Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protocol-05
Randy Bush <randy@psg.com> Mon, 24 September 2012 04:59 UTC
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFFD021F8555 for <sidr@ietfa.amsl.com>; Sun, 23 Sep 2012 21:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HPR0tVoSUUuc for <sidr@ietfa.amsl.com>; Sun, 23 Sep 2012 21:59:37 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 467C721F8493 for <sidr@ietf.org>; Sun, 23 Sep 2012 21:59:36 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.80 (FreeBSD)) (envelope-from <randy@psg.com>) id 1TG0lW-0007zc-TG; Mon, 24 Sep 2012 04:59:34 +0000
Date: Mon, 24 Sep 2012 06:59:29 +0200
Message-ID: <m2vcf4c8y6.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Sandy Murphy <sandy@sparta.com>
In-Reply-To: <2671C6CDFBB59E47B64C10B3E0BD59235EFAAF6F@PRVPEXVS15.corp.twcable.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F706AF@CMA-MB003.columbia.ads.sparta.com> <2671C6CDFBB59E47B64C10B3E0BD59235EFAAF6F@PRVPEXVS15.corp.twcable.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Cc: sidr wg <sidr@ietf.org>
Subject: Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protocol-05
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 04:59:40 -0000
my apologies for the bald and boring ascii text. if you wish i can put it in word perfect or pdf. :) </in joke> the document seems to have lost that Router Certificates for key sets may be per router, not just per AS. see section 3.1.1.1 (sic), Subject, of draft-ietf-sidr-bgpsec-pki-profiles. as an AS may have hundreds of BGPSEC speaking edge routers, you don't want to have to search the whole bag of Router Certificates for an AS to find the cert/key that verifies a particular signature. and you can not just use the router-id of the peer AS received in the bgp open, as you will also need the router-ids of the signers further down the path. the document repeaytedly refers to EE Certs etc. where it should simply reference BGPsec Router Certificates as described in Section 3.1 of [I-D.ietf-sidr-bgpsec-pki-profiles] in general, i think the wording is redundant and unnecessarily complex in many places. but that is probably as much my disease than the editor's. --- Abstract This document describes BGPSEC, an extension to the Border Gateway Protocol (BGP) that provides security for the AS-PATH attribute in BGP update messages. uh, the bgp attribute is AS_PATH, note the underbar and since it removes the AS_PATH attribute, it does not really secure it. in general, i think the nomenclature needs tightening, and it needs a clear phrase for the ASs through which the announcement has been routed. -- Requirements Language fwiw, recently i have been using more specific language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 [RFC2119] only when they appear in all upper case. They may also appear in lower or mixed case as English words, without normative meaning. -- 1. Introduction 2. Every AS listed in the AS_Path attribute of the update explicitly authorized the advertisement of the route to the subsequent AS in the AS_Path. ain't no as_path attribute in a bgpsec update. it seems to be the bgpsec_path_signatures attribute. btw, why not just bgpsec_path? or more formally BGPSEC_PATH -- This document specifies a new optional (non-transitive) BGP path why is "non-transitive" in parens? -- the documents referenced therein.) Any BGPSEC speaker who wishes to send BGP update messages to external peers (eBGP) containing the BGPSEC_Path_Signatures scrambled. the external peers do not contain the BGPSEC_Path_Signatures -- must have an RPKI end-entity certificate (as well as the associated private signing key) corresponding to the BGPSEC speaker's AS number. i think you want to refer to BGPsec Router Certificates as described in Section 3.1 of [I-D.ietf-sidr-bgpsec-pki-profiles] -- 2. BGPSEC Negotiation This document defines a new BGP capability [4]that allows a BGP speaker to advertise to its neighbors the ability to send and/or it advertises to *a* neighbor -- 0 1 2 3 4 5 6 7 +---------------------------------------+ | Send | Receive | Reserved | Version | +---------------------------------------+ | AFI | +---------------------------------------+ | | +---------------------------------------+ | Reserved | +---------------------------------------+ | SAFI | +---------------------------------------+ remove the middle part of the line between AFI and the following octet. e.g. +---------------------------------------+ | | +---- AFI --------+ | | +---------------------------------------+ -- The high order bit (bit 0) of the first octet is set to 1 to indicate that the sender is able to send BGPSEC update messages, and is set to zero otherwise. The next highest order bit (bit 1) of this octet is set to 1 to indicate that the sender is able to receive BGPSEC update messages, and is set to zero otherwise. this leaves open that both may be zero -- The BGPSEC_Path_Signatures algorithm carries the secured AS Path information, including the digital signatures that protect this AS "algorithm?" attribute, i suspect -- BGPSEC_Path_Signatures attribute replaces the AS_PATH attribute, in a BGPSEC update message. That is, update messages that contain the BGPSEC_Path_Signatures attribute MUST NOT contain the AS_PATH attribute. and vice versa -- BGPSEC_Path_Signatures