Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

Stephen Kent <> Thu, 29 March 2012 09:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BDD6221F8A1F for <>; Thu, 29 Mar 2012 02:16:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.407
X-Spam-Status: No, score=-106.407 tagged_above=-999 required=5 tests=[AWL=0.191, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8QoJACrO6lbO for <>; Thu, 29 Mar 2012 02:16:20 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 829DE21F8A17 for <>; Thu, 29 Mar 2012 02:16:19 -0700 (PDT)
Received: from ([]:51600 helo=[]) by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1SDBSd-000EdZ-5y; Thu, 29 Mar 2012 05:16:03 -0400
Mime-Version: 1.0
Message-Id: <p06240803cb99d283e548@[]>
In-Reply-To: <>
References: <>
Date: Thu, 29 Mar 2012 05:07:38 -0400
To: Shane Amante <>
From: Stephen Kent <>
Content-Type: multipart/alternative; boundary="============_-879109920==_ma============"
Cc: sidr wg list <>
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Mar 2012 09:16:21 -0000


>To expand on my comments at the mic earlier today on this draft, I 
>think there is universal acknowledgment that there should be 
>statements that attacks involving path shortening should be 
>acknowledged as a "threat" in this document.

Section 4.2, near the top of page 12,  addresses this attack, in the 
BGPSEC context:

       Secure Path Downgrade: A router might remove signatures from a
       BGPSEC update that it receives, when forwarding this update to a
       BGPSEC-enabled neighbor.  This behavior violates the BGPSEC spec
       and thus is considered an attack.

This is the path shortening attack, expressed in terms of an attack 
against a BGPSEC-protected path.

>OTOH, with respect to path-lengthening, my comment was NOT aimed at 
>the normal, operation practice of AS_PATH prepending for the 
>purposes of Traffic Engineering.

Section 4.2, bottom of page 11, says:

       AS Insertion: A router might insert one or more ASNs, other than
       its own ASN, into an update message.  This violates the BGP spec
       and thus is considered an attack.

This seems to address the K/P attack, in the BGPSEC context.

>The larger point here is that documenting, preferably in this I-D, 
>the Kapela/Pilsov threat and other threats related to 
>upgrade/downgrade threats discussed at the Prague IETF allows us to 
>more holistically consider whether, or not, BGPSEC addresses it.

So, ignoring the "threat" vs. "attack" terminology issue that we 
discussed at the mic :-), I could add some text to describe classes 
of attacks in terms of vanilla BGP, as well as BGPSEC.  But, RFC 4272 
already did this in a fair level of detail, so I didn't see the need 
for this doc to include an attack enumeration for BGP.

When discussing security, it is generally preferable to define what 
constitutes secure or "correct" operation for a protocol, rather than 
trying to enumerate attacks against the protocol. If one wants to be 
more specific, then one can
describe classes of attacks, and provide some illustrative examples. 
That's what we have tried to do here.

Not sure I understand you last comment:

>d)  Further, what if an attacker did this to valid, BGPSEC-signed 
>paths that he/she was originating and/or receiving and propagating 
>downstream toward other ASN's?