Re: [sidr] BGPSEC Threat Model ID

Christopher Morrow <morrowc.lists@gmail.com> Fri, 04 November 2011 04:49 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5216421F9050 for <sidr@ietfa.amsl.com>; Thu, 3 Nov 2011 21:49:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.52
X-Spam-Level:
X-Spam-Status: No, score=-103.52 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id exm5bNzLOB-T for <sidr@ietfa.amsl.com>; Thu, 3 Nov 2011 21:49:48 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 8F1F121F8F2F for <sidr@ietf.org>; Thu, 3 Nov 2011 21:49:48 -0700 (PDT)
Received: by iaeo4 with SMTP id o4so2733861iae.31 for <sidr@ietf.org>; Thu, 03 Nov 2011 21:49:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=+ACN7dpVkVfI+4cG1dDP0QQPg0N+U+wvU8pw0VZfEp8=; b=X6DmOdjo4ig1AhNtaKST4jbbn7BCLrFKjAKKGVIFg1HcxEaU0HjCkapHAdJKEPQugp fzU9edS2tAeC7A5sXEkwgAMllLciNUu4z/ricEnA31Snx/cgj58AXp304t0RbPj3fBx3 nwVFC7twBpa9fxqhC5sdKC7Zp9REKSEDFX5GA=
MIME-Version: 1.0
Received: by 10.231.68.20 with SMTP id t20mr3022570ibi.18.1320382187871; Thu, 03 Nov 2011 21:49:47 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.231.202.142 with HTTP; Thu, 3 Nov 2011 21:49:47 -0700 (PDT)
In-Reply-To: <CAH1iCiqTST7V=jdHe8R04nfP-0c33NSo9m4gZ_majpx7wUCciw@mail.gmail.com>
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@193.0.26.186> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@193.0.26.186> <CAH1iCir-UoT+BMOD53oxQ9fdMiGirvaTL0eZDS3A5wVEDuw2LA@mail.gmail.com> <4EB170AD.1030302@riw.us> <CAH1iCiqTST7V=jdHe8R04nfP-0c33NSo9m4gZ_majpx7wUCciw@mail.gmail.com>
Date: Fri, 4 Nov 2011 00:49:47 -0400
X-Google-Sender-Auth: tOlTkiQajScNB9GZE2R8gzWuA0I
Message-ID: <CAL9jLaYJjP+K8OgfxvMx5_JSRTQ9pvcKbFuV4WHzpe5YzvGC0g@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: sidr@ietf.org
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2011 04:49:49 -0000

(coming in late to the party, weee!)

On Wed, Nov 2, 2011 at 1:08 PM, Brian Dickson
<brian.peter.dickson@gmail.com> wrote:
>>> (5) If any BGP path attribute used in Path Selection is not signed,
>>> then BGPSEC has failed to meet its charter requirements.
>>
>> Then MED and Local Pref must also be signed, along with a number of
>> communities, and even the next hop.
>
> Yes.

err, so... you receive a route update from AS1 at AS2, it looks roughly like:
   1.2.3.0/24 nh = 192.168.1.1
  this is signed (all of the above data)

When you pass this route off to AS3 you do so as:
   1.2.3.0/24 nh = 10.1.1.1
  the nh changed, the sig originally is for 192.168.1.1

Did you really mean to sign the next-hop? it seems infeasible...

Also, LocalPref is a locally used/determined/created (non-transitive)
item, adding that set of bits into the signature seems blatantly
wrong, since the data won't exist when you pass the route outside your
ASN the verification is going to fail, for every route you send (which
had a localpref != default), That CERTAINLY seems like something you
would want to avoid, right?

-chris