Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats-07.txt
Stephen Kent <kent@bbn.com> Wed, 09 October 2013 15:13 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1E7321E809F for <sidr@ietfa.amsl.com>; Wed, 9 Oct 2013 08:13:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.966
X-Spam-Level:
X-Spam-Status: No, score=-105.966 tagged_above=-999 required=5 tests=[AWL=0.632, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gui95aUVsuxe for <sidr@ietfa.amsl.com>; Wed, 9 Oct 2013 08:13:14 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 6A87321E811A for <sidr@ietf.org>; Wed, 9 Oct 2013 08:13:12 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:49391) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1VTvRn-0007W9-BQ; Wed, 09 Oct 2013 11:13:11 -0400
Message-ID: <52557287.8010205@bbn.com>
Date: Wed, 09 Oct 2013 11:13:11 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: "George, Wes" <wesley.george@twcable.com>
References: <20131008204114.28645.53351.idtracker@ietfa.amsl.com> <2671C6CDFBB59E47B64C10B3E0BD5923043C7556E1@PRVPEXVS15.corp.twcable.com>
In-Reply-To: <2671C6CDFBB59E47B64C10B3E0BD5923043C7556E1@PRVPEXVS15.corp.twcable.com>
Content-Type: multipart/alternative; boundary="------------070307010501060905010403"
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats-07.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2013 15:13:21 -0000
Wes, Sorry. I was on vacation when your message was sent, and I did not see it when I processed all of the messages upon return, two weeks later. I did locate it in the archive today, after seeing your message. I'll treat your comments as IETF last call comments since, as you note, they were posted long after WGLC. Your comments were: Maybe I'm hypersensitive to such in light of recent accusations of national actors subverting supposedly secure infrastructure to behave badly, but I find it odd that this threats document doesn't discuss the interaction between a national actor and the machinery provided by draft-ietf-sidr-ltamgmt. i.e. a national actor imposes upon SPs that operate inside their borders to use their own Local (and compromised) Trust Anchor to subvert the protections provided by RPKI. While this is primarily a concern for origin validation, I view it as distinct from the existing discussion of attacks on a CA covered in 4.5, and there is no equivalent Origin Validation threats document. It may be that the right path is to augment the discussion of this issue in the LTA management draft, and simply reference it from this draft, but I don't think that this is discussed suitably in the security considerations of either draft. The increased sensitivity to nation-level threats is understandable.The threats doc lists nations as a category of adversary in Section 3; we have not ignored them. (Can you name any other IETF threat analysis that has done so?) The doc does not discuss attacks by nations against LTAM. The RPKI, as specified in RFCs 6480-91, is addressed for completeness, and because the SIDR charter mandates use of the RPKI. LTAM is still an I-D; it is not part of the RPKI standards. As such, I don't consider it to be in scope for this doc. More to the point, as lead author of the LTAM doc, I anticipate reducing its scope in a way that may remove the concern you raised. However, our new I-D, "Suspenders" may raise similar concerns. I think it appropriate to discuss them if and when the WG elects to adopt that doc as a work item. Section 4.2 is missing any discussion regarding manipulation of other route attributes that may be used to affect a BGP route's selection, such as MED, Local Pref. It's covered in section 5, but since this occurred to me whilst reading section 4.2, perhaps some mention in 4.2 would be useful, I don't know. As you noted, Section 5 discusses other attributes that are not considered in this doc, and explains why. Unless Stewart directs us to add a forward pointer in 4.2, I don't plan to do so. That said, I also think that the discussion of this topic at the end of session 5 is inadequate for a document in IETF LC. The SIDR WG made a conscious decision to secure *only* the AS_Path attribute, and leave other attributes insecure, but there is no summary of the underlying rationale supporting this choice. Pointing to a WG charter as the sole explanation, and noting that this document should be changed if the charter is updated is unacceptable, as it provides no context to a reader that was not privy to the discussion leading to that charter/scope decision. No one (other than you) suggested that we include a discussion of the history of the charter/scope discussion here. I do not recall seeing such a discussion in any other threat analysis doc. I don't plan to add such a discussion here. It also makes reference to something fairly ephemeral (a WG and charter) in a permanent document. Fine for a draft in WG discussion to have that sort of placeholder, but not anymore. The latest version (-07) of the threats document added a paraphrase of the relevant charter text to address the concern about referencing a charter, an issue raised by David Black in his GENART review. There is a brief (and IMO incomplete) discussion of this matter to be found in section 2.3 of draft-sriram-bgpsec-design-choices that could be referenced, but since that document's future is unclear, some standalone discussion within this document might be more appropriate. At a minimum, a threats document should discuss why these threats are not considered high enough risk to justify the added complexity of securing them using the RPKI. A threat analysis, in principle, identifies adversaries, their motivations for carrying out classes of attacks, and their capabilities to do so. It need not establish requirements for acceptable designs, or propose countermeasures to address classes of attacks. In this doc we went beyond those essential threat analysis elements, because there was no RPKI threat doc (and because the charter calls for use of the RPKI as a basis for BGPSEC). A requirements doc is a place where one defines what needs to be done by a solution, to address the threats previously described. Steve
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats… internet-drafts
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Andrei Robachevsky
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stewart Bryant
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes