Re: [Sidr] [OPSEC] pccw as17557 leak...
Sandra Murphy <sandy@sparta.com> Tue, 04 March 2008 16:36 UTC
Return-Path: <sidr-bounces@ietf.org>
X-Original-To: ietfarch-sidr-archive@core3.amsl.com
Delivered-To: ietfarch-sidr-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EBEE828C62F; Tue, 4 Mar 2008 08:36:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.636
X-Spam-Level:
X-Spam-Status: No, score=-0.636 tagged_above=-999 required=5 tests=[AWL=-0.199, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gviiZSpmkyw2; Tue, 4 Mar 2008 08:36:36 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE74F28C481; Tue, 4 Mar 2008 08:35:43 -0800 (PST)
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62AEF28C6F5; Tue, 4 Mar 2008 08:35:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pCRMZmcwWFjy; Tue, 4 Mar 2008 08:35:36 -0800 (PST)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id CE26A28C6F4; Tue, 4 Mar 2008 08:34:38 -0800 (PST)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id m24GYJdG026841; Tue, 4 Mar 2008 10:34:19 -0600
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.12.11/8.13.1) with ESMTP id m24GYJd8029474; Tue, 4 Mar 2008 10:34:19 -0600
Received: from localhost ([157.185.81.106]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Tue, 4 Mar 2008 11:34:19 -0500
Date: Tue, 04 Mar 2008 11:34:18 -0500
From: Sandra Murphy <sandy@sparta.com>
To: Vishwas Manral <vishwas.ietf@gmail.com>
In-Reply-To: <77ead0ec0803040759p4fad1726m9e175625a13d04a6@mail.gmail.com>
Message-ID: <Pine.WNT.4.64.0803041119370.4228@SANDYM-LT.columbia.ads.sparta.com>
References: <47C4E38E.1070105@bogus.com> <77ead0ec0802281102o3e2efedl479ff6351dca0f63@mail.gmail.com> <Pine.WNT.4.64.0802281604190.2416@SANDYM-LT.columbia.ads.sparta.com> <77ead0ec0803020837s16bccee8ledbc9ae1bb60e117@mail.gmail.com> <7C9DBE28-7B7A-4053-85AE-4B954FFEEC57@ca.afilias.info> <77ead0ec0803040714v4235cff2u65bd247694e30570@mail.gmail.com> <5B7F4259-8CAB-4895-8F26-8BFD0CE7C56B@ca.afilias.info> <77ead0ec0803040727n24b68e0fm5650e8fb6c1b1dc@mail.gmail.com> <77ead0ec0803040736t55871ebex445e6fe31d6ac129@mail.gmail.com> <6AAD8CE4-1A16-4C8D-A883-EC5D4D80D2FD@ca.afilias.info> <77ead0ec0803040759p4fad1726m9e175625a13d04a6@mail.gmail.com>
X-X-Sender: sandy@nemo.columbia.sparta.com
MIME-Version: 1.0
X-OriginalArrivalTime: 04 Mar 2008 16:34:19.0190 (UTC) FILETIME=[9822F560:01C87E15]
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (M4.sparta.com [157.185.61.2]); Tue, 04 Mar 2008 10:34:19 -0600 (CST)
Cc: opsec wg mailing list <opsec@ietf.org>, sidr@ietf.org
Subject: Re: [Sidr] [OPSEC] pccw as17557 leak...
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sidr-bounces@ietf.org
Errors-To: sidr-bounces@ietf.org
On Tue, 4 Mar 2008, Vishwas Manral wrote: > Hi Joe, > > If you saw the mail exchange between Sandra and I, you will notice she > mentioned the reason they have to go ahead with SIDR even though we > have tools available from RIPE. What I have been trying to do is to > figure out weaknesses. in the current infrastructure to get a secure > behavior. As a first step I found out this weakness and updated RIPE/ > Daniel about the same. Please keep in mind that RIPE is not the only IRR. And RIPE can not verify authorization for prefixes and ASs outside its range. So improving RIPE does not buy you what you want. > > As we discussed earlier SIDR does not provide a totally secure > infrastructure. The point here is that SIDR is giving some very basic > improvements in the security, generally in the non-malicious case. Please keep in mind that I have said SIDR does most definitely protect against malicious attacks for those attacks it is addressing. SIDR makes no difference between maliciousness or carelessness in the attacks it counters. There are plenty of malicious and accidental ways to attack routers that are not in the realm of what SIDR is considering now. Maliciousness is not the distinguisher here. To be plain, to say SIDR addresses only non-malicious cases is flat out WRONG. (And sorry for not having pointed that out before, I thought I did.) > The > idea is can we get a similar security with the current infrastructure, > by doing minor improvements. There is a certain cost involved with the > SIDR infrastructure. No, we cannot get similar security with current infrastructure, even with MAJOR improvements to the security of the current infrastructure. The structure of the current infrastructure does not permit similar security to what the RPKI provides. Unless, of course, you want to add all RPKI features to the IRR model, so that the IRR becomes the same as the RPKI. Of course, you adopt the cost as well. --Sandy > > I do not think the SSL channel has not been done because it is > unnecessary. I guess there hasn't been an attack on that side of the > infrastructure yet, but these are well known issues/ attacks in other > fields. > > Thanks, > Vishwas > <snip> _______________________________________________ Sidr mailing list Sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
- Re: [Sidr] [OPSEC] pccw as17557 leak... Stephen Kent
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Sandra Murphy
- Re: [Sidr] [OPSEC] pccw as17557 leak... Sandra Murphy
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Sandra Murphy
- Re: [Sidr] [OPSEC] pccw as17557 leak... Sandra Murphy
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Sandra Murphy
- Re: [Sidr] [OPSEC] pccw as17557 leak... Sandra Murphy
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Joe Abley
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Joe Abley
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Joe Abley
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Sandra Murphy
- Re: [Sidr] [OPSEC] pccw as17557 leak... Vishwas Manral
- Re: [Sidr] [OPSEC] pccw as17557 leak... Curtis Villamizar
- Re: [Sidr] [OPSEC] pccw as17557 leak... Curtis Villamizar
- Re: [Sidr] [OPSEC] pccw as17557 leak... Stephen Kent
- Re: [Sidr] [OPSEC] pccw as17557 leak... Jeffrey Haas