IETF Logo Mail Archive

Re: [RPSEC] BGP Security Requirements v08

Russ White <riw@cisco.com> Wed, 18 July 2007 22:42 UTC

Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBIDr-0005p7-VG; Wed, 18 Jul 2007 18:42:20 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43) id 1IBIDn-0005ol-2A for rpsec-confirm+ok@megatron.ietf.org; Wed, 18 Jul 2007 18:42:15 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBIDm-0005od-NT for rpsec@ietf.org; Wed, 18 Jul 2007 18:42:14 -0400
Received: from xmail06.myhosting.com ([168.144.250.220]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IBIDm-0001vO-8N for rpsec@ietf.org; Wed, 18 Jul 2007 18:42:14 -0400
Received: (qmail 28555 invoked from network); 18 Jul 2007 22:42:11 -0000
Received: from unknown (HELO [192.168.100.205]) (Authenticated-user:_russ@riw.us@[65.190.218.139]) (envelope-sender <riw@cisco.com>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <curtis@occnc.com>; 18 Jul 2007 22:42:11 -0000
Message-ID: <469E9735.4080703@cisco.com>
Date: Wed, 18 Jul 2007 18:41:57 -0400
From: Russ White <riw@cisco.com>
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: curtis@occnc.com
Subject: Re: [RPSEC] BGP Security Requirements v08
References: <200707182000.l6IK0570030774@harbor.brookfield.occnc.com>
In-Reply-To: <200707182000.l6IK0570030774@harbor.brookfield.occnc.com>
X-Enigmail-Version: 0.95.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52f7a77164458f8c7b36b66787c853da
Cc: rpsec@ietf.org, Sandy Murphy <sandy@tislabs.com>
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>> o The authentication information may be passed between authenticating
>>>> implementations outside the BGP protocol.
>>> Is this practical?  Pass information out of band to every far distant
>>> BGP speaker rather than just to peers.
>>>
>>> This seems to break the "must be scalable" requirement for everything
>>> related to routing.
>>  
>> Aren't the ROAs already being transmitted that way?
> 
> The ROAs do not provide authentication information to accompany a
> packet or that pert of an AS path might be legitimate.  It just serves
> to verify that a route could be originated at all by a given AS.

Whether a BGP packet is "authentic" is only a question hop by hop, and
hence, anything transitive you carry within the packet doesn't help you
much.

Whether an AS Path is valid is a long discussion, and we've had it many
times before. Suffice it to say I believe it's possible in many ways
without carrying anything in the BGP packet.

> If you want to authenticate a routing packet you need a signature over
> the packet or a digest.  Its fine to then provide the public keys OOB.

You're treating this like IPsec, where a packet originates at one end of
a connection, and ends up on the other side of the Internet at the other
end of that connection. Wrong. There's no way to know if a BGP "packet"
is "valid," beyond a single hop. You can validate the information
contained within the packet, but "validating" the packet across
"multiple hops," is only one possible way to do it.

:-)

Russ

> 
> For example, if the AS Path is A X Y Z and I trust my peer A but not X
> and Y, the ROA only tells me that its OK for Z to have originated this
> route and nothing about whether this could have legitimately passed
> through Y and Z.  An authentication would be Z signature, Y signing
> that, X signing that, and A passing along the signatures.  If 128
> bytes are used per signature that is 384 bytes.
> 
> OTOH if some OOB mechanism also addressed whether a peering might be
> legitimate, then requirements would be met.  So maybe its just that
> the current ROA scheme (or schema) is inadequate.
> 
> Curtis

- --
riw@cisco.com CCIE <>< Grace Alone

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGnpc1ER27sUhU9OQRAtgLAJwO7/Q/n6jjdFLDs/tA93HI74ZFywCgzJXU
12xxdMHHt2SAQRX2bAgCSLk=
=7vX4
-----END PGP SIGNATURE-----


_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.8.7 | Report a Bug | By Email