IETF Logo Mail Archive

Re: [sidr] Key learning procedures in BGPsec?

"Murphy, Sandra" <Sandra.Murphy@sparta.com> Tue, 31 January 2012 15:06 UTC

Return-Path: <Sandra.Murphy@sparta.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDD0F21F8566 for <sidr@ietfa.amsl.com>; Tue, 31 Jan 2012 07:06:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.443
X-Spam-Level:
X-Spam-Status: No, score=-102.443 tagged_above=-999 required=5 tests=[AWL=0.155, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GyXXgtIe886c for <sidr@ietfa.amsl.com>; Tue, 31 Jan 2012 07:06:33 -0800 (PST)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id AC8C321F85F0 for <sidr@ietf.org>; Tue, 31 Jan 2012 07:06:32 -0800 (PST)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id q0VF6O4M009505; Tue, 31 Jan 2012 09:06:24 -0600
Received: from Hermes.columbia.ads.sparta.com ([157.185.80.107]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id q0VF6LmI014746; Tue, 31 Jan 2012 09:06:23 -0600
Received: from HERMES.columbia.ads.sparta.com ([2002:9db9:506b::9db9:506b]) by Hermes.columbia.ads.sparta.com ([::1]) with mapi id 14.01.0355.002; Tue, 31 Jan 2012 10:06:20 -0500
From: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
To: "Ross.Anderson@cl.cam.ac.uk" <Ross.Anderson@cl.cam.ac.uk>, "sidr@ietf.org list" <sidr@ietf.org>
Thread-Topic: [sidr] Key learning procedures in BGPsec?
Thread-Index: AQHM33oIuc3Eip6I+kepCBOaAHZARZYlRm6qgABhNYD//7BhKoAAkqoAgACIgwCAABqHrw==
Date: Tue, 31 Jan 2012 15:06:19 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6077B1C@Hermes.columbia.ads.sparta.com>
References: <13269421-8A36-4628-9F1A-30E02B922AE1@verisign.com> <24B20D14B2CD29478C8D5D6E9CBB29F6074CA8@Hermes.columbia.ads.sparta.com> <A0B7EE2D-8E59-4DC8-9DC0-140E9574B479@verisign.com> <p06240804cb3caa4fd051@128.89.89.66> <CCE15AEB-D606-4A59-8118-BA5CD53413E8@verisign.com> <p06240807cb3e3e117777@128.89.89.66> <12C07EA1-EDC5-4F88-99F7-B57B9AF53C53@verisign.com> <p06240801cb43712287ed@10.243.32.68> <79053E60-25FE-4A84-9391-F451C8F0E720@verisign.com> <p06240818cb477d54edae@128.89.89.66> <CAH1iCiq04z2k+q2xBFGmnoRyuHmrE44_8cdgjTN4JVg6YwJALw@mail.gmail.com> <24B20D14B2CD29478C8D5D6E9CBB29F6077830@Hermes.columbia.ads.sparta.com> <CAH1iCip4qD4ePPEng7uNVjz9ebO1U5A4oN_Dd5YneELxTUWrVw@mail.gmail.com> <24B20D14B2CD29478C8D5D6E9CBB29F60778DE@Hermes.columbia.ads.sparta.com> <CAH1iCirNyhnbQipEC6wHNKOBrWJ5SphyZiptNjUG2yj=fhUqwg@mail.gmail.com>, <CABFLmSTQtxrzcLFEZh9Rnd=BE9zpNhk6j9t3_8vxNECcngdE2w@mail.gmail.com>
In-Reply-To: <CABFLmSTQtxrzcLFEZh9Rnd=BE9zpNhk6j9t3_8vxNECcngdE2w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.185.63.118]
Content-Type: multipart/alternative; boundary="_000_24B20D14B2CD29478C8D5D6E9CBB29F6077B1CHermescolumbiaads_"
MIME-Version: 1.0
Subject: Re: [sidr] Key learning procedures in BGPsec?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2012 15:06:34 -0000

Speaking as regular ol' member



On  Tuesday, January 31, 2012, Ross.Anderson said:



>If you want to authenticate a large number of messages from Alice to Bob that

>all arrive in order then hash chains are great.

That is not what we are looking for in the sidr work.



Authenticating the stream of messages between two adjacent routers is not

the sidr focus.  Furthermore, there are solutions in hand (TCP AO, IPSEC,

pt-pt physical protections, etc.).



The sidr work is creating protections for the path - the AS_PATH attribute

that is modified by each AS in the path of propagation of the BGP update.



A sends an update to B, who adds itsself to the AS_PATH and sends to C,

who adds itself and send the update to D, who....



The protections ensure that a recipient can look at an AS_PATH that shows

A, B, C, D, ... and know that the update did in fact pass through those systems.



And "in order" becomes a more complex idea as well.



-Sandy, speaking as regular ol' member



________________________________
From: Ross.Anderson@cl.cam.ac.uk [rossjanderson@googlemail.com]
Sent: Tuesday, January 31, 2012 3:05 AM
To: sidr@ietf.org list
Cc: Murphy, Sandra; Brian Dickson
Subject: Re: [sidr] Key learning procedures in BGPsec?

Brian

(delurk) As a recovering cryptographer I can think of nits to pick but it's certainly possible to build a robust system using hash chains and hash trees rather than conventional signatures.

Declaration of interest: I started this field of study 15 years ago with a paper on the Guy Fawkes protocol. This was then taken up by Adrian Perrig and others and turned into systems (TESLA etc) for authenticating digital streams using hash chains. If you want to authenticate a large number of messages from Alice to Bob that all arrive in order then hash chains are great.

Here's how it might work. You have a conventional mechanism for initial key setup between routers (maybe a route reflector doing public-key crypto, maybe DNSSEC). Then each router sets up a hash chain with each peer and uses hashes to authenticate routine updates.

Steve Kent will point out that routers do in effect have key material, in the sense of not-yet-published hash preimages, and this is almost equivalent to using symmetric keys for MACs (not quite, as you can get some nonrepudiation from hash chains). But having local symmetric keys (or short-lived signature keys) managed by per-AS route reflectors, perhaps with HSMs for the bigger players, is in any case a good strategy to get resilience in the face of occasional compromise.

So it might well be worth trying to explore the design options in more detail. The authentication mechanisms had better be cheap and resilient if we want this thing deployed

Ross Anderson
www.ross-anderson.com<http://www.ross-anderson.com>


On 30 January 2012 23:57, Brian Dickson <brian.peter.dickson@gmail.com<mailto:brian.peter.dickson@gmail.com>> wrote:

> Do you have any designs in mind that will NOT use cryptography?

There are two things to consider here.

(1) If I can come up with an example design that does not rely on
private keys being kept (let alone exposed) on routers, would that be
sufficient to justify exploring more options than just my example? I'm
fine with someone else coming up with something better than this, and
am not married to the particulars of this. However, it can be
considered an "existence proof".

(2) Do you accept that an example of such a design is intended to
prompt the merits of looking for better designs, rather than the
example being fodder for dissection/discussion/bashing? I mean for
this to be an "okay, fine, clearly there are alternatives, and we
should discuss the high-level pros/cons of on-router crypto and key
management".



Having said that, here's a simple example (with "simple" being in the
eye of the beholder, obviously).

Each AS maintains a (for lack of a better term) "database" of its BGP
neighbors, and known prefixes.

Each AS also maintains a single, global "nonce", which it may
periodically change.

>From these sets of data and the single nonce, each AS publishes a set
of SHA-256 hashes (or other SHA hash, as appropriate), over (prefix +
neighbor_ASN + nonce) tuples.

v2.23.0 | Report a Bug | By Email