Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
"Montgomery, Douglas (Fed)" <dougm@nist.gov> Wed, 04 January 2017 20:00 UTC
Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A917129ACD; Wed, 4 Jan 2017 12:00:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zx8mfzlD5rNQ; Wed, 4 Jan 2017 12:00:18 -0800 (PST)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0101.outbound.protection.outlook.com [23.103.200.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABCA2129ADE; Wed, 4 Jan 2017 12:00:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=X/RRNlguF/W1FTuktM+3IS3YyEVVNwU9wCbwy90qKLk=; b=tC2dQ3j/lC1c6BuZq0TIkJgmAkcaYet7BIsr2THeVeDzQMENzbiFeRgCpfI8KFqwZfiMvT19QFNgCamGX9HyFzRTZJ8qXFSja0Ydrd9wf1s0yd+670XWuWxG54aEjUtJri+fGc5qQwNUVZR/HFVPdxwKY/eHIvHORYaKpP2X22I=
Received: from BN6PR09MB1426.namprd09.prod.outlook.com (10.173.202.14) by BN6PR09MB1425.namprd09.prod.outlook.com (10.173.202.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.817.10; Wed, 4 Jan 2017 20:00:14 +0000
Received: from BN6PR09MB1426.namprd09.prod.outlook.com ([10.173.202.14]) by BN6PR09MB1426.namprd09.prod.outlook.com ([10.173.202.14]) with mapi id 15.01.0829.003; Wed, 4 Jan 2017 20:00:13 +0000
From: "Montgomery, Douglas (Fed)" <dougm@nist.gov>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Russ Housley <housley@vigilsec.com>
Thread-Topic: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
Thread-Index: AQHSZpHm+sFsRlTcAUq59z5oqx6cVKEosxWAgAACfgD//7O6AA==
Importance: low
X-Priority: 5
Date: Wed, 04 Jan 2017 20:00:13 +0000
Message-ID: <D492BBD6.6F422%dougm@nist.gov>
References: <148353798879.13011.5291414579598073386.idtracker@ietfa.amsl.com> <B659D894-672F-4059-A001-5C4D1D602470@vigilsec.com> <3ae7d707-3229-2508-7aeb-2cd617aa97fd@cs.tcd.ie>
In-Reply-To: <3ae7d707-3229-2508-7aeb-2cd617aa97fd@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dougm@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.140.29]
x-microsoft-exchange-diagnostics: 1; BN6PR09MB1425; 7:GRC7guWASnerbXE1JbbfImeqxPEfkBIYZPizbC5k3fx0OSHqFLGXlxLJ12e+catPmZMIJgquutpon47ROkoqL41UKrLlzlpqgBnlaAgQwm6FYqiqbSFWZo6LBZ+TkJtE8ZzSxmKn3Kp7aZDlXF9otVOmtrDkhRiVFEUxRrw4Zf64/dy5xH+/0d12U6pD3knjddYfaoaYCxittiKcYdQdN3zl5H2CC9HoXEodd75Jpg2v5/IkBkYso+Ly4nRbi9qqyB8BIFu/TlfRk1Kwa2cLibnVH0joHqzxD5D0Nafurg5Wxq/4dGky5zT5Gn76+MbQoRv3Q/ojEgAAo3yf2G8gIQZXIOwGrVRH4dYPA8x1lA328ALdY2yMaVr39wlexaapwps3jDL2lPmRtw6/HnW58Al1QkWz0jSAzjT4rBDmoVWAMR7Rx1/ZZJN5/bLoenru2bIYGByes7Y0qxBHK6l1hg==
x-forefront-antispam-report: SFV:SKI; SCL:-1SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39850400002)(39450400003)(39410400002)(39860400002)(39840400002)(54094003)(377454003)(189002)(24454002)(199003)(2950100002)(6486002)(5660300001)(101416001)(4326007)(2900100001)(2906002)(83506001)(5001770100001)(3280700002)(81156014)(7736002)(81166006)(8676002)(122556002)(229853002)(68736007)(4001350100001)(50986999)(3846002)(102836003)(25786008)(81686999)(92566002)(6436002)(6116002)(54356999)(54906002)(8936002)(66066001)(76176999)(97736004)(36756003)(189998001)(230783001)(106356001)(86362001)(99286003)(105586002)(106116001)(38730400001)(6506006)(305945005)(77096006)(3660700001)(6512006); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR09MB1425; H:BN6PR09MB1426.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
x-ms-office365-filtering-correlation-id: 0f62757b-a93e-4d04-6c27-08d434dc4bfe
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:BN6PR09MB1425;
x-microsoft-antispam-prvs: <BN6PR09MB1425963404107DF33791852EDE610@BN6PR09MB1425.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(32856632585715);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123562025)(20161123564025)(20161123558021)(20161123555025)(20161123560025)(6072148); SRVR:BN6PR09MB1425; BCL:0; PCL:0; RULEID:; SRVR:BN6PR09MB1425;
x-forefront-prvs: 0177904E6B
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <C8E798E15B4F634DB4608331B5343296@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jan 2017 20:00:13.6815 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR09MB1425
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/A-7xhQ4CjYVHvqY1ETOCvu59fas>
Cc: IESG <iesg@ietf.org>, IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 20:00:21 -0000
