IETF Logo Mail Archive

Re: [sidr] about "beaconing" and the bgspec-protoocol

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Sat, 08 December 2012 14:28 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B45621F86D5 for <sidr@ietfa.amsl.com>; Sat, 8 Dec 2012 06:28:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.227
X-Spam-Level:
X-Spam-Status: No, score=-6.227 tagged_above=-999 required=5 tests=[AWL=0.372, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OUgOmpRWUjRA for <sidr@ietfa.amsl.com>; Sat, 8 Dec 2012 06:28:49 -0800 (PST)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 3933421F867B for <sidr@ietf.org>; Sat, 8 Dec 2012 06:28:48 -0800 (PST)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.2.318.4; Sat, 8 Dec 2012 09:27:55 -0500
Received: from MBCLUSTER.xchange.nist.gov ([2002:8106:125b::8106:125b]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Sat, 8 Dec 2012 09:28:04 -0500
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Danny McPherson <danny@tcb.net>, "Murphy, Sandra" <Sandra.Murphy@sparta.com>
Date: Sat, 08 Dec 2012 09:25:14 -0500
Thread-Topic: [sidr] about "beaconing" and the bgspec-protoocol
Thread-Index: Ac3U0ZDFa1YhdJjLQTiulpMktwaN+QAd01/T
Message-ID: <D7A0423E5E193F40BE6E94126930C4930BACFB3EA4@MBCLUSTER.xchange.nist.gov>
References: <24B20D14B2CD29478C8D5D6E9CBB29F63C1E544A@Hermes.columbia.ads.sparta.com>, <FC2FA0E2-6920-43D4-AC5C-D6576C522A20@tcb.net>
In-Reply-To: <FC2FA0E2-6920-43D4-AC5C-D6576C522A20@tcb.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] about "beaconing" and the bgspec-protoocol
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Dec 2012 14:28:50 -0000

>> From comments made at the mike in the last IETG sidr session after the discussion of key rollover techniques, I think there might be a bit of confusion about beaconing.
>>
>> An Expire Time was a feature of the bgpsec protocol in versions 00-01.  The purpose of the Expire Time  was to prevent replay and ensure freshness.  The effect of this feature was to require periodic readvertisements of all prefixes, hence the name "beaconing".
>
> I'm pretty sure the captured proceedings for "Discussion of Key Rollover Mechanisms for Replay-Attack Protection" [!=beacon?] mentions "beacon" at least eleven times.  Additionally, "BGPSEC router key rollover" was about periodic updates (aka "beacons") as well.

Semantically, Beaconing = Periodic re-origination of prefixes

Beaconing (i.e., periodic re-origination) was an attribute of the explicit Expire Time method, 
and it IS an attribute of the periodic key rollover (PKR) method as well.
However, beaconing (periodic re-origination) IS NOT an attribute of the Event-driven Key Rollover (EKR) method. 
This is all fairly well documented in [draft-sriram-replay-protection-design-discussion]:
 
http://tools.ietf.org/html/draft-sriram-replay-protection-design-discussion-00 

and also in my presentation slides from the Atlanta IETF SIDR session:
  
http://www.ietf.org/proceedings/85/slides/slides-85-sidr-4.pdf

Periodic key rollover (PKR) is currently recommended in [draft-ietf-sidr-bgpsec-rollover] 
as evident from the following quote (from Section 4.2):

  “For  this reason, it is recommended that routers in this scenario been
   provisioned with two certificates: one to sign BGP UPDATES in transit
   and a second one to sign BGP UPDATE for prefixes originated in its
   AS.  Only the second certificate (for prefixes originated in its AS)
   should be rolled-over frequently as a means of limiting replay attach
   windows.  The transit BGPSEC certificate is expected to be longer
   living than the origin BGPSEC certificate.”

In the PKR method, the "current" origination cert (and key pair) expires at periodic intervals 
and updates are re-originated signed by the "next" origination cert.
No CRLs need to propagate; the cert expiry is automated by setting NotValidAfter time,
and the "next" cert is always pre-provisioned well in advance. 
None of it is tied to human scale intervention -- it can all be automated.

In the same section (section 4.2) , the authors also observed:

“Advantage of Re-keying as replay attack protection mechanism:
  	 1.  Does not require beaconing”

However, that advantage #1 is not correct for the periodic key rollover method, which is currently recommended. 

>
> considerable added churn through origination and transit node-triggered "beacons", and added processing overhead for cryptographic functions for signing and validation, 
>

Just to clarify, *transit* prefixes are not beaconed (i.e., not "periodically" re-propagated)
by *transit routers* in any of the key rollover methods.
The PKR method has periodic re-origination of origination prefixes only 
(i.e., each eBGP router periodically re-originates its origination prefixes).
The EKR method by definition is event-driven, hence does not entail any periodic re-originations. 
The events (topology changes, etc.) are presumably rare/infrequent. 

Sriram

v2.23.0 | Report a Bug | By Email