IETF Logo Mail Archive

[sidr] Levels of BGPsec/RPKI validation, was: Re: [Idr] wglc for draft-ietf-sidr-bgpsec-protocol-11

Iljitsch van Beijnum <iljitsch@muada.com> Tue, 28 April 2015 18:02 UTC

Return-Path: <iljitsch@muada.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D53431A897C; Tue, 28 Apr 2015 11:02:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.51
X-Spam-Level:
X-Spam-Status: No, score=-0.51 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4b9IRDO9QvkB; Tue, 28 Apr 2015 11:01:59 -0700 (PDT)
Received: from sequoia.muada.com (sequoia.muada.com [IPv6:2001:1af8:3100:a006:1::]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 285441A8AB5; Tue, 28 Apr 2015 11:01:56 -0700 (PDT)
Received: from global-hq.muada.nl (global-hq.muada.nl [IPv6:2001:470:1f15:8b5:a8f7:f4e5:3e8:856e] (may be forged)) (authenticated bits=0) by sequoia.muada.com (8.13.3/8.13.3) with ESMTP id t3SI1Xcs063315 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 28 Apr 2015 20:01:35 +0200 (CEST) (envelope-from iljitsch@muada.com)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <91148102-DADB-42E8-96A0-E89120642894@tislabs.com>
Date: Tue, 28 Apr 2015 20:01:43 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/cybuhYRveX9gRGu4hfXg-7Edv9s>
Cc: "idr@ietf.org wg" <idr@ietf.org>, ggm@apnic.net, sidr@ietf.org
Subject: [sidr] Levels of BGPsec/RPKI validation, was: Re: [Idr] wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2015 18:02:01 -0000

On 28 Jan 2015, at 23:38, Sandra Murphy <sandy@tislabs.com> wrote:

> idr folk, your attention and comments would be appreciated as well.

Since you ask...

I'm sending this to both idr and sidr as I think this needs broader input than just sidr. (And it seems I'm no longer on the sidr list.)

I read draft-ietf-sidr-bgpsec-protocol-11 and draft-lepinski-bgpsec-overview-00.txt as well as RFC 6483.

I think what's lacking here is any discussion of what happens when certificates etc expire. Please stay with me for a bit:

RFC 6483 talks about RPKI route validation, which suggests that there are three possible states:

valid
unknown
invalid

where valid is preferred over unknown and unknown over invalid, and:

"It is a matter of local routing policy as to whether routes with an "invalid" validity state are considered to be ineligible for further consideration in a route selection process."

Actually, I think the only reasonable approach is to filter out invalids and prefer valids over unknowns. The important part here is that if there's a ROA for 193.0.0.0/21 and then someone announces a more specific like 193.0.7.0/24, that /24 will be "invalid", so even in partial deployment RPKI users are protected against malicious or accidental more specifics. But if invalids are accepted, even with a very low preference, then they still get to divert traffic.

So far, so good.

But now what if a certificate expires? We know from the web that this is extremely common. If an expired certificate means the prefixes involved are marked invalid, this means that filtering invalids becomes very problematic: not only will prefixes randomly drop off the net as people forget to generate or install certificates or RPKI caches get stale, but if things get really bad the resulting lack of connectivity makes it impossible to correct the problem...

So what we need is for expired certificates to make the affected prefixes revert to unknown rather than invalid. Turns out, that's what happens today:

http://mailman.nanog.org/pipermail/nanog/2014-December/071907.html

However, unless this is specified in one of the related documents other than the three mentioned above, this seems to be an implementation choice.

I think the above issue needs to be discussed in an update of RFC 6483 or in one of the BGPsec documents.

And there's probably a bit more to think about: wouldn't it make sense to be able to filter on the signature algorithm at some point during the transition from one algorithm to the next? Or to be able to filter on "expired" explicitly? A binary valid/invalid isn't enough. Valid/unknown/invalid is workable, but maybe four or five levels is even better.

(And have a look at how this works in practice: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html search for PEX.)

v2.23.0 | Report a Bug | By Email