Stephen, If I understand your question, I don’t think one can infer anything about the BGP feeds or route selection processes of an AS based upon the traffic a validating cache sends to RPKI repositories. The design of RPKI validating caches (and all implementations that I know of) prefetch and validate RPKI objects independent of BGP traffic processing. That is, they are background processing the entire RPKI, and are not event driven by BGP traffic. As a matter of fact, the RPKI validating cache’s are typically on systems that have no reason to implement BGP at all. Also the RPKI-to-Rtr protocol between the cache and router is batch driven (roughly) by the validation process, not BGP event driven. I.e., the RPKI traffic to a validating cache in an AS with no BGP feeds and one with full BGP feeds is the same, and both independent of BGP event processing. If that was not the supposition of your question … please ignore. dougm — Doug Montgomery, Mgr Internet & Scalable Systems Research at NIST/ITL/ANTD On 1/4/17, 2:33 PM, "sidr on behalf of Stephen Farrell" <sidr-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote: > > >On 04/01/17 19:24, Russ Housley wrote: >> >>> ---------------------------------------------------------------------- >>> >>> >DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> >>> >I have a couple of fairly straightforward things I'd >>> like to briefly discuss... >>> >>> [snip] >>> >>> (3) section 8: Is there a potential exposure here in that a relying >>> party who emits e.g. certificate status checks or cert retrieval >>> queries for an RPKI cert they've not previously seen is exposing >>> something about the set of paths its traffic is likely to follow. >>> (This is similar to why we have OCSP stapling in the web.) IIRC the >>> RPKI specs may cover this but I suspect it'd be worth noting here >>> as well even if so as this represents exposing something about BGP >>> announcement content to off-path parties which I think is new for >>> BGP. Is that a new thing for BGP? (I think the new aspect to the >>> attack is that a bad actor who has already compromised some AS >>> could more easily spot that traffic from the relying party's AS is >>> likely to transit the compromised AS.) >> >> I am not sure what you mean by a "compromised AS,” but it may not >> matters … > >More or less if traffic to/from ASxxxx is visible to an >attacker and/or can be modified by an attacker. That could >be due to collusion between the AS and an attacker for >example, or because an attacker has compromised some routers >within a transit AS. > >> >> If a link goes down, > >I'm not sure this is only if a link goes down. I'd guess the same >risk would exist when any BGPsec path is first seen at a relying >party and where that RP doesn't have all the necessary RPKI stuff >cached before signature validation. > >. and that causes an alternative path to be >> selected, that forces the validation a new path which might involve a >> previously unvalidated AS. If an OCSP responder or repository that >> provides RPKI objects is contacted as part of that validation, then >> some external entities can detect that something is changing. That >> is, stuff not normally validated because it is associated with a >> unselected path gets fetched. > >Right. Sorry to not be clearer on what might become visible to >the network outside the RP's AS - I'm afraid I just don't have all >the RPKI details in my head;-) > >> >> That said, the NOC could fetch a snapshot of the RPKI, then the >> exposure of the switch to a new path can be limited to that AS. This >> assumes that the snapshot uses CRLs, which seems like a very >> reasonable choice in the RPKI. > >Right, I think all that'd be needed for this would be to ack that >there's this (normally fairly minor) new risk and that you can >avoid it if you pre-fetch enough stuff. (As a separate question, >I wonder if the amount of stuff involved in the RPKI is such that >it'd be fairly easy to pre-fetch it all frequently enough to >nearly never hit this problem.) > >Cheers, >S. > >> >> Russ >> >
- [sidr] Stephen Farrell's Discuss on draft-ietf-si… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sean Turner
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Russ Housley
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Mehmet Adalier (Antara Teknik)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Montgomery, Douglas (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Montgomery, Douglas (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Randy Bush