Re: [sidr] BGPSEC Threat Model ID

Brian Dickson <> Fri, 04 November 2011 05:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7376911E808D for <>; Thu, 3 Nov 2011 22:32:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.565
X-Spam-Status: No, score=-3.565 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id idpCIlsyIKZo for <>; Thu, 3 Nov 2011 22:32:21 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7E57111E8081 for <>; Thu, 3 Nov 2011 22:32:21 -0700 (PDT)
Received: by faas12 with SMTP id s12so2713651faa.31 for <>; Thu, 03 Nov 2011 22:32:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ngFptfSZfaulezZJw7lbTD4RAmraj8hd1t7Jsw3SwOA=; b=Y0QHxdfWoGP+qadY1QTfkkcvTVTso/nfGuZArUw5BJ6B7ZLDnDM/4daKUJTcuVNKnQ ADK5sqQIPTrp0fripbhwtLylaij8nhtFUtrhc7GGsLgGpKVmU58Kn8setGciOATL+o6a 4YXxCFH61spWHmRWqazPz0WrqgzhzvyHKtbCo=
MIME-Version: 1.0
Received: by with SMTP id a27mr21681983fak.12.1320384740462; Thu, 03 Nov 2011 22:32:20 -0700 (PDT)
Received: by with HTTP; Thu, 3 Nov 2011 22:32:20 -0700 (PDT)
In-Reply-To: <>
References: <> <p06240807cad42f85eb7d@> <> <p06240801cad6ab773279@> <> <> <> <>
Date: Fri, 4 Nov 2011 01:32:20 -0400
Message-ID: <>
From: Brian Dickson <>
To: Christopher Morrow <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [sidr] BGPSEC Threat Model ID
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Nov 2011 05:32:22 -0000

On Fri, Nov 4, 2011 at 12:49 AM, Christopher Morrow
<> wrote:
> (coming in late to the party, weee!)
> On Wed, Nov 2, 2011 at 1:08 PM, Brian Dickson
> <> wrote:
>>>> (5) If any BGP path attribute used in Path Selection is not signed,
>>>> then BGPSEC has failed to meet its charter requirements.
>>> Then MED and Local Pref must also be signed, along with a number of
>>> communities, and even the next hop.
>> Yes.
> err, so... you receive a route update from AS1 at AS2, it looks roughly like:
> nh =
>  this is signed (all of the above data)
> When you pass this route off to AS3 you do so as:
> nh =
>  the nh changed, the sig originally is for
> Did you really mean to sign the next-hop? it seems infeasible...
> Also, LocalPref is a locally used/determined/created (non-transitive)
> item, adding that set of bits into the signature seems blatantly
> wrong, since the data won't exist when you pass the route outside your
> ASN the verification is going to fail, for every route you send (which
> had a localpref != default), That CERTAINLY seems like something you
> would want to avoid, right?

Er, on non-transitive items like LocalPref, there is a use case for signing
them iff the iBGP elements are decided as being in-scope.
(I agree with Danny on this being worth considering.)

What we are discussing is the threat model, and how threats could be

This in turn is used to inform the design of the protocol, not vice versa.

So, when I say "signed", what I was thinking of was something along the lines
of a sequence of  blocks that might look something like:
and after all those blocks,

The stack gives a history of transitive and non-transitive values,
some of which won't be used for local policy decisions per se, and some of which
can quite reasonably have been changes at each hop. The signatures protect
that data.

How the protected data itself is used is local policy, for selecting best path.
This is more information than vanilla BGP has, of course, but arguably allows
for better path selection by virtue of more data being available locally.

Note that nothing is present than is generally known through various
data sources,
including local BGP tables, looking glasses, routeviews/Renesys, traceroutes,
whois, RADB/IRR, RIRs, reverse DNS etc.

Adding this "stack" allows for other aspects of local policy to be
marked into the path,
including markers suitable for preventing route leaks.

It also means that non-transitive values can magically become pseudo-transitive,
presuming the cruft that permits constructing local policy can be made
to understand
the association between AS-path hops and the captured policy at those hops.
(This is a feature, not a bug.)

The signatures make it possible to reject changes to this stack of
path-historical data.
The data makes it possible to choose to use the originated values, the
latest values,
or anything in between, however one chooses.
The requirements to continue adding to this stack ensures the next AS
to which the
prefix is sent, has the same opportunity to apply local policy.
Add a dollop of 'transit/non-transit' at each hop (mandatory but
arbitrary), and simple
leak-blocking (nearly fool-proof, in fact) is possible to support.