Attribute +-------------------------------------------------------+ | Secure_Path (variable) | +-------------------------------------------------------+ | Additional_Info (variable) | +-------------------------------------------------------+ | Sequence of one or two Signature_Blocks (variable) | +-------------------------------------------------------+ The Secure_Path contains AS Path information for the BGPSEC update "Path" should probably be lower case to avoid confusion -- message. This is logically equivalent to the information that would be contained in the AS_PATH attribute. s/would be contained in the/is contained in a non-BGPSEC/ -- The path information is used by BGPSEC speakers in the same way that information from the AS_PATH is used by non- BGPSEC speakers. s/path information/Secure_Path/ -- suite. Each of the Signature_Blocks will contain a signature segment for each AS number (i.e, secure path segment) in the Secure_Path. s/each/one/ -- However, in order to enable a transition from an old algorithm suite to a new algorithm suite without a flag day -- The Secure_Path Length contains the length (in octets) of the variable-length sequence of Secure_Path Segments. As explained below, each Secure_Path segment is six octets long. Note that this means the Secure_Path Length is six times the number Secure_Path Segments (i.e., the number of AS numbers in the path). imiho, L in TLV includes itself so that you can just skip over that many octets. i.e. it would be 2 x segments + 2. this occurs throughout. -- The Secure_Path contains one Secure_Path segment for each (distinct) capitalize Segment -- Autonomous System in the path to the NLRI specified in the update message. in the path to the origiating AS of the NLRI -- Secure_Path Segment +----------------------------+ | AS Number (4 octets) | +----------------------------+ | pCount (1 octet) | +----------------------------+ | Flags (1 octet) | +----------------------------+ you are going to need the Router-ID of the signing router so that the verifier knows which BGPsec Router Certificate to choose. -- The pCount field contains the number of repetitions of the associated autonomous system number that the signature covers. This field enables a BGPSEC speaker to mimic the semantics of adding multiple s/adding/prepending/ -- The remaining seven bits of the Flags field are reserved for future use. These bits MUST be set to zero by the sender. The receiver uses the entire Flags octet to verify the digital signature (regardless of what value the reserved bits contain) The remaining seven bits of the Flags MUST be set to zero by the sender, and the signature is computed over all seven bits of the Flags. -- Signature Segments +---------------------------------------------+ | Subject Key Identifier (20 octets) | +---------------------------------------------+ | Signature Length (2 octets) | +---------------------------------------------+ | Signature (variable) | +---------------------------------------------+ The Subject Key Identifier contains the value in the Subject Key Identifier extension of the RPKI end-entity certificate again. please refer to BGPsec Router Certificates as described in Section 3.1 of [I-D.ietf-sidr-bgpsec-pki-profiles] -- 4. Generating a BGPSEC Update Note that in order to create or add a new signature to a BGPSEC update message with a given algorithm suite, the BGPSEC speaker must possess a private key suitable for generating signatures for this algorithm suite. Additionally, this private key must correspond to the public key in a valid Resource PKI end-entity certificate whose AS number resource extension includes the BGPSEC speaker's AS number [11]. you do not mention that it could be a per-router-id key set. -- 4.1. Originating a New BGPSEC Update The pCount field of the Secure_Path Segment is typically set to the value 1. However, a BGPSEC speaker may set the pCount field to a value greater than 1. Setting the pCount field to a value greater than one has the same semantics as repeating an AS number multiple times in the AS_PATH of a non-BGPSEC update message (e.g., for traffic engineering purposes). Setting the pCount field to a value greater than one permits this repetition without requiring a separate digital signature for each repetition. it may be zero in certain special circumstances, see section 42.666 -- o Construct a sequence of octets by concatenating the Target AS Number, the Secure_Path (Origin AS, pCount, and Flags), the ^ Router-ID -- 4.2. Propagating a Route Advertisement If a BGPSEC router has received only non-BGPSEC update messages (without the BGPSEC_Path_Signatures attribute), containing the AS_Path attribute, from a peer for a given prefix s/messages/message/ -- Note that removing BGPSEC signatures (i.e., propagating a route advertisement without the BGPSEC_Path_Signatures attribute) has significant security ramifications. (See Section 7 for discussion of the security ramifications of removing BGPSEC signatures.) Therefore, when a route advertisement is received via a BGPSEC update message, propagating the route advertisement without the BGPSEC_Path_Signatures attribute is NOT RECOMMENDED. unless the peer to which the BGPSEC speaker is sending did not signal the ability to receive BGPSEC in the capability negotiation. if this is the case, see section 