Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-validate-02.txt

Pradosh Mohapatra <> Sat, 20 August 2011 06:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3F0A821F8574 for <>; Fri, 19 Aug 2011 23:47:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.399
X-Spam-Status: No, score=-3.399 tagged_above=-999 required=5 tests=[AWL=-0.800, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gLKbizRx-2H4 for <>; Fri, 19 Aug 2011 23:47:17 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4038D21F8568 for <>; Fri, 19 Aug 2011 23:47:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2485; q=dns/txt; s=iport; t=1313822896; x=1315032496; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=qFg0q89JwrUb+l/65SSzsN6621Aelr5PM15O13j0flE=; b=R22XY2gNol6HMpmRn7smwwHqtgIRthRHs4p/Qh68GOuzJmKcAxcbr75t VLPJD02GfQIENYbYzxhnOBUURUV/m3TcmLQj1a1rLrq75207ynaLRX1hL ACVS4l/KKiqpyFo93EroJB45fxG8MJ8x5vssG+3oJMwcfKgmet0/wDkhn g=;
X-IronPort-AV: E=Sophos;i="4.68,254,1312156800"; d="scan'208";a="14891998"
Received: from ([]) by with ESMTP; 20 Aug 2011 06:48:15 +0000
Received: from ( []) by (8.14.3/8.14.3) with ESMTP id p7K6mFN9016669; Sat, 20 Aug 2011 06:48:15 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Pradosh Mohapatra <>
In-Reply-To: <>
Date: Fri, 19 Aug 2011 23:53:34 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <>
To: Roque Gagliano <>
X-Mailer: Apple Mail (2.1084)
Cc: " wg" <>
Subject: Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-validate-02.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 20 Aug 2011 06:47:18 -0000

Hi Roque,

>>> Security Consideration:
>>> I think you need to consider what you already mentioned in section 4, if the connectivity to the local-caches is lost, invalid routes will be classified as "not-found", which could have a different set of local policies.
>> Is this different from current behavior?
> Not sure what do you refer for "current behavior". My point was that in the security considerations you should point to the analysis in Section 4 on loosing connectivity to the cache servers.
> Example:
> 	Router set loc-pref 100 for "valid" and loc-pref 50 for "not-found".
> 	If the router looses connectivity with caches, either by operational issues or by malicious event (on the cache/ the router or the network between the two), the set of prefixes that should be "valid" based on RPKI will be classified as "not found" and loc-pref set to 50.

Does the following suffice for the security considerations section? Note the added sentence in emphasis  "_Similarly..."

   Although this specification discusses one portion of a system to
   validate BGP routes, it should be noted that it relies on a database
   (RPKI or other) to provide validation information.  As such, the
   security properties of that database must be considered in order to
   determine the security provided by the overall solution.  If
   "invalid" routes are blocked as this specification suggests, the
   overall system provides a possible denial-of-service vector, for
   example if an attacker is able to inject one or more spoofed records
   into the validation database which lead a good route to be declared
   invalid.  _Similarly, if the connection to the cache is lost for whatever
   reason, the integrity of the database is no longer maintained. This
   may result in undesired behavior._ In addition, this system is only able 
   to provide limited protection against a determined attacker -- the 
   attacker need only prepend the "valid" source AS to a forged BGP 
   route announcement in order to defeat the protection provided by  
   this system.  This mechanism does not protect against "AS in the 
   middle attacks" or provide any path validation.  It only attempts to 
   verify the origin. In general, this system should be thought of more 
   as a protection against misconfiguration than as true "security" in 
   the strong sense.

- Pradosh