Re: [sidr] Some comments on draft-ietf-sidr-bgpsec-threats-02
Stephen Kent <kent@bbn.com> Tue, 28 August 2012 09:33 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 319BD21F84D2 for <sidr@ietfa.amsl.com>; Tue, 28 Aug 2012 02:33:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.326
X-Spam-Level:
X-Spam-Status: No, score=-105.326 tagged_above=-999 required=5 tests=[AWL=-1.142, BAYES_40=-0.185, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dpgocIZvReK8 for <sidr@ietfa.amsl.com>; Tue, 28 Aug 2012 02:33:08 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id B088121F849C for <sidr@ietf.org>; Tue, 28 Aug 2012 02:33:07 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:58180 helo=fritz.local) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1T6IAT-000ByZ-EY; Tue, 28 Aug 2012 05:33:06 -0400
Message-ID: <503C904F.2040609@bbn.com>
Date: Tue, 28 Aug 2012 05:33:03 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: sidr@ietf.org, danny@tcb.net
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F5604B@Hermes.columbia.ads.sparta.com> <CAH1iCiorpj6N55B9RQCvWcTgEbUZ+Vgcr4Hhc-+h8A93U8HbHA@mail.gmail.com> <F849E612-7B72-47B2-B578-CC43EEE67510@tcb.net>
In-Reply-To: <F849E612-7B72-47B2-B578-CC43EEE67510@tcb.net>
Content-Type: multipart/alternative; boundary="------------030800060803080209010501"
Subject: Re: [sidr] Some comments on draft-ietf-sidr-bgpsec-threats-02
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2012 09:33:20 -0000
Danny, here are replies to the issues you raised wrt the threats doc. Steve -------- I am surprised that external systems (e.g., NTP) are not mentioned at all in this document? *I will add some text to note that the use of certificates, CRLs, and other RPKI signed products requires access to a reliable (though not highly precise) time source by the devices that process them. For the RPKI, the current deployment model calls for such processing to be performed by servers, not routers. For BGPSEC, the need for a reliable time source may extend to routers, if BGPSEC path signatures carry an expiration time. * Also, this document makes no distinction between eBGP and iBGP speakers, yet there are certainly places where text and context would suggest it is certainly necessary. Some hints of this below. *I will add text noting that the focus of the doc is eBGP, not iBGP.* I believe this document needs a major overhaul before publication as a WG document. More comments below.. -danny ===== ABSTRACT 1) Regarding "Intended Status: Standards Track", I'd expect any standalone Threat Model draft would be should be Informational. *Agree. Fixed.* 2) " Enabling an AS to verify that the AS-PATH represented in a route matches the path travelled by the NLRI for the route" 2.1): s/AS-PATH/AS_PATH/ *fixed.* 2.2): I do not believe that even BGPSEC does this. Instead, in introduces a new attribute which BGPSEC secures, and it forces no parity between the new attribute and the old attribute. See 3) below, but absent some clarification of this I am not comfortable with this text as written. *This text is taken from the charter (including the "AS-PATH" typo). A discussion of whether the BGPSEC design addresses this charter goal may be appropriate for the BGPSEC architecture document, but not here. * ** ===== INTRODUCTION 3) I'm not comfortable with the document as written, per it suggests that the term "BGPSEC" == BGP Path Security, yet even the proposals received for BGPSEC in the WG only introduce new attributes, they do not secure the BGP AS_PATH attribute, nor do they force parity between the globally deployed BGP AS_PATH attribute and the new attributes they propose. *Your comment caused me to realize that I ought not be addressing BGPSEC in this document. BGPSEC is a proposed solution and thus not the focus of a threat analysis which, in turn, is intended to be an input to a requirements document. I'll remove all BGPSEC references. * 4) "This model also takes into consideration classes of attacks that are enabled by the use of BGPSEC (based on the current BGPSEC design.)" A stable reference for "current BGPSEC design" is in order here. *As noted above, I'm removing all references to BGPSEC. * 5) "i.e., for the links that connect BGP routers." By "links" here I assume you mean "transport connections"? *I meant the telecom links that connect eBGP speakers, but talking in terms of BGP/TCP sessions seems OK. I'll edit the text accordingly.