Re: [sidr] BGPSEC Threat Model ID
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 02 November 2011 18:11 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C76B1F0C8C for <sidr@ietfa.amsl.com>; Wed, 2 Nov 2011 11:11:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.563
X-Spam-Level:
X-Spam-Status: No, score=-3.563 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2VELq3M8hIlu for <sidr@ietfa.amsl.com>; Wed, 2 Nov 2011 11:11:04 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 607881F0C44 for <sidr@ietf.org>; Wed, 2 Nov 2011 11:11:04 -0700 (PDT)
Received: by faas12 with SMTP id s12so851487faa.31 for <sidr@ietf.org>; Wed, 02 Nov 2011 11:11:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4Rn22efRg4pPuZcpne7bxbPUmkbne8pW2Vs9hED+lHI=; b=pHBgMHsMDtUV7dQG1pA15kjgKnDij/27foaJVrpMlbIL6ESxhIeuAn6mWAl4JKXqgW B973mpg1euLxmpwcVh/IFaTTeINusDVumVNA1aLEy3FfqIWDTSGOi7ysxNyhQ8hg6Gn2 L7GSZObScp+LOp4uYFUTIBsp80Ld8ka67i9xo=
MIME-Version: 1.0
Received: by 10.223.91.73 with SMTP id l9mr9999870fam.22.1320257463532; Wed, 02 Nov 2011 11:11:03 -0700 (PDT)
Received: by 10.223.54.15 with HTTP; Wed, 2 Nov 2011 11:11:03 -0700 (PDT)
In-Reply-To: <4EB180DD.5010401@riw.us>
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@193.0.26.186> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@193.0.26.186> <CAH1iCir-UoT+BMOD53oxQ9fdMiGirvaTL0eZDS3A5wVEDuw2LA@mail.gmail.com> <4EB170AD.1030302@riw.us> <CAH1iCiqTST7V=jdHe8R04nfP-0c33NSo9m4gZ_majpx7wUCciw@mail.gmail.com> <4EB180DD.5010401@riw.us>
Date: Wed, 02 Nov 2011 14:11:03 -0400
Message-ID: <CAH1iCiq9ugsV2uARRUrb7af3_HAi62EiAWAhoWZnDSr3sb8Z5w@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Russ White <russw@riw.us>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: sidr@ietf.org
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 18:11:05 -0000
On Wed, Nov 2, 2011 at 1:41 PM, Russ White <russw@riw.us> wrote: > 1. Most providers apparently want to enforce policy without telling > anyone what their policy actually is. That this is a logical > contradiction doesn't seem to disturb anyone. > > 2. You can't "enforce" your policy --all you can do is signal to someone > else what that policy is, and ask them nicely to enforce it for you. > > 2a. If you have a business relationship with this other party, then you > already have an enforcement mechanism at hand --signatures and other > sorts of things won't provide anything additional. Actually, this is not strictly true. Let's consider the smallest case where there are more than two parties, where route leaks cause problems (whether malicious or accidental). Parties: A, B, C. Relationships, all formalized via contracts (whether for transit or peering). C is a customer of A. C is a customer of B. B and A are peers. For sake of argument, presume that A and B also have upstream transit providers. The intended policies have A and B exchanging routes of only their customers, and their internal routes. C receives the full Internet routing table from both A and B. The agreements between A and C, and between B and C, prohibit C sending anything other than C's own routes to A and B. Then consider what happens in the case of C sending B's routes (and B's upstream routes) to A. A prefers routes learned from customers over peer or transit routes. A now prefers the path via C to the entire Internet, including traffic from A to B. There is no _technological_ mechanism for B to stop this, short of turning down C's BGP session. And, this also presumes that B has some definitive way of discovering this, which is not necessarily the case. When we add in D, a transit customer of C, we can see the challenging nature of the problem. How to we distinguish C sending B's routes to D (which is good and expected and allowed), from C sending B's routes to A (not good/unexpected/not "allowed" by contracts)? If there isn't some easy way for A to see that their customer is sending routes which are not their own or their customers', by way of "marking" in the middle of the AS path, then the scale of the problem is huge (having prefix filters and AS-path filters built on ... the IRR). With marking, we gain easy filtering to honor the senders' intentions, and the ability to authenticate things and still limit the information on a need-to-know basis. Observe the following - information about relationships encoded within the path will be visible only to those who receive the path. If the path signals "block me", the relationship information is also blocked. This may be an acceptable degree of information leakage - which happens to coincide with path information, which necessarily must be leaked. Brian
- [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Paul Hoffman
- Re: [sidr] BGPSEC Threat Model ID George, Wes
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID George, Wes
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Jen Linkova
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Sriram, Kotikalapudi
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Jakob Heitz
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Geoff Huston
- Re: [sidr] BGPSEC Threat Model ID Jakob Heitz
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Geoff Huston
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson