Re: [sidr] BGPSEC Threat Model ID
Brian Dickson <brian.peter.dickson@gmail.com> Fri, 04 November 2011 05:32 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7376911E808D for <sidr@ietfa.amsl.com>; Thu, 3 Nov 2011 22:32:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.565
X-Spam-Level:
X-Spam-Status: No, score=-3.565 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idpCIlsyIKZo for <sidr@ietfa.amsl.com>; Thu, 3 Nov 2011 22:32:21 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 7E57111E8081 for <sidr@ietf.org>; Thu, 3 Nov 2011 22:32:21 -0700 (PDT)
Received: by faas12 with SMTP id s12so2713651faa.31 for <sidr@ietf.org>; Thu, 03 Nov 2011 22:32:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ngFptfSZfaulezZJw7lbTD4RAmraj8hd1t7Jsw3SwOA=; b=Y0QHxdfWoGP+qadY1QTfkkcvTVTso/nfGuZArUw5BJ6B7ZLDnDM/4daKUJTcuVNKnQ ADK5sqQIPTrp0fripbhwtLylaij8nhtFUtrhc7GGsLgGpKVmU58Kn8setGciOATL+o6a 4YXxCFH61spWHmRWqazPz0WrqgzhzvyHKtbCo=
MIME-Version: 1.0
Received: by 10.223.76.27 with SMTP id a27mr21681983fak.12.1320384740462; Thu, 03 Nov 2011 22:32:20 -0700 (PDT)
Received: by 10.223.54.15 with HTTP; Thu, 3 Nov 2011 22:32:20 -0700 (PDT)
In-Reply-To: <CAL9jLaYJjP+K8OgfxvMx5_JSRTQ9pvcKbFuV4WHzpe5YzvGC0g@mail.gmail.com>
References: <E96517DD-BAC7-4DD8-B345-562F71788C6A@tcb.net> <p06240807cad42f85eb7d@193.0.26.186> <32744.216.168.239.87.1320175657.squirrel@webmail.tcb.net> <p06240801cad6ab773279@193.0.26.186> <CAH1iCir-UoT+BMOD53oxQ9fdMiGirvaTL0eZDS3A5wVEDuw2LA@mail.gmail.com> <4EB170AD.1030302@riw.us> <CAH1iCiqTST7V=jdHe8R04nfP-0c33NSo9m4gZ_majpx7wUCciw@mail.gmail.com> <CAL9jLaYJjP+K8OgfxvMx5_JSRTQ9pvcKbFuV4WHzpe5YzvGC0g@mail.gmail.com>
Date: Fri, 04 Nov 2011 01:32:20 -0400
Message-ID: <CAH1iCiqT_eLKR82jc0LHxxVAXav8iW4QtPxFrpk7JgbD0gCsyg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr@ietf.org
Subject: Re: [sidr] BGPSEC Threat Model ID
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2011 05:32:22 -0000
On Fri, Nov 4, 2011 at 12:49 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote: > (coming in late to the party, weee!) > > On Wed, Nov 2, 2011 at 1:08 PM, Brian Dickson > <brian.peter.dickson@gmail.com> wrote: >>>> (5) If any BGP path attribute used in Path Selection is not signed, >>>> then BGPSEC has failed to meet its charter requirements. >>> >>> Then MED and Local Pref must also be signed, along with a number of >>> communities, and even the next hop. >> >> Yes. > > err, so... you receive a route update from AS1 at AS2, it looks roughly like: > 1.2.3.0/24 nh = 192.168.1.1 > this is signed (all of the above data) > > When you pass this route off to AS3 you do so as: > 1.2.3.0/24 nh = 10.1.1.1 > the nh changed, the sig originally is for 192.168.1.1 > > Did you really mean to sign the next-hop? it seems infeasible... > > Also, LocalPref is a locally used/determined/created (non-transitive) > item, adding that set of bits into the signature seems blatantly > wrong, since the data won't exist when you pass the route outside your > ASN the verification is going to fail, for every route you send (which > had a localpref != default), That CERTAINLY seems like something you > would want to avoid, right? Er, on non-transitive items like LocalPref, there is a use case for signing them iff the iBGP elements are decided as being in-scope. (I agree with Danny on this being worth considering.) What we are discussing is the threat model, and how threats could be countered. This in turn is used to inform the design of the protocol, not vice versa. So, when I say "signed", what I was thinking of was something along the lines of a sequence of blocks that might look something like: LocalBGPPerHopData signature(LocalBGPPerHopData|previousSignature) and after all those blocks, originatorSignature(FirstHopData|RPKI-validatable-data) The stack gives a history of transitive and non-transitive values, some of which won't be used for local policy decisions per se, and some of which can quite reasonably have been changes at each hop. The signatures protect that data. How the protected data itself is used is local policy, for selecting best path. This is more information than vanilla BGP has, of course, but arguably allows for better path selection by virtue of more data being available locally. Note that nothing is present than is generally known through various data sources, including local BGP tables, looking glasses, routeviews/Renesys, traceroutes, whois, RADB/IRR, RIRs, reverse DNS etc. Adding this "stack" allows for other aspects of local policy to be marked into the path, including markers suitable for preventing route leaks. It also means that non-transitive values can magically become pseudo-transitive, presuming the cruft that permits constructing local policy can be made to understand the association between AS-path hops and the captured policy at those hops. (This is a feature, not a bug.) The signatures make it possible to reject changes to this stack of path-historical data. The data makes it possible to choose to use the originated values, the latest values, or anything in between, however one chooses. The requirements to continue adding to this stack ensures the next AS to which the prefix is sent, has the same opportunity to apply local policy. Add a dollop of 'transit/non-transit' at each hop (mandatory but arbitrary), and simple leak-blocking (nearly fool-proof, in fact) is possible to support. Brian
- [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Paul Hoffman
- Re: [sidr] BGPSEC Threat Model ID George, Wes
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID George, Wes
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Jen Linkova
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Sriram, Kotikalapudi
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Jakob Heitz
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Eric Osterweil
- Re: [sidr] BGPSEC Threat Model ID Randy Bush
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Shane Amante
- Re: [sidr] BGPSEC Threat Model ID Christopher Morrow
- Re: [sidr] BGPSEC Threat Model ID Geoff Huston
- Re: [sidr] BGPSEC Threat Model ID Jakob Heitz
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Russ White
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Brian Dickson
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Geoff Huston
- Re: [sidr] BGPSEC Threat Model ID Stephen Kent
- Re: [sidr] BGPSEC Threat Model ID Danny McPherson