Re: [Sidr] [OPSEC] pccw as17557 leak...

Sandra Murphy <sandy@sparta.com> Thu, 28 February 2008 21:13 UTC

Date: Thu, 28 Feb 2008 16:12:13 -0500
From: Sandra Murphy <sandy@sparta.com>
To: Vishwas Manral <vishwas.ietf@gmail.com>
Cc: Roland Dobbins <rdobbins@cisco.com>, opsec wg mailing list <opsec@ietf.org>, sidr@ietf.org
Subject: Re: [Sidr] [OPSEC] pccw as17557 leak...


On Thu, 28 Feb 2008, Vishwas Manral wrote:

> Hi Sandra,
>
> To further clarify,
>>  The only point I want to add to the discussion is because we have to
>>  verify the Origin only in the first hop peer, we do not need a global
>>  database (as I mentioned we are not saving against malicious attacks
>>  in any case).
> This would mean for someone who gets the information from RIPE does
> not need to necessarily use the mechanism the way it currently stands.
>


As long as:

(a) you were interested in protecting only those prefixes that are managed 
by RIPE - data in RIPE about other prefixes doesn't fall under the 
protection of their security model, and the RIPE database does not 
contain all prefixes,

and

(b) you were comfortable with the trust model of RIPE (they authenticate 
the upload of the data with varying strength of authentication and you 
must get the data, whose assurance you cannot yourself verify, from them
and only them with a protected transport they support).

As an additional wrinkle, I believe that RIPE does allocate prefixes to 
LIRs.  I do not know if the LIRs are required to maintain the RIPE 
security model in their allocations.

--Sandy