IETF Logo Mail Archive

Re: [sidr] BGPSEC Threat Model ID

Christopher Morrow <morrowc.lists@gmail.com> Fri, 04 November 2011 21:07 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 385AC21F8AF3 for <sidr@ietfa.amsl.com>; Fri, 4 Nov 2011 14:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.528
X-Spam-Level:
X-Spam-Status: No, score=-103.528 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Imn3Oo87wWE for <sidr@ietfa.amsl.com>; Fri, 4 Nov 2011 14:07:06 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2431821F8AE6 for <sidr@ietf.org>; Fri, 4 Nov 2011 14:07:06 -0700 (PDT)
Received: by iaeo4 with SMTP id o4so3892192iae.31 for <sidr@ietf.org>; Fri, 04 Nov 2011 14:07:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=mLjIgtGrKkVgmEeFc6u5dNefz/XzBPUoaVM3o/Pvnbc=; b=YfQs/LfSB0SRJLr36IFW108/7/W8Q0kRZufEF6rovdAvDwKc5oH5WcwRKKD5Uxwtpa eScsiM2H29cIqb0NBzkyEBMOX5uJbgn2GIUHmZ9uk9fShGChQdETLGpn7ZSUSqcCAhjF EVvCo5AbV7GKUbilry5g21muv1wLv6clWSBLo=
MIME-Version: 1.0
Received: by 10.231.68.20 with SMTP id t20mr4290529ibi.18.1320440825770; Fri, 04 Nov 2011 14:07:05 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.231.202.142 with HTTP; Fri, 4 Nov 2011 14:07:05 -0700 (PDT)
In-Reply-To: <53FA9B4A-552C-4998-8F69-592A0F5AA13B@verisign.com>
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@193.0.26.186> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@193.0.26.186> <D9A38669-883D-4090-9F95-BC5C63220950@tcb.net> <p06240801cad800485596@193.0.26.186> <EEBF68E0-FAD9-4AF3-B81B-78760D200D9B@tcb.net> <p06240808cad85ff73d61@193.0.26.186> <080F8FFF-D2C7-4414-B53A-233F88D2009F@vpnc.org> <CAFU7BATC-6DUDNuadakwSa5wj0ryy0=49=XveBXD5Wv=5JL-ag@mail.gmail.com> <m2aa8c489s.wl%randy@psg.com> <53FA9B4A-552C-4998-8F69-592A0F5AA13B@verisign.com>
Date: Fri, 04 Nov 2011 17:07:05 -0400
X-Google-Sender-Auth: Pa-tpK9GvzG8HrzSlAivIxWmp9s
Message-ID: <CAL9jLaZj1wcmDnbm1f9=csUv2Uuq_w3rS6UEYmUHAQDPWT9zFg@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Eric Osterweil <eosterweil@verisign.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2011 21:07:08 -0000

On Fri, Nov 4, 2011 at 3:05 PM, Eric Osterweil <eosterweil@verisign.com> wrote:
>
> This is a list of three questions.  Until there is discussion of the first, it is premature to address the second two.  Therefore, how about we just choose a specific case of the first: how would BGPSec protect against an instance of an event found here:
>        http://puck.nether.net/bgp/leakinfo.cgi
>

I'm not randy, but I was talking about this very thing in the office
today with a co-worker... I'm not clear on how anything can stop an
instance like:
src      time                                        prefix
puck	2011-11-04 16:15:49.157742	8.10.160.0/23	
   path
   2914 2828 12989 12189 3356 19181 19181 19181
  Contact   score  blame_asn
   2828	3	12989

As I read this, 12989 (highwind) is 'accidentally' announcing
reachability for 8.10.160.0/23 (CWIE? AS19181). Looking at one popular
source of routing data:
  <http://www.robtex.com/as/as19181.html>

it actually seems that the 2 people may be peers :( the route that we
see is merely an artifact of their connectivity and 'poor route
selection' inside their networks :(

Point being that in cases like this (or really all route leak cases)
the only thing that stops this is filtering routes between bgp peers.
(transits, customers, SFP peers) There isn't anything in the protocol
itself (which is Stephen's, Russ's, Randy's comment through out) that
tells you/me/them that 12989 should not be permitted to announce this
route. (looking at available data, it seems that they SHOULD, perhaps
not with this ASPath, but...)

How would you go about telling, from the data on the wire in bgp, that
a route is a hijack?
How would you propose changing the data on the wire in bgp today to do
this tomorrow?

Would having data you could mechanically verify about the routes and
origins and relationships (say connectivity only?) between bgp peers
help solve this problem?

In my view I don't see a change to the BGP wire format helping, I do
see existence of data to mechanically verify ownership (and perhaps
connectivity information?) helping.

-chris

v2.23.0 | Report a Bug | By Email