RE: [RPSEC] FW: AS 8437 announced a quarter of the net for half of an hour
"william(at)elan.net" <william@elan.net> Tue, 15 August 2006 04:48 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1GCqqe-0006uV-Tq; Tue, 15 Aug 2006 00:48:16 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1GCqqd-0006uQ-Pb
for rpsec@ietf.org; Tue, 15 Aug 2006 00:48:15 -0400
Received: from sokol.elan.net ([216.151.192.200])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GCqqc-0001IW-Bl
for rpsec@ietf.org; Tue, 15 Aug 2006 00:48:15 -0400
Received: from sokol.elan.net (sokol [127.0.0.1])
by sokol.elan.net (8.13.1/8.13.1) with ESMTP id k7F4mAti024327;
Mon, 14 Aug 2006 21:48:10 -0700
Received: from localhost (william@localhost)
by sokol.elan.net (8.13.1/8.13.1/Submit) with ESMTP id k7F4mA0A024324;
Mon, 14 Aug 2006 21:48:10 -0700
X-Authentication-Warning: sokol.elan.net: william owned process doing -bs
Date: Mon, 14 Aug 2006 21:48:09 -0700 (PDT)
From: "william(at)elan.net" <william@elan.net>
To: tony.li@tony.li
Subject: RE: [RPSEC] FW: AS 8437 announced a quarter of the net for half of
an hour
In-Reply-To: <00a101c6c020$3ec08a50$807d14ac@tropos.com>
Message-ID: <Pine.LNX.4.62.0608142112140.12655@sokol.elan.net>
References: <00a101c6c020$3ec08a50$807d14ac@tropos.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
Cc: rpsec@ietf.org, 'Iljitsch van Beijnum' <iljitsch@muada.com>
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org
On Mon, 14 Aug 2006, Tony Li wrote:
>> I think Tony's point is that no one should be accepting these. Almost
>> all cases of bogus routing that has done damage was accidental. There
>> have been some incidents of intentional bogus routes injected as an
>> attack that I know of but these are (or used to be) far less common.
>
> Correct. The difference between these 'mistakes' and an attack is only
> one of intent, and a functional security system should render both
> ineffective.
Ok. Lets look at this problem then...
Currently we have proposal being worked on at SIDR WG to provide
allow verification of routing cryptographic identity. Ultimately
if deployed we'll have information about all assigned/allocated
ip blocks. In such a case if routing announcement comes in and
it does not have an allocation->routing certificate available then
a router can discard such an announcement.
However this is ultimately 20+ years from now (I maybe even a bit
too optimistic), more likely is that after this begin to get
deployed, we'll see only few ip blocks that can be cryptographically
verified. So the questions that come to mind are:
1. What happens if an ip block has cryptographic identity in the
repository but announcement is smaller then this block?
- My current answer is to block it but this may not work
since it maybe block for large ISP that has allocated parts
to smaller ISPs that did not yet get their routing
announcements signed.
2. What happens if the announcement is larger then the ip block
with cryptographic identity in the repository?
- Again I'd prefer to block this but it is always possible
this maybe an aggregation and its possible that the
cryptographic identity is for smaller ISP or end-user
where as larger ISP that ownes ip block has not yet
deployed the extensions (this is probably impossible
if we take hierarchical approach with RIRs being root,
then direct allocation, etc; however my understanding
is that SIDR does not require hierarchical approach and
so in practice this maybe possible).
3. What happens if the announcement is from the is space that
has not been allocated (such as what happened with AS8437
and that started this thread)?
- For this I've heard on last WG meeting an idea that
IANA would sign special CERT stating that no announcements
would come from the ip block. I don't know how likely
is it however that IANA would do it and how soon
(i.e. consider what IANA [has not] done on DNSSEC).
Also I don't have a clear idea if SIDR WG would add new extensions
to BGP or not (if I understood not) like S-BGP was supposed to do.
Because if it does not happen we can still have cases when ip block
with proper route in the repository and listed origin AS1 would be
improperly announced by AS2 with path "AS2 AS1" and this would
appear to be ok. The only way I see where this can be noticed if
we have additional attribute as part of BGP route that is actually
data signed by public key of AS1 (and this should be real-time data
including timestamp so it could not be replayed).
--
William Leibzon
Elan Networks
william@elan.net
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
- [RPSEC] FW: AS 8437 announced a quarter of the ne… Tony Li
- Re: [RPSEC] FW: AS 8437 announced a quarter of th… Iljitsch van Beijnum
- Re: [RPSEC] FW: AS 8437 announced a quarter of th… Curtis Villamizar
- RE: [RPSEC] FW: AS 8437 announced a quarter of th… Tony Li
- RE: [RPSEC] FW: AS 8437 announced a quarter of th… william(at)elan.net
- RE: [RPSEC] FW: AS 8437 announced a quarter of th… Tony Li
- Re: [RPSEC] FW: AS 8437 announced a quarter of th… Curtis Villamizar
- Re: [RPSEC] FW: AS 8437 announced a quarter of th… Iljitsch van Beijnum