Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening
Andrew Chi <achi@bbn.com> Fri, 06 April 2012 16:20 UTC
Return-Path: <achi@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B378E21F853E for <sidr@ietfa.amsl.com>; Fri, 6 Apr 2012 09:20:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vu+eM0e3O6eu for <sidr@ietfa.amsl.com>; Fri, 6 Apr 2012 09:20:44 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id D5B6E21F851E for <sidr@ietf.org>; Fri, 6 Apr 2012 09:20:43 -0700 (PDT)
Received: from dhcp89-089-139.bbn.com ([128.89.89.139]:64899 helo=[127.0.0.1]) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <achi@bbn.com>) id 1SGBtd-0009lY-6h; Fri, 06 Apr 2012 12:20:21 -0400
Message-ID: <4F7F17D0.7020901@bbn.com>
Date: Fri, 06 Apr 2012 12:20:32 -0400
From: Andrew Chi <achi@bbn.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Shane Amante <shane@castlepoint.net>
References: <64B29EFD-5C6E-4D0C-8E4F-92A2B5A86279@castlepoint.net> <p06240803cb99d283e548@[10.108.69.44]> <8D2985D4-07C3-42EE-A694-DAF24D34F84A@castlepoint.net> <4F7EFD25.5020709@bbn.com> <6D97C133-3EFD-4FD5-98B3-942530BD543C@castlepoint.net>
In-Reply-To: <6D97C133-3EFD-4FD5-98B3-942530BD543C@castlepoint.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2012 16:20:44 -0000
On 4/6/2012 11:21 AM, Shane Amante wrote: > a) BGP performs loop detection on the AS_PATH attribute *before* verifying any BGPSEC_Path_Signature, in which case you drop the UPDATE, thus causing a DoS because you're not propagating what *may* be legitimate reachability info further downstream. Right, I'm familiar with loop detection and K/P. If someone has modified AS_PATH to cause another AS to drop it, then they inserted someone else's AS. This no longer counts as "legitimate reachability info", and therefore it should be dropped, and the sooner the better. It sounds like there's another issue mixed up in here (but perhaps not in scope of the -bgpsec-threats document): you're trying to resolve the ambiguity on what to do with AS_PATH, as Matt notes at the end of the following section. http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-02#section-5 EDITOR'S NOTE: Text will be inserted here for dealing with the AS_PATH attribute. Note that the BGPGSEC_Path_Signatures attribute now contains all of the information needed to construct the AS_PATH attribute. Therefore, there seem to be two options. One option the BGPSEC speaker checks the AS_PATH attribute against the information in the BGPSEC_Path_Signatures attribute and returns "Not Good" if the two do not match. The other option is that the BGPSEC speaker discards anything in the AS_PATH attribute and reconstructs the AS_PATH from the data in the BGPSEC_Path_Signatures attribute. I believe that there are no interoperability problems if the choice between these two options is left up to the BGPSEC speaker. > b) BGP performs loop detection on the AS_PATH attribute only /after/ verifying the BGPSEC_Path_Signature is valid, in which case there is a /potential/ for another type of DoS, because there will always be a limited amount of crypto verifications/sec that can be performed. There's also the concern that this will slow down propagation of reachability information, because it first needs to be crypto-verified before it's used/propagated. Note, this is unlikely to be a problem during "steady-state", but is more likely to appear during some amount of churn in BGP due to link and/or router failures, for example. Yes, this is true -- there's always DoS by feeding garbage to your neighbor, BGPSEC or not, but crypto lets you waste more CPU. DoS on a BGP router is mentioned briefly at the end of 4.1 -- would you like more text?
- [sidr] draft-ietf-sidr-bgpsec-threats-02: Path sh… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Jakob Heitz
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Murphy, Sandra
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Sriram, Kotikalapudi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Robert Raszuk
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Jakob Heitz
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Sriram, Kotikalapudi
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Murphy, Sandra
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Montgomery, Douglas
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Murphy, Sandra
- [sidr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] No BGPSEC intradomain ? Warren Kumari
- Re: [sidr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Warren Kumari
- Re: [sidr] [Idr] No BGPSEC intradomain ? Montgomery, Douglas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jakob Heitz
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jakob Heitz
- Re: [sidr] [Idr] No BGPSEC intradomain ? Randy Bush
- Re: [sidr] [Idr] No BGPSEC intradomain ? Randy Bush
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Paul Jakma
- [sidr] iBGP, BGPSEC and incremental deployment (w… Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jakob Heitz
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Brian Dickson
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Paul Jakma
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jakob Heitz
- Re: [sidr] [Idr] iBGP, BGPSEC and incremental dep… Brian Dickson