IETF Logo Mail Archive

Re: [sidr] BGPSEC Threat Model ID

Russ White <russw@riw.us> Sat, 05 November 2011 12:34 UTC

Return-Path: <russw@riw.us>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D62921F8922 for <sidr@ietfa.amsl.com>; Sat, 5 Nov 2011 05:34:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.244
X-Spam-Level:
X-Spam-Status: No, score=-2.244 tagged_above=-999 required=5 tests=[AWL=0.355, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wBKp2VntcxzL for <sidr@ietfa.amsl.com>; Sat, 5 Nov 2011 05:34:08 -0700 (PDT)
Received: from ecbiz91.inmotionhosting.com (ecbiz91.inmotionhosting.com [173.205.124.250]) by ietfa.amsl.com (Postfix) with ESMTP id D67CF21F847C for <sidr@ietf.org>; Sat, 5 Nov 2011 05:34:07 -0700 (PDT)
Received: from rtp-isp-nat1.cisco.com ([64.102.254.33]:10166 helo=[10.117.153.102]) by ecbiz91.inmotionhosting.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <russw@riw.us>) id 1RMfRk-0001pE-OJ; Sat, 05 Nov 2011 08:34:04 -0400
Message-ID: <4EB52D41.1040203@riw.us>
Date: Sat, 05 Nov 2011 08:34:09 -0400
From: Russ White <russw@riw.us>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Christopher Morrow <morrowc.lists@gmail.com>
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@193.0.26.186> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@193.0.26.186> <CAH1iCir-UoT+BMOD53oxQ9fdMiGirvaTL0eZDS3A5wVEDuw2LA@mail.gmail.com> <4EB170AD.1030302@riw.us> <CAH1iCiqTST7V=jdHe8R04nfP-0c33NSo9m4gZ_majpx7wUCciw@mail.gmail.com> <CAL9jLaYJjP+K8OgfxvMx5_JSRTQ9pvcKbFuV4WHzpe5YzvGC0g@mail.gmail.com>
In-Reply-To: <CAL9jLaYJjP+K8OgfxvMx5_JSRTQ9pvcKbFuV4WHzpe5YzvGC0g@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ecbiz91.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - riw.us
Cc: sidr@ietf.org
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Nov 2011 12:34:08 -0000

> Did you really mean to sign the next-hop? it seems infeasible...

The constant answer to any challenges to the requirements documents is: 
"We are simply protecting BGP semantics with signatures."

1. Signing a semantic doesn't make it secure.
2. If you're going to claim you're all about protecting BGP semantics, 
then protect all of them, not just one.

> Also, LocalPref is a locally used/determined/created (non-transitive)
> item, adding that set of bits into the signature seems blatantly
> wrong, since the data won't exist when you pass the route outside your
> ASN the verification is going to fail, for every route you send (which
> had a localpref != default), That CERTAINLY seems like something you
> would want to avoid, right?

So what you are saying is that you don't want to protect attributes that 
aren't carried more than one hop through the internetwork --I.e., next 
hop is only carried between one set of (presumably) locally connected 
eBGP peers, so it shouldn't be protected. This leaves us with two problems.

==
1. Since many other attributes carried in this fashion actually impact 
the usability or trustworthiness of a route, what justification can you 
give for not protecting them? Because it's "too hard?"

2. You say:

AS1--AS2--AS3

AS1 shouldn't care about what goes on between AS2 and AS3. But wait... 
Then why should AS1 care about the AS Path interactions between AS2 and 
AS3, precisely? How can AS1 really trust that traffic it sends to AS2 
will actually be forwarded through AS3 if next-hop games are going on 
between AS2 and AS3? Or local pref games are going on within AS2? Or AS3 
is sending AS2 some community that AS2 is locally interpreting in some 
way that would impact AS1's decision about forwarding along that path?

The reality is that local decisions impact the global reliability of 
each piece of routing information.
==

I would posit all this confusion comes from simply not doing a good job 
of defining the problem in the first place. A solution was chosen first, 
and then a problem set found that this specific solution could "solve" 
(and no other!), regardless of the secondary problems and complexity the 
chosen solution might happen to bring to the table.

Which is why I oppose adoption of this draft as a WG document.

:-)

Russ

v2.23.0 | Report a Bug | By Email