Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

Andrew Chi <achi@bbn.com> Fri, 06 April 2012 16:20 UTC

Return-Path: <achi@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B378E21F853E for <sidr@ietfa.amsl.com>; Fri, 6 Apr 2012 09:20:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vu+eM0e3O6eu for <sidr@ietfa.amsl.com>; Fri, 6 Apr 2012 09:20:44 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id D5B6E21F851E for <sidr@ietf.org>; Fri, 6 Apr 2012 09:20:43 -0700 (PDT)
Received: from dhcp89-089-139.bbn.com ([128.89.89.139]:64899 helo=[127.0.0.1]) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <achi@bbn.com>) id 1SGBtd-0009lY-6h; Fri, 06 Apr 2012 12:20:21 -0400
Message-ID: <4F7F17D0.7020901@bbn.com>
Date: Fri, 06 Apr 2012 12:20:32 -0400
From: Andrew Chi <achi@bbn.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Shane Amante <shane@castlepoint.net>
References: <64B29EFD-5C6E-4D0C-8E4F-92A2B5A86279@castlepoint.net> <p06240803cb99d283e548@[10.108.69.44]> <8D2985D4-07C3-42EE-A694-DAF24D34F84A@castlepoint.net> <4F7EFD25.5020709@bbn.com> <6D97C133-3EFD-4FD5-98B3-942530BD543C@castlepoint.net>
In-Reply-To: <6D97C133-3EFD-4FD5-98B3-942530BD543C@castlepoint.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2012 16:20:44 -0000

On 4/6/2012 11:21 AM, Shane Amante wrote:
> a)  BGP performs loop detection on the AS_PATH attribute *before* verifying any BGPSEC_Path_Signature, in which case you drop the UPDATE, thus causing a DoS because you're not propagating what *may* be legitimate reachability info further downstream.

Right, I'm familiar with loop detection and K/P.

If someone has modified AS_PATH to cause another AS to drop it, then 
they inserted someone else's AS.  This no longer counts as "legitimate 
reachability info", and therefore it should be dropped, and the sooner 
the better.

It sounds like there's another issue mixed up in here (but perhaps not 
in scope of the -bgpsec-threats document): you're trying to resolve the 
ambiguity on what to do with AS_PATH, as Matt notes at the end of the 
following section.

http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-02#section-5

    EDITOR'S NOTE: Text will be inserted here for dealing with the
    AS_PATH attribute.  Note that the BGPGSEC_Path_Signatures attribute
    now contains all of the information needed to construct the AS_PATH
    attribute.  Therefore, there seem to be two options.  One option the
    BGPSEC speaker checks the AS_PATH attribute against the information
    in the BGPSEC_Path_Signatures attribute and returns "Not Good" if the
    two do not match.  The other option is that the BGPSEC speaker
    discards anything in the AS_PATH attribute and reconstructs the
    AS_PATH from the data in the BGPSEC_Path_Signatures attribute.  I
    believe that there are no interoperability problems if the choice
    between these two options is left up to the BGPSEC speaker.


> b)  BGP performs loop detection on the AS_PATH attribute only /after/ verifying the BGPSEC_Path_Signature is valid, in which case there is a /potential/ for another type of DoS, because there will always be a limited amount of crypto verifications/sec that can be performed.  There's also the concern that this will slow down propagation of reachability information, because it first needs to be crypto-verified before it's used/propagated.  Note, this is unlikely to be a problem during "steady-state", but is more likely to appear during some amount of churn in BGP due to link and/or router failures, for example.

Yes, this is true -- there's always DoS by feeding garbage to your 
neighbor, BGPSEC or not, but crypto lets you waste more CPU.  DoS on a 
BGP router is mentioned briefly at the end of 4.1 -- would you like more 
text?