* 6) Can you explain what this means, I'm not sure how RPKI by itself provides this: "secure route origination foundation offered by use of the RPKI." The operative word "secure" appears to be used rather loosely there, particularly when talking about BGP. Perhaps "route origin validation" and a reference to RPKI-RTR would be more appropriate - i.e., if it's not effectuated in BGP speaking routers through some mechanism it doesn't matter whether it's in the RPKI or not. Conflating the two tends to cause confusion in the operations community, methinks. *I have changed the text use the phrasing you suggested, and have included the relevant cite. * 7) This text seems to muddy things, as it talks about the design of BGPSEC rather than the Threat Model primitives which informed it's design: " The security model adopted for BGPSEC does not assume an "oracle" that can see all of the BGP inputs and outputs associated with every AS or every BGP router. Instead, the model is based on a local notion of what constitutes legitimate, authorized behavior by the BGP routers associated with an AS. This is an AS-centric model of secure operation, consistent with the AS-centric model that BGP employs for routing. This model forms the basis for the discussion that follows." *I disagree. It is common in academic literature to use an oracle as the basis against which the security of a protocol is measured. That's an appropriate model for protocol security in many contexts, e.g., for a point-to-point connection where a wiretapper would be able to see all of the traffic. It is overkill in this context, and thus I have chosen to explicitly reject it. But, I have removed the reference to any specific solution approach.* ===== TERMINOLOGY 8) While I appreciate the attempt to restate and/or redefine these terms in order to make this a standalone document, references to a large body of previous IETF and SIDR WG documents (much of which at least one of the authors is intimately familiar with for these terms would seem to be far more appropriate. *You're missing a ")" above **J. I don't know which SIDR (vs. IETF) RFCs you have in mind. Please be specific. Restating definitions in a terminology section is common; unless the WG chairs believe this is a bad idea for this document, I'll retain them. If you feel that specific terms have been redefined in a fashion that is inaccurate, please note which ones, and indicate the preferred definitions, and we can revisit them as needed.* 9) A reference to one of your previous (or new) citations may well be in order here: "False (Route) Origination - If a network operator originates a route for a prefix that the network operator does not hold (and that it has not been authorized to originate by the prefix holder, this is termed false route origination." *I looked at several of the RPKI RFCs and didn't see a definition for this term. I believe we added it in response to a request from Sriram. If you have an appropriate cite I can add it. * Also, you're missing closing ")" there.. *Fixed.* 10) I'm not sure I agree with this definition, can you explain? E.g., given that motivatiors are complex in a world of hacktivists and nation-state actors alike, or pay-for-for financially motivated actors, this all seems a bit fuzzing to me. By it's very definition above, if I've classified an entity as malicious ("Adversary - An adversary is an entity (e.g., a person or an organization) perceived as malicious, relative to the security policy of a system. The decision to characterize an entity as an adversary is made by those responsible for the security of a system. Often one describes classes of adversaries with similar capabilities or motivations, rather than specific individuals or organizations."). *You seem to have omitted some words above, so the result is not a sentence. I also don't know what "pay-for-for" means, ...* Furthermore, if I have an adversary that's attempting to procure or develop capabilities to exploit a vulnerability for which they do not have current capabilities, that would seem to render it a threat to me - unless of course, I have complete visibility to their motivations and capabilities, which is highly improbable. *When the adversary acquires the capabilities to carry out an attack, the adversary becomes a threat. If you believe that the adversary has a good chance of acquiring a specific capability (in a time frame of interest), then it is appropriate to treat the adversary as a threat, otherwise not. This characterization of "threat" has been used in defense and diplomatic contexts for decades.* " Threat - A threat is a motivated, capable adversary. An adversary that is not motivated to launch an attack is not a threat. An adversary that is motivated but not capable of launching an attack also is not a threat." ===== THREAT CHARACTERIZATION 11) Regarding this text, a reference to the BGPSEC document to which this This Threat Model subscribes would seem to be appropriate: " If it implements BGPSEC, it will have the ability to issue certificates for its routers, and to sign updates in a fashion that will be recognized by BGPSEC-enabled neighbors." *I've removed all references to BGPSEC.