IETF Logo Mail Archive

Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Tue, 28 April 2015 18:27 UTC

Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90D161A894A; Tue, 28 Apr 2015 11:27:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DNmAOyluWUtr; Tue, 28 Apr 2015 11:27:43 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC75C1A020A; Tue, 28 Apr 2015 11:27:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9206; q=dns/txt; s=iport; t=1430245659; x=1431455259; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=tMyQI4zm+1eYV//wRpXJg1Zb7NSTI0yvjidpLUXWXC0=; b=PQwGS7qT6Zk1m5sKIzlWJd30Mly92kPXkbEDUZFqzdpPqcIpBvgkn9ZX PkPbo4vSH9toShTnPO0NHuMjovIj7ZJt4rYPPkn4T/6f4tiG6UrIA0YBK 997iTABMJ5yKFRXFD/AY5vldH6+6hPNlNTuyOgPUjBbZT0Qu9rRYxYQ6k 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CiBgCS0D9V/5ldJa1cgkVHU1yFI8EOPIF8AQuGAgKBO0wBAQEBAQGBC4QgAQEBAwEBAQEqQQsFCwIBCBEDAQILGQsnCx0IAgQBDQUIiBsIDcdeAQEBAQEBAQEBAQEBAQEBAQEBAQEBF4s4hFQgDQQHBoMRgRYFhHSKToIjhASEM4IJgSI9gwyCcIZmg1qDUCNggSccFYE8bwGBAySBHQEBAQ
X-IronPort-AV: E=Sophos;i="5.11,665,1422921600"; d="scan'208,217";a="412370647"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-9.cisco.com with ESMTP; 28 Apr 2015 18:27:38 +0000
Received: from xhc-rcd-x05.cisco.com (xhc-rcd-x05.cisco.com [173.37.183.79]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id t3SIRaFi004612 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 28 Apr 2015 18:27:36 GMT
Received: from xmb-rcd-x02.cisco.com ([169.254.4.111]) by xhc-rcd-x05.cisco.com ([173.37.183.79]) with mapi id 14.03.0195.001; Tue, 28 Apr 2015 13:27:36 -0500
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>, Sandra Murphy <sandy@tislabs.com>
Thread-Topic: [Idr] Levels of BGPsec/RPKI validation, was: Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
Thread-Index: AQHQgd2IxBf3Buc8wUqu36ahK1ga251ivkSa
Date: Tue, 28 Apr 2015 18:27:35 +0000
Message-ID: <EF4348D391D0334996EE9681630C83F02D173BEB@xmb-rcd-x02.cisco.com>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com>, <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com>
In-Reply-To: <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_EF4348D391D0334996EE9681630C83F02D173BEBxmbrcdx02ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/_HD0c9m1Vg-mxPXNzbJ4jkWq_u4>
Cc: "idr@ietf.org wg" <idr@ietf.org>, "ggm@apnic.net" <ggm@apnic.net>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2015 18:27:45 -0000

Iljitsu,

It is not an implementation choice, it is by design. If a signed object does not validate (based on whatever reason not just expiration), it is like if did not existed.

I guess your point is covered.

Roque

Sent from my HTC

----- Reply message -----
From: "Iljitsch van Beijnum" <iljitsch@muada.com>
To: "Sandra Murphy" <sandy@tislabs.com>
Cc: "idr@ietf.org wg" <idr@ietf.org>, "ggm@apnic.net" <ggm@apnic.net>, "sidr@ietf.org" <sidr@ietf.org>
Subject: [Idr] Levels of BGPsec/RPKI validation, was: Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
Date: Tue, Apr 28, 2015 20:02

On 28 Jan 2015, at 23:38, Sandra Murphy <sandy@tislabs.com> wrote:

> idr folk, your attention and comments would be appreciated as well.

Since you ask...

I'm sending this to both idr and sidr as I think this needs broader input than just sidr. (And it seems I'm no longer on the sidr list.)

I read draft-ietf-sidr-bgpsec-protocol-11 and draft-lepinski-bgpsec-overview-00.txt as well as RFC 6483.

I think what's lacking here is any discussion of what happens when certificates etc expire. Please stay with me for a bit:

RFC 6483 talks about RPKI route validation, which suggests that there are three possible states:

valid
unknown
invalid

where valid is preferred over unknown and unknown over invalid, and:

"It is a matter of local routing policy as to whether routes with an "invalid" validity state are considered to be ineligible for further consideration in a route selection process."

Actually, I think the only reasonable approach is to filter out invalids and prefer valids over unknowns. The important part here is that if there's a ROA for 193.0.0.0/21 and then someone announces a more specific like 193.0.7.0/24, that /24 will be "invalid", so even in partial deployment RPKI users are protected against malicious or accidental more specifics. But if invalids are accepted, even with a very low preference, then they still get to divert traffic.

So far, so good.

But now what if a certificate expires? We know from the web that this is extremely common. If an expired certificate means the prefixes involved are marked invalid, this means that filtering invalids becomes very problematic: not only will prefixes randomly drop off the net as people forget to generate or install certificates or RPKI caches get stale, but if things get really bad the resulting lack of connectivity makes it impossible to correct the problem...

So what we need is for expired certificates to make the affected prefixes revert to unknown rather than invalid. Turns out, that's what happens today:

http://mailman.nanog.org/pipermail/nanog/2014-December/071907.html

However, unless this is specified in one of the related documents other than the three mentioned above, this seems to be an implementation choice.

I think the above issue needs to be discussed in an update of RFC 6483 or in one of the BGPsec documents.

And there's probably a bit more to think about: wouldn't it make sense to be able to filter on the signature algorithm at some point during the transition from one algorithm to the next? Or to be able to filter on "expired" explicitly? A binary valid/invalid isn't enough. Valid/unknown/invalid is workable, but maybe four or five levels is even better.

(And have a look at how this works in practice: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html search for PEX.)

_______________________________________________
Idr mailing list
Idr@ietf.org
https://www.ietf.org/mailman/listinfo/idr

v2.23.0 | Report a Bug | By Email