Re: [sidr] David M's point about the bgpsec protocol (embarrassing)

Sandra Murphy <sandy@tislabs.com> Fri, 13 February 2015 14:55 UTC

From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <C28E78CF-4428-4EE6-B494-5123243F51B4@tislabs.com>
Date: Fri, 13 Feb 2015 09:55:41 -0500
Message-Id: <4793C46A-0B6B-45D2-ACB8-638E5971F47D@tislabs.com>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <82de0e0b8d59df99675cf4eb22996d08@mail.mandelberg.org> <87iof9r8wg.fsf@rebma.mikesoffice.com> <54DA7C98.4040604@mandelberg.org> <C28E78CF-4428-4EE6-B494-5123243F51B4@tislabs.com>
To: "sidr@ietf.org list" <sidr@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/g4mVV4asarpODW3YhOod2AtYZas>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] David M's point about the bgpsec protocol (embarrassing)
List-Id: Secure Interdomain Routing <sidr.ietf.org>

Sorry for cc-ing the list on this message and the belaboring and critical tone.  I intended it as a private message, not a message to the whole wg.

I hope others are looking at the issue.  I haven't seen anyone reply to David.

(Other than my oops-replied-to-all reply, of course.  I wear the dunce cap this week.)

--Sandy

On Feb 12, 2015, at 5:40 PM, Sandra Murphy <sandy@tislabs.com> wrote:

> I think David is right.
> 
> This is embarrassing.  I was looking at the syntax for the protocol in response to David's previous message, realizing that there's no text about what the NLRI length and NLRI prefix fields' syntax should be, looking right at those fields, thinking only that we needed to copy the text from 4271/4760, and did not spot this.
> 
> This is embarrassing for the whole wg for not spotting the syntax laxness.  And embarrassing to all the security folk.  There's a standard problem in security protocols about not signing any old group of bits you are given because the signed bits might be used in some other context.  So this should have been spotted much earlier.
> 
> I keep hoping if I look at it closely there's a reason why this is not a problem.  Surely SteveK/MattL/SteveB/RussH/etc if the problem were this obvious?
> 
> Have you two looked at this?
> 
> --Sandy
> 
> On Feb 10, 2015, at 4:48 PM, David Mandelberg <david@mandelberg.org> wrote:
> 
>> All, while coming up with the example below, I realized another issue.
>> The structure in 4.1 doesn't include an Address Family Identifier.
>> Unless I missed something, this means that a signature for 1.2.0.0/16
>> would be exactly the same as a signature for 102::/16. This would be a
>> much more practical attack than the one I originally thought of.
>> 
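A constructed illustration of the ambiguity David describes, added here and not part of the thread or of the bgpsec draft: it uses a simplified model of the signed fields (only NLRI length and NLRI prefix, with or without an AFI in front of them) rather than the draft's exact layout, and assumes RFC 4271-style NLRI encoding; it also generalises the 1.2.0.0/16 vs 102::/16 case by computing, for any IPv4 prefix, the IPv6 prefix that shares its encoding.

```python
import hashlib
import ipaddress
import struct

# Assumption: a simplified model of the bytes covered by a BGPsec signature,
# keeping only the fields relevant to the ambiguity (NLRI length, NLRI prefix,
# and optionally an AFI in front). Not the draft's exact field layout.

AFI_IPV4 = 1  # IANA address family numbers
AFI_IPV6 = 2


def encode_nlri(prefix: str) -> bytes:
    """RFC 4271-style NLRI: 1-byte length in bits, then the minimum number of
    bytes needed to hold that many prefix bits (trailing bits are zero)."""
    net = ipaddress.ip_network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!B", net.prefixlen) + net.network_address.packed[:nbytes]


def afi_of(prefix: str) -> int:
    return AFI_IPV4 if ipaddress.ip_network(prefix).version == 4 else AFI_IPV6


def signed_data_without_afi(prefix: str) -> bytes:
    """The shape discussed above: only NLRI length + prefix are signed, so
    an IPv4 and an IPv6 prefix with the same length and leading bytes
    produce byte-identical signed data."""
    return encode_nlri(prefix)


def signed_data_with_afi(prefix: str) -> bytes:
    """Hardened shape: the address family is bound into the signed bytes,
    so the two encodings can no longer collide."""
    return struct.pack("!H", afi_of(prefix)) + encode_nlri(prefix)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ipv6_twin(ipv4_prefix: str) -> str:
    """For an IPv4 prefix, return the IPv6 prefix whose NLRI encoding is
    identical (same length, same leading bytes, zero-padded to 128 bits)."""
    net = ipaddress.ip_network(ipv4_prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    padded = net.network_address.packed[:nbytes] + b"\x00" * (16 - nbytes)
    return str(ipaddress.IPv6Network((padded, net.prefixlen)))


if __name__ == "__main__":
    v4, v6 = "1.2.0.0/16", ipv6_twin("1.2.0.0/16")  # constructed sample input
    print(v6, encode_nlri(v4).hex(), encode_nlri(v6).hex())
    print("collide without AFI:", digest(signed_data_without_afi(v4)) == digest(signed_data_without_afi(v6)))
    print("collide with AFI:   ", digest(signed_data_with_afi(v4)) == digest(signed_data_with_afi(v6)))
```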