IETF Logo Mail Archive

Re: [sidr] BGPSEC Threat Model ID

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 02 November 2011 18:11 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C76B1F0C8C for <sidr@ietfa.amsl.com>; Wed, 2 Nov 2011 11:11:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.563
X-Spam-Level:
X-Spam-Status: No, score=-3.563 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2VELq3M8hIlu for <sidr@ietfa.amsl.com>; Wed, 2 Nov 2011 11:11:04 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 607881F0C44 for <sidr@ietf.org>; Wed, 2 Nov 2011 11:11:04 -0700 (PDT)
Received: by faas12 with SMTP id s12so851487faa.31 for <sidr@ietf.org>; Wed, 02 Nov 2011 11:11:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4Rn22efRg4pPuZcpne7bxbPUmkbne8pW2Vs9hED+lHI=; b=pHBgMHsMDtUV7dQG1pA15kjgKnDij/27foaJVrpMlbIL6ESxhIeuAn6mWAl4JKXqgW B973mpg1euLxmpwcVh/IFaTTeINusDVumVNA1aLEy3FfqIWDTSGOi7ysxNyhQ8hg6Gn2 L7GSZObScp+LOp4uYFUTIBsp80Ld8ka67i9xo=
MIME-Version: 1.0
Received: by 10.223.91.73 with SMTP id l9mr9999870fam.22.1320257463532; Wed, 02 Nov 2011 11:11:03 -0700 (PDT)
Received: by 10.223.54.15 with HTTP; Wed, 2 Nov 2011 11:11:03 -0700 (PDT)
In-Reply-To: <4EB180DD.5010401@riw.us>
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@193.0.26.186> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@193.0.26.186> <CAH1iCir-UoT+BMOD53oxQ9fdMiGirvaTL0eZDS3A5wVEDuw2LA@mail.gmail.com> <4EB170AD.1030302@riw.us> <CAH1iCiqTST7V=jdHe8R04nfP-0c33NSo9m4gZ_majpx7wUCciw@mail.gmail.com> <4EB180DD.5010401@riw.us>
Date: Wed, 02 Nov 2011 14:11:03 -0400
Message-ID: <CAH1iCiq9ugsV2uARRUrb7af3_HAi62EiAWAhoWZnDSr3sb8Z5w@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Russ White <russw@riw.us>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: sidr@ietf.org
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 18:11:05 -0000

On Wed, Nov 2, 2011 at 1:41 PM, Russ White <russw@riw.us> wrote:
> 1. Most providers apparently want to enforce policy without telling
> anyone what their policy actually is. That this is a logical
> contradiction doesn't seem to disturb anyone.
>
> 2. You can't "enforce" your policy --all you can do is signal to someone
> else what that policy is, and ask them nicely to enforce it for you.
>
> 2a. If you have a business relationship with this other party, then you
> already have an enforcement mechanism at hand --signatures and other
> sorts of things won't provide anything additional.

Actually, this is not strictly true.

Let's consider the smallest case where there are more than two parties,
where route leaks cause problems (whether malicious or accidental).

Parties: A, B, C.
Relationships, all formalized via contracts (whether for transit or peering).
C is a customer of A.
C is a customer of B.
B and A are peers.
For sake of argument, presume that A and B also have upstream transit providers.

The intended policies have A and B exchanging routes of only their
customers, and
their internal routes.

C receives the full Internet routing table from both A and B.

The agreements between A and C, and between B and C, prohibit C sending anything
other than C's own routes to A and B.

Then consider what happens in the case of C sending B's routes (and
B's upstream routes) to A.

A prefers routes learned from customers over peer or transit routes.

A now prefers the path via C to the entire Internet, including traffic
from A to B.

There is no _technological_  mechanism for B to stop this, short of
turning down C's BGP session.
And, this also presumes that B has some definitive way of discovering
this, which is not necessarily
the case.

When we add in D, a transit customer of C, we can see the challenging
nature of the problem.

How to we distinguish C sending B's routes to D (which is good and
expected and allowed),
from C sending B's routes to A (not good/unexpected/not "allowed" by contracts)?

If there isn't some easy way for A to see that their customer is
sending routes which are not
their own or their customers', by way of "marking" in the middle of
the AS path, then the scale
of the problem is huge (having prefix filters and AS-path filters
built on ... the IRR).
With marking, we gain easy filtering to honor the senders' intentions, and
the ability to authenticate things and still limit the information on
a need-to-know basis.

Observe the following - information about relationships encoded within
the path will be visible
only to those who receive the path. If the path signals "block me",
the relationship information
is also blocked.

This may be an acceptable degree of information leakage - which
happens to coincide with
path information, which necessarily must be leaked.

Brian

v2.23.0 | Report a Bug | By Email