* 12) Also, the above seems to be implying that per router certificates would be required here: "certificates for its routers", can you clarify the intent of this text? *I've changed the text to avoid suggesting that a path security solution requires certificates to be per router vs. per-AS.* 13) "sign updates" seems to be ambiguous, is your intention to suggest that updates are signed, or that new BGP attributes would be introduced that would be contained with existing BGP Update messaging that could be "recognized" by BGPSEC-enabled neighbors? *I've reworded this to avoid the offending language.* 14) Is the phrase "Hackers" even necessary here, or should you not employ "Adversary" as defined in previous sections? *First, it's not clear where "here" is, since you didn't include any quoted text. If you are referring to the discussion of hackers as a class of adversary, then yes, it's necessary to explicitly describe the class of adversary. * 15) Regarding "It is assumed that hackers generally do not have the capability to effect MITM attacks on most links between networks (links used to transmit BGP and subscriber traffic)." given the preceding two sentences, they'd certainly be able to, no? *Not in general. An MITM attack against a link implies an on-path presence, which is not usually a capability of a hacker, e.g., an ability to insert a packet processing device on a link between two (e)BGP speakers. The underlying notion is that such links (in the layer 1, not layer 4 sense) are not accessible to this class of adversaries.* 16) Also, can you define what "subscriber" means in this context, it seems to focus on a particularly type of connection but if I'm reading this correctly, the threat is more ubiquitous. *In this context, a subscriber is a customer of a network operator, and who is not another network operator.* 17) Regarding "A hacker might be recruited, without his/her knowledge, by criminals or by nations, to act on their behalf." This seems to describe a victim or compromised system more than a "hacker", by nearly all conventional definitions, no? *No. The traditional term here is a "false flag" operation, if effected via a nation state. We're not talking about installing malware as a way to make use of the privileges of a legitimate network operator.* 18) Regarding "Hackers may be motivated by a desire for "bragging rights" or for profit." -- again, I think expanding adversary as appropriate, and leaving it at that, might be the simplest solution here. *The intent here is to give examples that distinguish motivations of different classes of adversaries, so using the generic term is not appropriate.* 19) All of the above about "Hackers' applies to the "Criminals" section as well. Again, refining adversaries terminology and applying would perhaps be in order. *The text describing criminal motivations and capabilities is different.* 20) The "Network Operators" section might be more useful if it makes a distinction between benign and malicious activity, although both represent threats, the current text seems to imply malice in all cases -- when it may not have been intentional at all. *I agree that some folks use the term "threat" more generally, to encompass non-malicious behavior, referring to threats as accidental vs. malicious. I have chosen to focus on malicious behavior here. I'll note that explicitly, e.g., by augmenting the definition of "threat."* 21) The "adversary" comments about apply equally to "Nations" as well, methinks, if these represent threats to users of the system. *I disagree, for the same reasons cited in my responses above. The text describing capabilities is distinct for different classes of adversaries and this argues against using the more generic term.* ===== ATTACKS ON A BGP ROUTER 22) A stable reference for "route leaks" would be useful in the document, given the recurring references *If we had one that the WG agreed upon, I'd be happy to insert it. Otherwise, maybe we should just delete the phrase from the document.* 23) Regarding: " Stale Path Announcement: An announcement may be propagated with an origination signature segment that has expired. This behavior violates the BGPSEC spec and is considered a possible replay attack." -- This and other references to "BGPSEC spec" need a stable reference. *I have reworded this to not be BGPSEC-specific.* 24) s/if such a time is mandates,/if such a time is mandated,/ *fixed.* 25) Can you define "Immediate neighbor" here: "Thus only an immediate neighbor of a route originator could be expected to detect this type of attack." Do you mean EBGP neighbor? BGPSEC EBGP neighbor? Or... " *The intent was an eBGP neighbor, which is also a BGPSEC neighbor. But, * 26) s/in injected/injected/ *More likely s/in injected//* 27) Regarding your definition of "Replay Attack", as written unless I'm confused because BGP is stateful no new announcement is required at all (simply suppress withdrawal, no need to re-announce - no?)? *I've removed the redundant comment about re-announcing.* ===== ATTACKS ON NETWORK OPERATOR MANAGEMENT COMPUTERS 28) define "RP Tools" ** *Software used by an RP to process RPKI signed products, consistent with RFCs 6486, 6487, 6488, 6490, and 6491.* 29) Here and in elsewhere first use of acronyms should be expanded (e.g., CRL, etc.) *Agreed, we'll revisit the text to verify that first uses of acronyms are expanded.* 30) Section 4.3 and throughout the document seems to conflate RPKI use by operators and BGPSEC-enabled routers, while an attempt (intro of S.4) was made to define 3 classes of attacks that decouple these elements. Honoring these three classes and cleanly delineating would make the document much clearer. For example, this _could happen even if the local network were not BGPSEC-enabled, no?: "If the network operator is BGPSEC-enabled, and the adversary invoked a tool used to request certificates, it could replace valid certificates for routers with ones that might be rejected by BGPSEC enabled neighbors." *I agree that we should keep separate attacks that apply to vanilla BGP, the RPKI context, and to the BGPSEC context. However, the example you gave is not one that crosses this boundary. This attack is describing replacement of router certificates, so it applies only to a network that is BGPSEC-enabled, and thus would publish router certificates. The text has been changed to reflect removal of all BGPSEC references.* ===== ATTACKS ON A REPOSITORY PUBLICATION POINT 31) s/ inside or an external threat/ insider or an external threat/ ? *Fixed.* 32) This seems to entirely gloss over the fact that the local systems and remote systems will likely in practice handle expired data in very different ways, and it seems to suggest that data should not be purged until replaced (what if it's replaced with something compromised), and that that information should ever be used anyway (using expired data can causes other systems to need to purge it in BGPSEC, no?): "If repository publication points are unavailable or the retrieved data is corrupted, an RP can revert to using the cached data This behavior helps insulate RPs from the immediate effects of DoS attacks on publication points." *What do you mean by local vs. remote systems? Are you referring to RPKI pub points vs. RP caches? The repository RFC says nothing about a repository removing data because the data is stale, There is no assumption that an entity operating a repository will scan its contents and delete expire certificates or stale CRLs.* ** *While it is always preferable to use current, validated data from the RPKI repository system, it is not unreasonable to use stale data in the absence of current, validated data. Ultimately this decision is up to each RP, but discarding stale data just because it's stale is not usually a great strategy. Consider my driver's license (which ought not be used to identify me except in the context of driving or renting a car). It is probably just as valid an ID the day after it expires as it was the day before.* 33) This seems like bad advice to me and should be removed: "Each RP will decide, locally, whether to continue to make use of or ignore cached RPKI objects that are stale or expired." We're suggesting we build and employ this whole system and yet the threat model says we should use expired data in a PKI? *I disagree. I think it is good advice and it is not inconsistent with how many systems operate today when RPs lack access to the freshest PKI data. * 34) Regarding this text, what if there is no "older object", or if this is precisely the behavior the adversary aimed to trigger: "If an adversary deletes one or more CA certificates, ROAs or the CRL for a publication point, the manifest for that publication point will allow an RP to detect this attack. (The RP would be very unhappy if there is no CRL for the CA instance anyway.) An RP can continue to use the last valid instance of the deleted object as a local policy option), thus minimizing the impact of such an attack. *If there is no older (valid) object instance in the RP's cache, then the RP cannot make use of it, and it is as though the object did not exist. Yes, an adversary can exploit this RP behavior, but is that worse that having an RP ignore the old (valid) data? Consider a generic PKI, that uses CRLs (not OCSP). If an adversary suppresses publication of the next CRL (as specified by the next Update field), what should RPs do? All of the previously revoked certificates are still revoked (ignoring the PKIX-deprecated CRL entry extension that can undo revocation). So, it makes sense to keep using the old CRL until a current one can be acquired, CRLs do not expire; they become stale. Yes, RPs ought to engage in some OOB action to try to cause a current CRL to be posted, but in the meantime ... * 35) Regarding the above, what should an RP do when they detect such an attack? *The Ghostbusters record was developed to provide a means for alerting pub point maintainers of this sort of problem. It was specified after we generated this text, so we can add a pointer to it now.