Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
Michael Baer <baerm@tislabs.com> Thu, 26 February 2015 17:50 UTC
Return-Path: <baerm@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 256241A1B15 for <sidr@ietfa.amsl.com>; Thu, 26 Feb 2015 09:50:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id amTu-0xWXTpM for <sidr@ietfa.amsl.com>; Thu, 26 Feb 2015 09:50:00 -0800 (PST)
Received: from mail.mikesoffice.com (dns.mikesoffice.com [75.101.48.145]) by ietfa.amsl.com (Postfix) with ESMTP id 7C6C11A040B for <sidr@ietf.org>; Thu, 26 Feb 2015 09:50:00 -0800 (PST)
Received: from localhost (unknown [IPv6:2001:470:1f05:274:3e97:eff:feba:52f]) by mail.mikesoffice.com (Postfix) with ESMTPSA id 1B620395D3A; Thu, 26 Feb 2015 09:50:00 -0800 (PST)
From: Michael Baer <baerm@tislabs.com>
To: Matthew Lepinski <mlepinski.ietf@gmail.com>
References: <54DA7C98.4040604@mandelberg.org> <D103DE3D.1041C%keyupate@cisco.com> <D104DC36.3310E%dougm@nist.gov> <m2wq3klab3.wl%randy@psg.com> <1423943624118.34986@nist.gov> <54E3D163.1040600@mandelberg.org> <CANTg3aAN9roAnK_3aeKnD3Y=maErB2=i5e+YaphxZe0hheWzVg@mail.gmail.com>
X-Face: "*g#dUT3; 8M9AE5dLk\\b4G\cNCQkRb.g/2QwEXQKf.:<GckOP:; wBMTb7\%Y"JI=R<M6g?6}tR)6Z7rp5X*24G\bkb!
Date: Thu, 26 Feb 2015 09:49:59 -0800
In-Reply-To: <CANTg3aAN9roAnK_3aeKnD3Y=maErB2=i5e+YaphxZe0hheWzVg@mail.gmail.com> (Matthew Lepinski's message of "Tue, 24 Feb 2015 12:38:07 -0500")
Message-ID: <87ioeor29k.fsf@rebma.mikesoffice.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/Y7ZoSo4KoZrc2CCigWaLENPiMFg>
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2015 17:50:02 -0000
I do not have any objection to the resolutions below, but I did notice something else while looking at the NLRI processing for BGPsec. For prefixes that do not end on octet boundary, the value of the trailing bits between the end of the prefix and the octet boundary are undefined. Both RFC 4271 p20 and the multiprotocol RFC 4760 p7 use the same language, "Note that the value of trailing bits is irrelevant." I was unable to find text in another RFC or within the protocol draft that explicitly sets these bits. If any of those bits get changed from what the originator signed, the signature will be invalid even though the NLRI is otherwise valid according to the RFCs. Practically speaking, these bits likely get set to zero by most (all?) routers anyway. But it would probably be good to have text in the protocol document explicitly setting them when creating signatures. Something like, "Any trailing bits in the NLRI prefix between the prefix length and the next octet boundary are set to zero when calculating the signatures." -Mike >>>>> On Tue, 24 Feb 2015 12:38:07 -0500, Matthew Lepinski <mlepinski.ietf@gmail.com> said: ML> I am in the process of resolving issues in the bgpsec-protocol document in ML> order to get out a new version before Dallas. ML> Based on the discussion in this thread, I believe the best way forward is: ML> 1) Add a small amount of security considerations text to address the ML> original concern that David raised. (I believe the consensus is that this ML> concern cannot be converted into an actual attack. However, other readers ML> might reasonably have the same concern as David and so there is no harm ML> laying the concern to rest in security considerations.) ML> 2) Given that origin validation is now decoupled from path validation, we ML> will put the AFI under the BGPsec signature to avoid potential IPv4 vs IPv6 ML> issues. ML> Any objections to this resolution of these issues? ML> - Matt Lepinski ML> On Tue, Feb 17, 2015 at 6:40 PM, David Mandelberg <david@mandelberg.org> ML> wrote: >> On 02/14/2015 02:53 PM, Sriram, Kotikalapudi wrote: >> > I agree that the solution should not merely rely on the presence of a >> validating ROA. >> > But there is some more detail here that is worth looking into. The path >> was fully signed >> > and assume all signatures are valid. Then clearly the origin AS actually >> announced it. >> > The question or ambiguity is: Did the origin AS announce 1.2.0.0/16 >> (v4) or 102::/16 (v6)? >> > The ROA has AFI information, but the signed update does not (currently). >> > https://tools.ietf.org/html/rfc6482#section-3.3 >> > “Within the ROAIPAddressFamily structure, addressFamily contains the >> > Address Family Identifier (AFI) of an IP address family. This >> > specification only supports IPv4 and IPv6. Therefore, addressFamily >> > MUST be either 0001 or 0002.” >> > >> > Hence, as Keyur has surmised, there is a possibility that the ROA can >> help resolve the ambiguity here. >> > But the ambiguity would still persist if the same origin AS happens to >> have ROA(s) for >> > both prefixes 1.2.0.0/16 (v4) and 102::/16 (v6) (though the >> probability is extremely small). >> > So, yes, a robust solution calls for something more than a validating >> ROA. >> > The ambiguity goes away if the AFI (of the announced prefix) is included >> by the origin AS >> > on the wire as well as in the sequence of octets that are signed. >> >> When there's no attack, I don't think there's any ambiguity about what >> NLRI is being announced or withdrawn. RFC4760 seems to include (S)AFIs >> in the right places on the wire. The only change that I think needs to >> happen for this issue is including (S)AFIs in the data that's signed. >> >> -- >> David Eric Mandelberg / dseomn >> http://david.mandelberg.org/ >> >> >> _______________________________________________ >> sidr mailing list >> sidr@ietf.org >> https://www.ietf.org/mailman/listinfo/sidr >> >> ML> _______________________________________________ ML> sidr mailing list ML> sidr@ietf.org ML> https://www.ietf.org/mailman/listinfo/sidr -- Michael Baer baerm@tislabs.com Senior Software Engineer Parsons Global Shared Services, Cyber Security Division C: 530.902.3131
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11 Sandra Murphy
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… George, Wes
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- [sidr] David M's point about the bgpsec protocol … Sandra Murphy
- Re: [sidr] David M's point about the bgpsec proto… Randy Bush
- Re: [sidr] David M's point about the bgpsec proto… Randy Bush
- Re: [sidr] David M's point about the bgpsec proto… Sandra Murphy
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Keyur Patel (keyupate)
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Montgomery, Douglas
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Randy Bush
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Matthew Lepinski
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- [sidr] Levels of BGPsec/RPKI validation, was: Re:… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Roque Gagliano (rogaglia)
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… David Mandelberg
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sandra Murphy
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Roque Gagliano (rogaglia)
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Geoff Huston
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sriram, Kotikalapudi
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Jared Mauch
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sriram, Kotikalapudi
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Tim Bruijnzeels
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Matthew Lepinski
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Matthew Lepinski
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Sriram, Kotikalapudi
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Stephen Kent
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Stephen Kent
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Sriram, Kotikalapudi