Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
Russ Housley <housley@vigilsec.com> Wed, 04 January 2017 19:22 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E688129A7E for <sidr@ietfa.amsl.com>; Wed, 4 Jan 2017 11:22:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SKy_bUsvyUS6 for <sidr@ietfa.amsl.com>; Wed, 4 Jan 2017 11:22:49 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47FF2129A40 for <sidr@ietf.org>; Wed, 4 Jan 2017 11:22:49 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id DFBBB30042F for <sidr@ietf.org>; Wed, 4 Jan 2017 14:12:32 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id LsHZ_rbXF9t4 for <sidr@ietf.org>; Wed, 4 Jan 2017 14:12:31 -0500 (EST)
Received: from [192.168.2.100] (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 59138300278; Wed, 4 Jan 2017 14:12:31 -0500 (EST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <148353798879.13011.5291414579598073386.idtracker@ietfa.amsl.com>
Date: Wed, 04 Jan 2017 14:24:05 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <B659D894-672F-4059-A001-5C4D1D602470@vigilsec.com>
References: <148353798879.13011.5291414579598073386.idtracker@ietfa.amsl.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/rYfg3BKnioE2juyf5uRKeTRluXk>
Cc: IESG <iesg@ietf.org>, IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 19:22:51 -0000
> ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I have a couple of fairly straightforward things I'd > like to briefly discuss... > > [snip] > > (3) section 8: Is there a potential exposure here in that > a relying party who emits e.g. certificate status checks > or cert retrieval queries for an RPKI cert they've not > previously seen is exposing something about the set of > paths its traffic is likely to follow. (This is similar to > why we have OCSP stapling in the web.) IIRC the RPKI specs > may cover this but I suspect it'd be worth noting here as > well even if so as this represents exposing something > about BGP announcement content to off-path parties which I > think is new for BGP. Is that a new thing for BGP? (I > think the new aspect to the attack is that a bad actor who > has already compromised some AS could more easily spot > that traffic from the relying party's AS is likely to > transit the compromised AS.) I am not sure what you mean by a "compromised AS,” but it may not matters … If a link goes down, and that causes an alternative path to be selected, that forces the validation a new path which might involve a previously unvalidated AS. If an OCSP responder or repository that provides RPKI objects is contacted as part of that validation, then some external entities can detect that something is changing. That is, stuff not normally validated because it is associated with a unselected path gets fetched. That said, the NOC could fetch a snapshot of the RPKI, then the exposure of the switch to a new path can be limited to that AS. This assumes that the snapshot uses CRLs, which seems like a very reasonable choice in the RPKI. Russ
- [sidr] Stephen Farrell's Discuss on draft-ietf-si… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sean Turner
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Russ Housley
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Mehmet Adalier (Antara Teknik)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Montgomery, Douglas (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Montgomery, Douglas (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Randy Bush