Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs
Stephen Kent <kent@bbn.com> Wed, 02 November 2011 15:05 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A000C11E80B6 for <sidr@ietfa.amsl.com>; Wed, 2 Nov 2011 08:05:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.33
X-Spam-Level:
X-Spam-Status: No, score=-106.33 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_SUB_OBFU_Q1=0.227, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id apBJuxBC2dow for <sidr@ietfa.amsl.com>; Wed, 2 Nov 2011 08:05:42 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 01D6411E8083 for <sidr@ietf.org>; Wed, 2 Nov 2011 08:05:41 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:38880 helo=[193.0.26.186]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1RLcNj-00059F-G1; Wed, 02 Nov 2011 11:05:35 -0400
Mime-Version: 1.0
Message-Id: <p06240808cad5c4d268eb@[193.0.26.186]>
In-Reply-To: <4297E946-980B-43C5-A01F-1F49706BC51E@tcb.net>
References: <CAL9jLaa+L-C7+Gp54BpM8FjAj+EFMabwQB9SsPW0N4QnFEfVGw@mail.gmail.com> <4297E946-980B-43C5-A01F-1F49706BC51E@tcb.net>
Date: Wed, 02 Nov 2011 11:04:53 -0400
To: Danny McPherson <danny@tcb.net>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 15:05:42 -0000
At 10:03 PM -0400 10/28/11, Danny McPherson wrote: >On Oct 28, 2011, at 2:40 PM, Christopher Morrow wrote: > >> Seems that the authors, at least, expect this doc to be prepared for >> WGLC, could we do that concluding 11/11/11 please? > > >I've got a couple of comments. > >Some high-level bits captured with specific comments below >include: This isn't my doc, but I will reply to a few of your points, since I've been replying to your comments on the threat model :-). >2) from a mechanics and processing perspective, this appears to >largely focus only on external BGP. It would be useful if the >requirements considered what behaviors and recommendations are >applicable to internal BGP speakers as well. The focus of BGPSEC is eBGP, because the concern is verifying the authenticity of routes arriving from other ASes. The hard problems arise for eBGP because these routes are delivered via BGP speakers in different "trust domains." iBGP integrity and authenticity can be achieved via internal security procedures and thus is not a focus of BGPSEC. >2) This document seems to allude to a solution that only protects >NLRI and AS_PATH, and ignores ORIGIN and other attributes. This >concerns me a great deal given that most (all?) path selection >today is largely based on policy derived from and applied based >upon all those other attributes. I replied to the ORIGIN attribute question in my other message. NLRI and AS_PATH are the attributes being protected both because they represent the fundamental routing data elements, and because they are attested to in the RPKI. Using the RPKI we can determine whether the origin AS is authorized to originate a route for the NLRI. We can verify whether a BGP speaker representing each AS in the AS_PATH is the entity that signed the data carried as part of an Update. We don't have analogous, authoritative data about MPLS, for example, so we can't provide the same sort of security guarantees. If the community identifies data carried in Updates that it believes should be protected, and we can agree on security semantics that are enforceable relative to the BGPSEC architecture, then we could expand protection, perhaps in a v2 of the protocol. >3) as a WG we need to agree on what constitutes a reasonable >solution for minimizing an exposure window. If we're going >to build such a heavy solution I find it hard to justify new >hardware and tons of complexity if we can't get the window to >seconds or minutes, rather than 8+ hours or more best case with >what we've seen proposed to date, and that's with periodic >updates (ala beacons) that have the scaling properties of RIP. Beacon frequency affects how responsive BGPSEC is relative to one set of attacks. A more accurate statement is that the beacon parameters that the BGPSEC design is likely to use will induce significant latency detecting those attacks. Reducing the latency would require more frequent beaconing, and that is viewed as an unacceptable tradeoff, at lest for now. The residual vulnerability due to beacon latency relates to the ability of an AS that was authorized to advertise a route, to replay the advertisement, even when it is not currently authorized to do so. This vulnerability should be viewed in the context of the inability of a BGP speaker to know whether a neighbor has failed to withdraw a route, when it has no paths for the prefix in question. An AS cannot, in general, know whether the only route for a given prefix has been withdrawn at some point upstream. This the BGP design and operational model embodies this vulnerability. Steve
- [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Danny McPherson
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Shane Amante
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs George, Wes
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Stephen Kent
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Danny McPherson
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Stephen Kent
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Eric Osterweil
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Sriram, Kotikalapudi
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Russ White
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Russ White
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Jakob Heitz
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Sriram, Kotikalapudi
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Eric Osterweil
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Danny McPherson
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Danny McPherson
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Eric Osterweil
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Jakob Heitz
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Brian Dickson
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Danny McPherson
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Sriram, Kotikalapudi
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Danny McPherson
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Eric Osterweil
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Brian Dickson
- [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Chris Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Sriram, Kotikalapudi
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Warren Kumari
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Keyur Patel (keyupate)
- [sidr] Another potential DOS attack on RP softwar… Demian Rosenkranz
- Re: [sidr] Another potential DOS attack on RP sof… Tim Bruijnzeels
- Re: [sidr] Another potential DOS attack on RP sof… Jared Mauch
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs George, Wes
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Warren Kumari
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs George, Wes
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs George, Wes
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Stephen Kent
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Roque Gagliano (rogaglia)
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Roque Gagliano (rogaglia)
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs George, Wes
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Christopher Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Randy Bush
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Montgomery, Douglas
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Montgomery, Douglas
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Sandra Murphy