IETF Logo Mail Archive

Re: [sidr] Key learning procedures in BGPsec?

Eric Osterweil <eosterweil@verisign.com> Tue, 24 January 2012 18:44 UTC

Return-Path: <eosterweil@verisign.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1D3A21F84C5 for <sidr@ietfa.amsl.com>; Tue, 24 Jan 2012 10:44:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.539
X-Spam-Level:
X-Spam-Status: No, score=-6.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5PL5gbATsIgt for <sidr@ietfa.amsl.com>; Tue, 24 Jan 2012 10:44:01 -0800 (PST)
Received: from exprod6og107.obsmtp.com (exprod6og107.obsmtp.com [64.18.1.208]) by ietfa.amsl.com (Postfix) with ESMTP id DC04E11E8094 for <sidr@ietf.org>; Tue, 24 Jan 2012 10:44:00 -0800 (PST)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob107.postini.com ([64.18.5.12]) with SMTP ID DSNKTx777ZS/Na/cz4KvpDxFN/yPreATkr3F@postini.com; Tue, 24 Jan 2012 10:44:00 PST
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id q0OIhtI2025936; Tue, 24 Jan 2012 13:43:57 -0500
Received: from dul1eosterwe-m1.vcorp.ad.vrsn.com ([10.88.30.33]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 24 Jan 2012 13:43:55 -0500
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Eric Osterweil <eosterweil@verisign.com>
In-Reply-To: <p06240801cb43712287ed@[10.243.32.68]>
Date: Tue, 24 Jan 2012 13:43:54 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <79053E60-25FE-4A84-9391-F451C8F0E720@verisign.com>
References: <13269421-8A36-4628-9F1A-30E02B922AE1@verisign.com> <24B20D14B2CD29478C8D5D6E9CBB29F6074CA8@Hermes.columbia.ads.sparta.com> <A0B7EE2D-8E59-4DC8-9DC0-140E9574B479@verisign.com> <p06240804cb3caa4fd051@[128.89.89.66]> <CCE15AEB-D606-4A59-8118-BA5CD53413E8@verisign.com> <p06240807cb3e3e117777@[128.89.89.66]> <12C07EA1-EDC5-4F88-99F7-B57B9AF53C53@verisign.com> <p06240801cb43712287ed@[10.243.32.68]>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1084)
X-OriginalArrivalTime: 24 Jan 2012 18:43:55.0133 (UTC) FILETIME=[1FF472D0:01CCDAC8]
Cc: "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] Key learning procedures in BGPsec?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 18:44:02 -0000

On Jan 23, 2012, at 3:28 PM, Stephen Kent wrote:

> At 10:38 PM -0500 1/19/12, Eric Osterweil wrote:
>> 
>> > This is a local matter, so each ISP can decide what approach they wish to adopt. I personally prefer installing the cert for the CA.
>> 
>> Yeah, I see.  I agree that it should be a local policy decision, but then how does this avoid my initial concern about relying on crypto material that has been dispatched through customs (or some other suspect medium), where key material could be intercepted and extracted?
> 
> The focus of BGPSEC is improving inter-AS routing security. The operator of any AS may not do a great job of securing the keys associated with some or all of its routers. Other ASes will not, in general, be able to evaluate the operational security of an AS. BGPSEC tries to limit the extent to which an AS  can lie about routes that it propagates. Local (within an AS) security errors or poor practices do not undermine this security feature.

This seems almost like a self-contradictory statement.  How is the system improving AS security if keys can only be deployed over a potentially compromised medium, and there is no provision for CAs, signers, RPs, etc. to express partial trust?  With BGPSEC, we are already assuming some degree of trust imparted by signatures, but your comment above suggests that there should be some further understanding that "other ASes" cannot evaluate the trustworthiness of what they are consuming...  If this is the case, I would worry that we are worse off with this false sense of security...

To put it differently, I think this highlights a misalignment between the design of BGPSEC and what operators are going to have to deal with.  We're not giving any choice to operators that will essentially have to risk compromise, or not play in this system at all...

> 
>> Also, is it safe to assume that you would need the CA(s) to restrict access to just your own routers (so that unknown routers/certs cannot issue KGReqs that result in KGReses)?
> 
> A CA issuing certs to routers in an AS must have a way to verify that a cert request is form a legitimate source. There are various ways this can be done and, ultimately, this too is a local matter.

Actually, I think this is a "turtles all the way down" issue.  I cannot see any silver bullet here that solves this (which is what I'm trying to highlight).  We can't bootstrap trust in a BGPSEC router's key w/o some external handshake, but we can't bootstrap that handshake without some external cert, but we can't bootstrap that without... etc.  Deploying a remote signer with sensitive information (private keys, shared secrets, etc.) seems to be a serious problem...

> 
>> > When key escrow has been required, it has usually been mandated for keys used for encryption, not for integrity or authentication. Since we're discussing integrity & authentication here, it is not clear that there are any applicable key escrow regulations.
>> 
>> Sorry if I'm confused, but in the diagrams in 1.2.1 and 1.2.2, don't the curly braces denote encrypted material?  I thought the responses in the key exchanges where necessarily encrypted in this protocol? Otherwise, the new private key is sent in the clear.  I fully accept the possibility that I'm confused here, but if the material is encrypted and needs to be decrypted, would the corresponding keys be subject to escrow policies?
> 
> Typically no, because the use of the key being issued is for signing.

But the diagrams show encryption.  Are the KGRes private keys to be sent in the clear then?

> 
>> > Also, the IETF general policy has been to ignore any nation-specific crypto regulations when  developing standards.
>> 
>> I see, I guess I had thought we should be worried about the eventual operational issues that might arise.  I didn't know this was taboo, but shouldn't we find a way to address these concerns in order to help ensure the design's operational relevance when it's finished? I'm just bringing this up in the sprit of making this design more relevant, not because I think there should be some official linkage to escrow policies or anything.
> 
> In general it is appropriate to worry about operational issues. But, I'd suggest that key escrow is not within scope, based on previous IETF experience in related areas.

OK, I suppose my parting thought on this escrow issue, then, is that having to negotiate key escrow is an issue that operators will be required to face with this system, and I am worried that our working group's secure design might be a non-starter for some unless we try to address this issue it in the design.  I really feel like we need to fix this to keep our design relevant.

Eric

v2.23.0 | Report a Bug | By Email