated (such as what happened with AS8437
>      and that started this thread)?
>         - For this I've heard on last WG meeting an idea that
>  	 IANA would sign special CERT stating that no announcements
>  	 would come from the ip block. I don't know how likely
>  	 is it however that IANA would do it and how soon
>  	 (i.e. consider what IANA [has not] done on DNSSEC).
> 
> Also I don't have a clear idea if SIDR WG would add new 
> extensions to BGP or not (if I understood not) like S-BGP was 
> supposed to do.
> Because if it does not happen we can still have cases when ip 
> block with proper route in the repository and listed origin 
> AS1 would be improperly announced by AS2 with path "AS2 AS1" 
> and this would appear to be ok. The only way I see where this 
> can be noticed if we have additional attribute as part of BGP 
> route that is actually data signed by public key of AS1 (and 
> this should be real-time data including timestamp so it could 
> not be replayed).
> 
> --
> William Leibzon
> Elan Networks
> william@elan.net
> 
> _______________________________________________
> RPSEC mailing list
> RPSEC@ietf.org
> https://www1.ietf.org/mailman/listinfo/rpsec
> 

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.8.7 | Report a Bug | By Email