Re: [sidr] BGPSEC Threat Model ID
Danny McPherson <danny@tcb.net> Thu, 03 November 2011 12:06 UTC
Return-Path: <danny@tcb.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F51C1F0C89 for <sidr@ietfa.amsl.com>; Thu, 3 Nov 2011 05:06:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.261
X-Spam-Level:
X-Spam-Status: No, score=-101.261 tagged_above=-999 required=5 tests=[AWL=-1.121, BAYES_00=-2.599, FB_YOU_CAN_BECOME=1.258, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, J_CHICKENPOX_32=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YM4iqTUvU9rm for <sidr@ietfa.amsl.com>; Thu, 3 Nov 2011 05:06:25 -0700 (PDT)
Received: from dog.tcb.net (dog.tcb.net [64.78.150.133]) by ietfa.amsl.com (Postfix) with ESMTP id 8F5761F0C70 for <sidr@ietf.org>; Thu, 3 Nov 2011 05:06:25 -0700 (PDT)
Received: by dog.tcb.net (Postfix, from userid 0) id 110D13780E3; Thu, 3 Nov 2011 06:06:25 -0600 (MDT)
Received: from dul1dmcphers-m1.home (pool-98-118-240-226.clppva.fios.verizon.net [98.118.240.226]) (authenticated-user smtp) (TLSv1/SSLv3 AES128-SHA 128/128) by dog.tcb.net with SMTP; Thu, 03 Nov 2011 06:06:24 -0600 (MDT) (envelope-from danny@tcb.net)
X-Avenger: version=0.7.8; receiver=dog.tcb.net; client-ip=98.118.240.226; client-port=58078; syn-fingerprint=65535:48:1:64:M1460,N,W3,N,N,T,S MacOS 10.4.8; data-bytes=0
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary="Apple-Mail-1-564869998"
From: Danny McPherson <danny@tcb.net>
In-Reply-To: <p06240801cad800485596@[193.0.26.186]>
Date: Thu, 03 Nov 2011 08:06:09 -0400
Message-Id: <EEBF68E0-FAD9-4AF3-B81B-78760D200D9B@tcb.net>
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@[193.0.26.186]> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@[193.0.26.186]> <D9A38669-883D-4090-9F95-BC5C63220950@tcb.net> <p06240801cad800485596@[193.0.26.186]>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1084)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 12:06:27 -0000
On Nov 3, 2011, at 7:09 AM, Stephen Kent wrote: > Having been motived to reread the SIDR charter by Brian's message, there is a simple answer to the in/out of scope question, but it's one you will not like :-). The charter for SIDR states that the secruity goals for the WG are to address two vulnerabilities: authorization for prefix origination and path validation. Relative to the charter, route leaks are out of scope. I will add text to the intro for the threat model to state that the scope of the model is defined by the charter, and include the relevant charter text. I hope you'll forgive me for taking the easy path here. I do not... The charter is temporal and the product of the WG in the form of RFCs will be much more persistent, I'm concerned by a line of reasoning that says "Let's ignore and not even enumerate or concern ourselves with these obvious threats because the current charter [deliberately] says all we have to do is provide semantic validation of the AS_PATH" [and doing anything more would quite possibly NOT be conducive to expedited publication of BGPSEC]. > I agree that the integrity that would result from including this attribute under the sig applied by the first AS would provide the secruity you cited. That may make it worthwhile to protect via the sig. However, the accuracy of the assertion being made by this attribute is unverifiable by any of the ASes along the path, and that was what worried me. But, again, the charter makes this out of scope, i.e., it is not relevant to the origin authorization or path accuracy vulnerabilities cited there. NIce, another threat that shouldn't be listed because it's not in the charter as written or addressed via BGPSEC as is. If that's the case, then all the drafts should include the current revision of the charter and explicit text about ignoring all other threats under these auspices. > That sig provides integrity, which is valuable, but it does not provide a way to verify the accuracy of the assertion by the origin AS. Your concern is that an AS along the route can change the value of the attribute. One might also be concerned that the origin set the value incorrectly. Ultimately, I think this is a bad example for us to argue about, as it is a vestigial part of BGP, from EGP days, that is the penultimate basis for route decisions. No, it is used today and opens up traffic attraction attacks, please don't brush it aside because it's 'penultimate' in the decision process - it is there and it impacts traffic today. > It is up to each RP to decide whether to rely on assertions made by an expired cert, or to act as though the cert does not exist. In the routing context, there appears to be some agreement that relying on expired certs is more desirable > than treating the resources as not certified. But, this is a per-RP decision. There is only room for two states, right? Valid and not valid. Stale == not valid. > Many folks do. This is probably because an expired cert often indicates that > the cert holder was sloppy, and failed to renew the cert, i.e., pay the CA. Expiration is not as negative an indication as revocation. Or because a CA was compromised - we've seen this in the real world with increased frequency, as you well know. > There is a subtly here, and thanks for pointing it out. The idea is that if an RP has a cert, and it was not revoked, then the RP can continue to rely on it, after the cert expires, if the RP is unable to acquire fresh data from the pub point for that cert. If the cert had been revoked, it should not be un-revoked because it expired. And therefore we MUST NOT rely on expired certificates, period. > I think the phrase "undermines the entire system" is melodramatic. How about "you actual assurance may vary?" :-) "house of cards", "village of cards"... > I would prefer more centralization of RPKI data. My original model called for each RIR to aggregate the data for every member, and act as a mirror for the data for every other RIR. But other folks wanted greater distribution. One can argue that wider distribution may offer potentially greater resilience, so ... Yeah, I get it -- until you get to the point where you have to use expired certificates in a PKI and they may have been revoked or may no longer be valid or intended for use but because you can't pick certificates up from some remote portion of the Internet then you relay on stale (i.e., NOT valid) data. Even if "more distributed", I'm not sure that's added resilience, particularly when PKI is employed. > OCSP is an optimization of the CRL mechanism, designed to efficiently answer a revocation status query for a single cert. Since every RP needs to know the revocation status of everycert, OCSP (or an analogous mechanism) does not seem to be a good match. For many years folks have thought that very fast dissemination of revocation status data was important for PKIs. In reality, revocation is an administrative procedure for which the major delays will be > created by people deciding whether to revoke a cert, vs. the time it takes to disseminate the CRL. And I'm saying that if we're going to employ a PKI solution on a distributed loosely coherent resource certification infrastructure that's going to be employed by RPs in a non-determinsitc manner and result in "periodic updates" in the routing system in order to minimize exposure windows, then we ought to look at what architectural approaches can be considered or what new elements invented to minimize unneeded state and churn in the network and maximize resiliency without introducing the possibly for any array of new attacks. We've already seen issues where such an approach has been problematic with DNSSEC in the wake of portions of the Internet being fragmented and causing issues and inability to update certificates in the system at root, TLD and SLD levels, and what you're proposing here is far far more troubling. > There are two types of certs: CA certs and EE certs. > > Because revoking a CA cert has major implications, so such a decision will not be taken lightly. Thus I expect relatively few revocations of CA certs and the principle delay will be procedural. Yes, just as with SSL certificates today - but when they do happen, the more quickly you can become aware of that revocation the better off you;re going to be -- and it's all still inherently reactive from a controls perspective. > All of the EE certs defined so far (not counting router certs for BGPSEC, which have yet to be agreed upon) are embedded in RPKI objects: manifests, ROAs, and GB records. > > A new manifest MUST be published whenever any file at a pub point changes. The CPS template recommends daily CRL issuance, and that seems to be what the RIRs are doing for the pub points that they maintain . Thus it is likely that a new manifest will be issued every day. So, I doubt that many manifest cert will be revoked. But when they are, you better get'm fast... If you're intended to play the "charter says .." card then we're wasting our time. At least I've got my concerns on record for broader reference.. This is unfortunate. -danny
- [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Paul Hoffman
- Re: [sidr] BGPSEC Threat Model ID George, Wes
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID George, Wes
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Jen Linkova
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Sriram, Kotikalapudi
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Jakob Heitz
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Geoff Huston
- Re: [sidr] BGPSEC Threat Model ID Jakob Heitz
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Geoff Huston
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson