IETF Logo Mail Archive

Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview ENDING: 10/21/2015)

"George, Wes" <wesley.george@twcable.com> Thu, 15 October 2015 14:14 UTC

Return-Path: <wesley.george@twcable.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AEB11B3259; Thu, 15 Oct 2015 07:14:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.664
X-Spam-Level: *
X-Spam-Status: No, score=1.664 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, HELO_EQ_MODEMCABLE=0.768, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S80J3PRgfZfS; Thu, 15 Oct 2015 07:13:59 -0700 (PDT)
Received: from cdpipgw02.twcable.com (unknown [165.237.59.23]) by ietfa.amsl.com (Postfix) with ESMTP id 3DE1D1A1EF7; Thu, 15 Oct 2015 07:13:58 -0700 (PDT)
X-SENDER-IP: 10.64.163.149
X-SENDER-REPUTATION: None
X-IronPort-AV: E=Sophos;i="5.17,686,1437451200"; d="scan'208";a="811896611"
Received: from unknown (HELO exchpapp08.corp.twcable.com) ([10.64.163.149]) by cdpipgw02.twcable.com with ESMTP/TLS/AES256-SHA; 15 Oct 2015 10:08:37 -0400
Received: from EXCHPAPP06.corp.twcable.com (10.64.163.147) by exchpapp08.corp.twcable.com (10.64.163.149) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 15 Oct 2015 10:13:37 -0400
Received: from EXCHPAPP06.corp.twcable.com ([10.64.163.147]) by exchpapp06.corp.twcable.com ([10.64.163.147]) with mapi id 15.00.1104.000; Thu, 15 Oct 2015 10:13:37 -0400
From: "George, Wes" <wesley.george@twcable.com>
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, Chris Morrow <morrowc@ops-netman.net>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview ENDING: 10/21/2015)
Thread-Index: AQHRB1Ourv/u8/GWe0ijQahajfn1Mg==
Date: Thu, 15 Oct 2015 14:13:36 +0000
Message-ID: <D2451B60.6CFFF%wesley.george@twcable.com>
References: <yj9osi5mae4p.wl%morrowc@ops-netman.net> <D2442A8C.6CE45%wesley.george@twcable.com> <CY1PR09MB079361CBE768BE1B62DBCAEA843F0@CY1PR09MB0793.namprd09.prod.outlook.com>
In-Reply-To: <CY1PR09MB079361CBE768BE1B62DBCAEA843F0@CY1PR09MB0793.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.7.151005
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.64.163.240]
x-tm-as-product-ver: SMEX-11.0.0.1191-8.000.1202-21880.004
x-tm-as-result: No--42.788100-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="utf-8"
Content-ID: <C0983F84C4C90248AB58E23382CF5D68@twcable.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/eITTGjmhskbrsOmFxZ4lVT7dpfI>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview ENDING: 10/21/2015)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2015 14:14:04 -0000

On 10/14/15, 7:20 PM, "Sriram, Kotikalapudi"
<kotikalapudi.sriram@nist.gov> wrote:

>>There is a discussion in 6.4 of Sriram's design-choices doc, but I think
>>it's incomplete
>>since it only discusses it in terms of it being unacceptable to sign
>>updates that it can't verify.
>
>"unacceptable to sign updates that it can't verify" -- I don't read that
>in Section 6.4.

WG] I interpreted it that way based on 6.4.2. More about that below.
>
>>Put differently: "I have no idea whether the people before Randy were
>>telling the truth, but I can assert that Randy, Sandy, Chris, Matt, and
>>Rob
>>all verifiably told the truth about their part of the path when they
>>sent the route to me." I think maybe that has some value in an
>>incremental model,
>>but if it doesn't (or is sufficiently difficult to implement as to
>>negate the potential benefit), we should explain why.
>
>The AS that you named Randy could be a bad actor,
>and may have changed the AS path segment before it
>(dropped some ASes, reduced AS prepends, etc.).
>Imagine Rob receives another update for the same NLRI that is completely
>unsigned,
>and it has a path via Wes, Chris, and Jeff.
>Let us say both updates pass origin validation.
>Should Rob trust the partially-singed update via Randy, Sandy, Chris, and
> Matt,
>or should he trust the completely unsigned latter update?
>If Rob gives priority to partially-signed path over completely unsigned
>path,
>there is potential for trouble (as in the example above).
>Then what is the use of partially signed updates?

WG] I understand that. I think you're missing the distinction I'm making
between the signed and unsigned parts of the update. In this partial-sign
mode, the way I expect it would work to be at all useful is that any
policy based on the trust of signed updates would only apply to the
portion that is signed, not the entire path. I can't see a blanket trust
of a partially signed route as a binary thing such that you could
automatically prefer partial sign over unsigned, and so your attack vector
is overly simplistic. The partial signing only matters if you care about
the actual data that is being protected inside the signed part. I might
not care that I can't explicitly verify that the AS path started at your
house, then went through Joe's Bait Shop and WISP before connecting to
Randy. But I might care that I can explicitly verify that it went from
Randy to Sandy to Chris to Matt without any unplanned excursions through
Alice or Bob.
As I said, the logic starts getting difficult from a route policy
perspective, but I was trying to point out that the existing text seems to
say that a partially signed update (one that originates unsigned and is
later signed from mid-path to end) is somehow implying a level of trust on
the unsigned portion that doesn't exist. I think the reality is that
partially signed updates would require some additional changes in the
protocol to make that useful, and a significant amount of additional logic
to make it work in policy-land, which may not be worth the effort, but
saying that we don't want to protect the BGPSec-capable part of the path
because we can't protect the preceding part of the path that isn't BGPSec
capable seems circular logic to me.

Wes


________________________________

This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.

v2.23.0 | Report a Bug | By Email