IETF Logo Mail Archive

[sidr] Key learning procedures in BGPsec?

Eric Osterweil <eosterweil@verisign.com> Tue, 17 January 2012 23:36 UTC

Return-Path: <eosterweil@verisign.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4615E1F0C40 for <sidr@ietfa.amsl.com>; Tue, 17 Jan 2012 15:36:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eACdeVpAjtNb for <sidr@ietfa.amsl.com>; Tue, 17 Jan 2012 15:36:54 -0800 (PST)
Received: from exprod6og112.obsmtp.com (exprod6og112.obsmtp.com [64.18.1.29]) by ietfa.amsl.com (Postfix) with ESMTP id 2A2F21F0C35 for <sidr@ietf.org>; Tue, 17 Jan 2012 15:36:53 -0800 (PST)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob112.postini.com ([64.18.5.12]) with SMTP ID DSNKTxYGCNkSaZB/ldmyLJz7nOkS5TJheuIl@postini.com; Tue, 17 Jan 2012 15:36:53 PST
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id q0HNaeoX013293 for <sidr@ietf.org>; Tue, 17 Jan 2012 18:36:40 -0500
Received: from dul1eosterwe-m1.vcorp.ad.vrsn.com ([10.88.30.33]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 17 Jan 2012 18:36:40 -0500
From: Eric Osterweil <eosterweil@verisign.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 17 Jan 2012 18:36:39 -0500
Message-Id: <13269421-8A36-4628-9F1A-30E02B922AE1@verisign.com>
To: "sidr@ietf.org list" <sidr@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-OriginalArrivalTime: 17 Jan 2012 23:36:40.0317 (UTC) FILETIME=[DCBA92D0:01CCD570]
Subject: [sidr] Key learning procedures in BGPsec?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2012 23:36:55 -0000

Hey everyone,

I was walking through the thought exercise of figuring out how BGPsec might be planning to do its crypto key learning (which I see as a two pronged problem that I outline below), and I couldn't seem to find any clear text on this matter in the current drafts.  I think I'm up to date on most of the drafts, but perhaps not?  Can someone point me to the the treatises that clarify:
1 - How are routers in BGPsec going to learn and onboard the crypto certs (ROAs/AOAs/xOAs?) needed to verify the routing updates that they receive from peers?  These certs are clearly going to need to be maintained and updated somewhere in each router's extended memory hierarchy, right?  Without these, updates from other ASes can not be verified...
- and -
2 - How do we envision the process of an AS getting its own private key information installed on all of its routers?*  Without _these_, updates cannot be signed...

*Note: I think this is a subtle, but very critical issue.  If we consider (for example) that multinational ASes have routers all over the world, and that these routers need to be upgraded/replaced/etc sometimes, and that the ASes' private keys are essentially critical secrets (which also will change periodically), then how do we envision addressing the _ongoing_ issue of getting private keys onto routers in faraway places?  For instance, we wouldn't press a private key onto a CD, give it to a FedEx delivery person, and then let it work its way through customs in a foreign country that may (or may not) host entities with a vested interest in acquiring or intercepting such a critical enabling secret, right?  For that matter, what do people think about the issue that a private key could simply be covertly extracted from an AS' routers that are deployed in far off lands?  Wouldn't this kind of compromise be a terrifying security threat to most ISPs?  afaict, this threat directly elevates the importance the vulnerability period that comes between compromise, detection, revocation/reissuing, and the lag that occurs until other routers throughout the routing system learn of the changes to certs.   fwiw, I don't think we can punt on this and claim it is anything other than a first order architectural issue, because of the online nature of BGPsec's signing process.

That said, I'm really hoping that I've just missed/misread some text that addresses these issues.  If that's the case, please forgive the rambling noise, and tia for the pointers... :-}

Eric

v2.23.0 | Report a Bug | By Email