Re: [sidr] Route Leaks and BGP Security

Jakob Heitz <jakob.heitz@ericsson.com> Mon, 21 November 2011 06:17 UTC

Return-Path: <jakob.heitz@ericsson.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EECE21F8AEA for <sidr@ietfa.amsl.com>; Sun, 20 Nov 2011 22:17:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.394
X-Spam-Level:
X-Spam-Status: No, score=-6.394 tagged_above=-999 required=5 tests=[AWL=0.205, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BE-U0IOyQdTS for <sidr@ietfa.amsl.com>; Sun, 20 Nov 2011 22:17:36 -0800 (PST)
Received: from imr4.ericy.com (imr4.ericy.com [198.24.6.9]) by ietfa.amsl.com (Postfix) with ESMTP id 7DB8921F8ADC for <sidr@ietf.org>; Sun, 20 Nov 2011 22:17:36 -0800 (PST)
Received: from eusaamw0706.eamcs.ericsson.se ([147.117.20.31]) by imr4.ericy.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id pAL6HWso015740; Mon, 21 Nov 2011 00:17:34 -0600
Received: from EUSAACMS0701.eamcs.ericsson.se ([169.254.1.20]) by eusaamw0706.eamcs.ericsson.se ([147.117.20.31]) with mapi; Mon, 21 Nov 2011 01:17:33 -0500
From: Jakob Heitz <jakob.heitz@ericsson.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Date: Mon, 21 Nov 2011 01:17:32 -0500
Thread-Topic: [sidr] Route Leaks and BGP Security
Thread-Index: AcyoE6xd15/hZYmjR2ysn94zGp8PdwAADQ0w
Message-ID: <7309FCBCAE981B43ABBE69B31C8D21391A47045264@EUSAACMS0701.eamcs.ericsson.se>
References: <20111117040124.18551.47190.idtracker@ietfa.amsl.com> <0863194F-7564-40A9-BB73-ABF8BB97C3AB@tcb.net> <7309FCBCAE981B43ABBE69B31C8D21391A4704525E@EUSAACMS0701.eamcs.ericsson.se> <CAL9jLabbHVauBYUkXCxdpWW90Vt+fMRzATr-aOrdU912ibxJeQ@mail.gmail.com>
In-Reply-To: <CAL9jLabbHVauBYUkXCxdpWW90Vt+fMRzATr-aOrdU912ibxJeQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Route Leaks and BGP Security
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2011 06:17:37 -0000

> -----Original Message-----
> From: christopher.morrow@gmail.com
> [mailto:christopher.morrow@gmail.com] On Behalf Of Christopher
> Morrow
> Sent: Sunday, November 20, 2011 10:06 PM
> To: Jakob Heitz
> Cc: Danny McPherson; sidr wg list
> Subject: Re: [sidr] Route Leaks and BGP Security
> 
> On Mon, Nov 21, 2011 at 12:40 AM, Jakob Heitz
> <jakob.heitz@ericsson.com> wrote:
> > To make the route leak problem tractable, we need a definition.
> > Here is my attempt:
> >
> 
> danny's draft actually does a decent job of saying what a leak is
> (one instance of a leak at least, which is fine), it just doesn't
> say how you'd know that from 2 as-hops away... (today, with out bgp
> changes and/or external knowledge about the ASes in the AS-Path)
> 
> <snip>
> 
> > When S sends a packet to D, that packet should traverse only ASs
> that
> > S trusts OR that D trusts. If the packet traverses an AS that
> NEITHER
> > S NOR D trusts, then a route leak has occurred.
> 
> how is this 'trust' known? how does it translate down the chain? I
> don't trust AS9001 anymore than 4134 than 4366 than 3 ... I do
> happen to fling packets through them though :(

You contracted it to provide you connectivity.
If it doesn't, it breaks the contract.

> 
> > When a route announcement leaves the set of ASs trusted by its
> > originator, Brian's "transit" bit turns off.
> 
> I doubt the originator trusts anyone except itself... and MAYBE it's
> transits.
> 
> why mix two topics? :( (also, how does the route know it crossed
> this boundary and a bit needs flipping?)

When the provider sends it to another customer or
another AS that is not contracted to provide connectivity
for that route.

> 
> -chris

The trust I'm talking about is the trust to provide
connectivity, not the trust not to snoop your packets
or anything else.