IETF Logo Mail Archive

Re: [sidr] BGPSEC Threat Model ID

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 07 November 2011 19:08 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BF5211E80A3 for <sidr@ietfa.amsl.com>; Mon, 7 Nov 2011 11:08:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.589
X-Spam-Level:
X-Spam-Status: No, score=-3.589 tagged_above=-999 required=5 tests=[AWL=0.010, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hTSSIbX4qSDr for <sidr@ietfa.amsl.com>; Mon, 7 Nov 2011 11:08:45 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id B5ACA11E80A0 for <sidr@ietf.org>; Mon, 7 Nov 2011 11:08:44 -0800 (PST)
Received: by faas12 with SMTP id s12so6498615faa.31 for <sidr@ietf.org>; Mon, 07 Nov 2011 11:08:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=us6ksHH/QCfM9qgeJxvXccD/JSz2TV1YNwMNpFTWIjA=; b=adDvFR3se78pme51WW+xrZJNpwalnq1Shs5+eLRNys0YYI2K85xoKocjTFXpduiLGC 8oyj5+7C2pInx9sc3yE/8mjReeH2lkSR1A1tGTJh7LqW4MODlMpWe0sk6M1JcmHYiy43 dDIFA68QWomoHDzXKfhxORPmiFwEXoi4U9yxA=
MIME-Version: 1.0
Received: by 10.223.76.27 with SMTP id a27mr48778145fak.12.1320692923671; Mon, 07 Nov 2011 11:08:43 -0800 (PST)
Received: by 10.223.54.15 with HTTP; Mon, 7 Nov 2011 11:08:43 -0800 (PST)
In-Reply-To: <m2sjm31hzw.wl%randy@psg.com>
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@193.0.26.186> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@193.0.26.186> <D9A38669-883D-4090-9F95-BC5C63220950@tcb.net> <p06240801cad800485596@193.0.26.186> <EEBF68E0-FAD9-4AF3-B81B-78760D200D9B@tcb.net> <p06240808cad85ff73d61@193.0.26.186> <080F8FFF-D2C7-4414-B53A-233F88D2009F@vpnc.org> <CAFU7BATC-6DUDNuadakwSa5wj0ryy0=49=XveBXD5Wv=5JL-ag@mail.gmail.com> <m2aa8c489s.wl%randy@psg.com> <53FA9B4A-552C-4998-8F69-592A0F5AA13B@verisign.com> <CAL9jLaZj1wcmDnbm1f9=csUv2Uuq_w3rS6UEYmUHAQDPWT9zFg@mail.gmail.com> <CAH1iCiqmRjPTX7RFK+q=CJRWv9qwdMGdRc_G7GhKrV57dM-K3w@mail.gmail.com> <m2sjm31hzw.wl%randy@psg.com>
Date: Mon, 07 Nov 2011 14:08:43 -0500
Message-ID: <CAH1iCir8pNM8zUWXCf5CXW9BzrqTEcRrgz=+_38vqpdBvv2WpQ@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Randy Bush <randy@psg.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2011 19:08:45 -0000

On Fri, Nov 4, 2011 at 9:21 PM, Randy Bush <randy@psg.com> wrote:
>> I suspect that it is a case of "accidental back-up transit via a
>> peer".  (I have seen this personally, where it was "malicious" instead
>> of "accidental".)
>
> and i have seen it intentional and pre-agreed.  life is not just simple
> customer, peer, upstream.
>
> randy

I think many of us have seen "special" arrangements, either first-hand,
or involving our customer(s) as one or more of the parties to such an
arrangement.

I think if we categorize neighbors as "customer, transit, peer,
special", that is still useful.

Here's why:
- as a general rule, "special" is negotiated between parties (two, or
more-than-two, doesn't matter)
- it is fine to have "customer" include "customer's customer et al",
and even "customer's special neighbor" iff the customer wants
- except when all the parties are part of a single "special"
arrangements, "special" is non-transitive.
- there can be many pools of "special", even with overlapping membership
- pretty much by definition, "special" pools are contiguous
- outside of that contiguous area, the boundary to that special area
can be treated as a normal AS (by non-participants)
- in fact, special pools could almost be treated like an AS Confederation

The last two points basically say, if we ignore the goings-on within
such a region, applying the simple rules (customer/transit/peer) are
sufficient to prevent leaks crossing any boundary other than between
region members.

Take as a whole, this is more than sufficient benefit to employ, so
long as it is possible for members of such regions to "remove the
safeties".

The exposure is strictly intra-region at that point, which is a lot
better than it is today.

Mechanisms for preventing route leaks don't have to necessarily be
perfect to be useful, IMHO.

Keeping the mechanics themselves simple, and the semantics clear, is
the second most important part. Sensible defaults is the most
important. Third is allowing network admins to disable them as needed.
Kind of analogous to the three laws of robotics, now that I think about it...

Brian

v2.23.0 | Report a Bug | By Email