* 36) Is this feedback loop a requirement of the system; "Such behavior should result in the CA (or publication point maintainer) being notified of the problem. An RP can continue to use the last valid instance of the deleted " *This is not a requirements document, so the question, in that form, in not applicable.* 37) How does this happen?: " This alerts an RP that there may be a problem, and, hopefully, the entity responsible for the publication point will be asked to remedy the problem (e.g., republish the missing CA certificates and/or ROAs). *See comment above re Ghostbusters.* 38) Is this an actual recommendation you're making? This seems like a really bad idea to me, "An RP cannot know the content of the new certificates or ROAs that are not present, but it can continue to use what it has cached." *Again, I disagree, for the reasons noted earlier.* 39) s/be un aware/be unaware/ *Fixed.* 40) This seems to contradict your previous recommendation where you suggest that if stale or expired data exists that an RP should use it: "INRs associated with these objects will be treated as unauthenticated." *No. This text refers to "...certificates or ROAs that are not present."* 41) Hope? "Here too the hope is that the CA will be notified of the problem (by RPs) and will remedy the error." *Gee, I didn't mean to sound like an Obama supporter. s/hope/goal/* ===== ATTACKS ON AN RPKI CA 42) Section 2 only loosely defines "Adversary", unless I missed something it doesn't define various types of adversaries as this text suggests: *Section 3 defined 5 classes of threats. Since a threat is a motivated capable adversary, ...* "All of adversaries listed in Section 2 are presumed to be capable of launching attacks against the computers used to perform CA functions." As noted previously, collapsing the rather ambiguous terms you introduce in section 3 into section 2's "Adversary" set might make sense. *See response above.* 43) "(as first noted by Pogo)" -- Reference/ *fixed.* ===== RESIDUAL VULNERABILITIES 44) The difference here is that if that information is used to sign updates in the routing system which are propagated to BGPSEC-enabled routers then using stale data can cause considerable churn or non-deterministic behaviors (including forwarding loops_ in the routing system. Unless I'm missing something, this is an incredibly bad idea: " 1. The RP may choose to make use of its local cache, employing local configuration settings that tolerate expired or stale objects. (Such behavior is, nominally, always within the purview of an RP in PKI.) Using cached, expired or stale data subjects the RP to attacks that take advantage of the RP's ignorance of changes to this data." *I've already address the question of whether it makes sense for an RP to use validated but stale data.* 45) Here are you suggesting that BGPSEC should (will) protect the BGP AS_PATH, or introduce a new attribute? "BGPSEC signatures do not protect all attributes associated with an AS_path. " ** *addressed as part of removing all BGPSEC references.* Either way, some text about divergence between a BGPSEC path and a brand new attribute would seem to be in order -- although in a previous section and certainly not in a residual threats section. *See comment above. * 46) s/AS_path/AS_PATH/ *fixed.*
- [sidr] WGLC on draft-ietf-sidr-bgpsec-threats-02 Murphy, Sandra
- Re: [sidr] WGLC on draft-ietf-sidr-bgpsec-threats… Brian Dickson
- Re: [sidr] WGLC on draft-ietf-sidr-bgpsec-threats… Murphy, Sandra
- Re: [sidr] WGLC on draft-ietf-sidr-bgpsec-threats… Brian Dickson
- Re: [sidr] WGLC on draft-ietf-sidr-bgpsec-threats… Brian Dickson
- Re: [sidr] WGLC on draft-ietf-sidr-bgpsec-threats… Christopher Morrow
- [sidr] Some comments on draft-ietf-sidr-bgpsec-th… Danny McPherson
- Re: [sidr] Some comments on draft-ietf-sidr-bgpse… Stephen Kent
- Re: [sidr] Some comments on draft-ietf-sidr-bgpse… Danny McPherson
- Re: [sidr] Some comments on draft-ietf-sidr-bgpse… Andrew Chi
- Re: [sidr] Some comments on draft-ietf-sidr-bgpse… Andrew Chi
- Re: [sidr] Some comments on draft-ietf-sidr-bgpse… Andrew Chi