IETF Logo Mail Archive

Re: [sidr] BGPSEC Threat Model ID

Russ White <russw@riw.us> Thu, 03 November 2011 12:00 UTC

Return-Path: <russw@riw.us>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03F9C11E80D2 for <sidr@ietfa.amsl.com>; Thu, 3 Nov 2011 05:00:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.155
X-Spam-Level:
X-Spam-Status: No, score=-2.155 tagged_above=-999 required=5 tests=[AWL=0.444, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZR+kuoD3FebK for <sidr@ietfa.amsl.com>; Thu, 3 Nov 2011 05:00:08 -0700 (PDT)
Received: from ecbiz91.inmotionhosting.com (ecbiz91.inmotionhosting.com [173.205.124.250]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA6911E8088 for <sidr@ietf.org>; Thu, 3 Nov 2011 05:00:08 -0700 (PDT)
Received: from rtp-isp-nat1.cisco.com ([64.102.254.33]:53848 helo=[10.117.153.102]) by ecbiz91.inmotionhosting.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <russw@riw.us>) id 1RLvxm-0002jg-Jl for sidr@ietf.org; Thu, 03 Nov 2011 08:00:06 -0400
Message-ID: <4EB28247.8010604@riw.us>
Date: Thu, 03 Nov 2011 08:00:07 -0400
From: Russ White <russw@riw.us>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: sidr@ietf.org
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@[193.0.26.186]> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@[193.0.26.186]> <D9A38669-883D-4090-9F95-BC5C63220950@tcb.net>
In-Reply-To: <D9A38669-883D-4090-9F95-BC5C63220950@tcb.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ecbiz91.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - riw.us
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 12:00:09 -0000

> To say that BGP routes "leaked" via an AS for purposes of MITM, DoS, or
> benign, that is not an authorized transit for a given prefix is out of
> scope 
> because it is not a "semantics violation" does not mitigate what I perceive 
> as  a very significant risk to my operations.  

This is something of an aside --but I find the entire discussion about
"semantics violations" a bit of a red herring. If we are to secure every
possible "semantic violation," then we should also be securing
communities, next hops, and verifying the AS of the peering router is
actually the AS contained in the AS Path --in a way that operators
multiple hops away can check. These are all also "BGP semantics," not
just the AS Path.

> Absent a companion set of mechanisms and controls under cover of "BGPSEC" 
> to mitigate that risk, I'm opposed to the publication of this document
> under the 
> auspices  of  "Threat Model for BGP Path Security".  I.e., it is not an
> acceptable 
> residual risk.

The bottom line issue --as I see it-- is that we've never properly
defined the problem space.

To secure something requires that everyone understand the intent,
whether by implying it from inband signaling, or knowing it through out
of band signaling. SIDR --and hence this threats document-- has been
going down the path of "we want security without knowing intent." A
logical impossibility.

So, I agree with Danny --this document doesn't cover the threat space,
and shouldn't be published. Instead, we need a real analysis of the
entire threat space, without regard to the difficulty of actually
securing that space.

> I'm saying policy is a big part of the problem, at least as considerable
> as  
> "integrity" of the AS_PATH, IMO, and if we don't take a systemic approach 
> and consider the gaps that exist, then it's hard for me to justify the 
> investment.

To put this in different terms:

1. You can't know if something is "secure" without knowing the intent of
the "authorizer."
2. You can't know someone's intent unless they tell you --inferring
intent is dangerous and bad.
3. Hence, securing a system without advertising intent is impossible.
4. Intent == policy.
5. If you're going to include policy, then you need to consider all
policy, and not just a narrow range of policy "because this is what I
care about, and it's what also happens to be easy to secure."

Whether intent should be transmitted in band or out of band is a matter
of open discussion (though I think we must either resolve to change the
nature of BGP, or resolve to signal intent out of band).

:-)

Russ

v2.23.0 | Report a Bug | By Email