Re: [Sidr] [OPSEC] pccw as17557 leak...

Stephen Kent <kent@bbn.com> Thu, 28 February 2008 11:35 UTC

At 8:31 PM -0800 2/27/08, Vishwas Manral wrote:
>Hi Stephen,
>
>The point I raise is that there is a cost associated with this, using
>certificates has a CPU cost associated with it.
>
>I may be missing the point but even if you leave aside the cost of an
>off line server to do this check but if the checks are done on each
>new prefix we can still overload the off line server. If we do things
>like rate limiting we can still have attacks, or cause delays in
>the convergence times.
>
>Thanks,
>Vishwas

I think you are missing the point. So long as the processing is done 
as an offline operation, not as a gating item in routing, it does not 
strike me as a DoS concern. The initial use of the infrastructure is 
analogous to downloading IRR databases and processing the RPSL 
assertions, an operation many ISPs perform today on a daily basis.

More to the point, folks have implemented the necessary software and 
tested it with about 20K certs and CRLs and 10K ROAs, a reasonable 
starting point. I don't have the precise figures in front of me now, 
but I believe their results show that the time to do all the 
processing (on a laptop) is about 20-30 minutes, and the time is 
dominated by the retrieval of the data from online repositories, not 
by the crypto operations per se. For a once-daily, offline
operation, this seems quite reasonable.

Steve