IETF Logo Mail Archive

Re: [RPSEC] BGP Security Requirements v08

Curtis Villamizar <curtis@occnc.com> Wed, 18 July 2007 19:18 UTC

Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBF2I-0003ds-KL; Wed, 18 Jul 2007 15:18:10 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43) id 1IBF2H-0003dl-74 for rpsec-confirm+ok@megatron.ietf.org; Wed, 18 Jul 2007 15:18:09 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBF2G-0003dd-Si for rpsec@ietf.org; Wed, 18 Jul 2007 15:18:08 -0400
Received: from 69.37.59.172.adsl.snet.net ([69.37.59.172] helo=harbor.brookfield.occnc.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IBF2G-0003kL-9d for rpsec@ietf.org; Wed, 18 Jul 2007 15:18:08 -0400
Received: from harbor.brookfield.occnc.com (harbor.brookfield.occnc.com [69.37.59.172]) by harbor.brookfield.occnc.com (8.13.6/8.13.6) with ESMTP id l6IJIr3X029859; Wed, 18 Jul 2007 15:18:53 -0400 (EDT) (envelope-from curtis@harbor.brookfield.occnc.com)
Message-Id: <200707181918.l6IJIr3X029859@harbor.brookfield.occnc.com>
To: Stephen Kent <kent@bbn.com>
From: Curtis Villamizar <curtis@occnc.com>
Subject: Re: [RPSEC] BGP Security Requirements v08
In-reply-to: Your message of "Wed, 18 Jul 2007 14:10:18 EDT." <p06240515c2c4060958e4@[128.89.89.71]>
Date: Wed, 18 Jul 2007 15:18:53 -0400
X-Spam-Score: 1.7 (+)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Cc: rpsec@ietf.org, Russ White <riw@cisco.com>
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: curtis@occnc.com
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org

In message <p06240515c2c4060958e4@[128.89.89.71]>
Stephen Kent writes:
>  
> At 12:14 PM -0400 7/18/07, Curtis Villamizar wrote:
> >In message <F1A1D21DA394814E824AC89F5A005BA312CCE59D@zcarhxm0.corp.nortel.com>
> >"James Ko" writes:
> >> 
> >> 
> >>  Indeed, ideally incoming data should be "authentic" and "verifiable",
> >>  otherwise we are back to square one and this work is no different but to
> >>  give bad guys a window of opportunity to run man-in-the-middle attacks,
> >>  or inject bogus routes.
> >
> >
> >So why does Internet routing work at all today?  Rhetorical question.
> >
> >It does work by the way.  Not always perfectly.
> >
> >Curtis
> >
> >
> >ps - The answer is because the DOS would be short lived and very
> >traceable (ie: not much damage and they'd get caught).  The reason for
> >this is the bogus information would have to be injected from within an
> >ISP and ISP security of their own infrastructure is reasonably good.
>  
> Curtis,
>  
> a few observations:
> 	- as I just noted in a prior response, DoS is not the only issue here.
>  
> 	- the fact that routing does generally work today is not a 
> good basis for deciding on security requirements.  If we turn back 
> the clock a few years we could say that DDoS attacks never happen and 
> thus one need not make provisions to deter such attacks.  As they say 
> in the financial sector "performance data shown represents past 
> performance and is no guarantee of future results" :-).

I think you mean turn back the clock a decade.

DDOS attacks are more than a decade old.  DDOS is exactly the sort of
practical problem that the security theorists ignored while the
Internet practitioners advocated hardenning.  The hardenning had
nothing to do with cryptography and in fact cryptography was
impractical.  The security theorists had a very hard time accepting
this and still do, hence our recent discussion on GTSM.  I can dig up
plenty of back email dating from the mid-1990s on DOS hardenning and
DDOS hardenning and *practial* and *deployable* protection against
injection of false routing information.

> 	- active attacks against BGP sessions are possible. not all 
> BGP sessions make use of extant protection mechanisms like the TCP 
> MD5 checksum, and among those that do there are reports of key 
> management that leave s a lot ot be desired
>  
> Steve

TCP MD5 is of limited value with GTSM and packet filtering being the
preferred methods of providing such protection.  GTSM for EBGP
peerings.  Filtering for IBGP peerings.

I would also point out that GTSM had very strong ISP support
particularly from AOL (Vijay Gill) because it did solve a practical
problem and vendors had no choice but to implement it promptly, even
before the IETF had acted.  In contranst this work may drag on for
(many more) years and (continue to) yield nothing if practical
problems are not addressed.

Curtis


_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.8.7 | Report a Bug | By Email