42.666 for converting to AS_PATH. -- If the BGPSEC speaker is not a member of an autonomous system confederation [3], then the Flags field of the Secure_Path Segment MUST be set to zero. it might be prudent to not talk about the whole flags field, as we do not know what exciting future may lie before it. just talk about the Confed_Segment flag. -- If the received BGPSEC update message contains two Signature_ Blocks and the BGPSEC speaker supports both of the corresponding algorithms suites, then the new update message generated by the BGPSEC speaker SHOULD include both of the Signature_Blocks. If the received BGPSEC update message contains two Signature_Blocks and the BGPSEC speaker only supports one of the two corresponding algorithm suites, then the BGPSEC speaker MUST remove the Signature_Block corresponding to the algorithm suite that it does not understand. If the BGPSEC speaker does not support the algorithm suites in any of the Signature_Blocks contained in the received update message, then the BGPSEC speaker MUST NOT propagate the route advertisement with the BGPSEC_Path_Signatures attribute (i.e., propagate it as an unsigned BGP update message). explain why. the speaker can not add its info to a sig block for which it does not understand the alg. and there can not be a gap in the sig block. -- 4.3. Processing Instructions for Confederation Members o First, starting with the least recently added Secure_Path segments, remove all of the consecutive Secure_Path segments that have the Confed_Segment flag set to one. s/least/most/ -- 4.4. Reconstructing the AS_PATH Attribute 2. If the Confed_Segment flag in the Secure_Path segment is set to zero, then look at the most-recently added segment in the AS_PATH. * In the case where the AS_PATH is empty then add (prepend to the AS_PATH) a new AS_PATH segment of type AS_SEQUENCE. In the case where the AS_PATH is empty and pcount is greater than zero, ... -- 5. Processing a Received BGPSEC Update Upon receiving a BGPSEC update message from an external (eBGP) peer, a BGPSEC speaker SHOULD validate the message to determine the authenticity of the AS PATH information contained in the BGPSEC_Path_Signatures attribute. AS PATH is confusing. maybe Upon receiving a BGPSEC update message from an external (eBGP) peer, a BGPSEC speaker SHOULD validate the message to determine the authenticity of the data covered by the BGPSEC_Path_Signatures attribute. -- However, in practice, it is expected that most implementations will not actually run the algorithm from Section 4.4, and will instead transform the BGPSEC_Path_Signatures attribute directly into some internal representation of AS path. how about just saying that it will behave the same, and do not say it actually has to transform it in any way? -- With regards to the processing of duplicate update messages, if the first update message is valid, then an implementation SHOULD NOT run the validation procedure on the second, duplicate update message (even if the bits of the signature field are different). If the first update message is not valid, then an implementation SHOULD run the validation procedure on the second duplicate update message (as the signatures in the second update may be valid even though the first contained a signature that was invalid). in the very next section, you use the words "Good" and "Not Good." there is a consistency problem, and not just here. -- 5.1. Overview of BGPSEC Validation Validation of a BGPSEC update messages makes use of data from RPKI certificates and signed Route Origination Authorizations (ROA). In particular, to validate update messages containing the BGPSEC_Path_Signatures attribute, it is necessary that the recipient have access to the following data obtained from valid RPKI certificates and ROAs: o For each valid RPKI end-entity certificate containing an AS Number extension, the AS Number, Public Key and Subject Key Identifier are required, and router-id -- o For each valid ROA, the AS Number and the list of IP address prefixes. what is a 'valid' roa? -- Note that the BGPSEC speaker could perform the validation of RPKI certificates and ROAs on its own and extract the required data, or it could receive the same data from a trusted cache that performs RPKI validation on behalf of (some set of) BGPSEC speakers. (The latter case in analogous to the use of the RPKI-RTR protocol [13] for origin validation.) draft-ymbk-rpki-rtr-keys is soon to describe a new rpki-rtr pdu to handle the per-as and per-router keys -- It is expected that the output of the validation procedure will be used as an input to BGP route selection. However, BGP route selection and thus the handling of the two validation states is a matter of local policy, and shall be handled using existing local policy mechanisms. s/existing// i.e. a vendor could create a new testable attribute bgpsec-state. -- It is expected that BGP peers will generally prefer routes received via 'Good' BGPSEC update messages over routes received via 'Not Good' BGPSEC update messages as well as routes received via update messages that do not contain the BGPSEC_Path_Signatures attribute. However, BGPSEC specifies no changes to the BGP decision process and leaves to the operator the selection of an appropriate policy mechanism to achieve the operator's desired results within the BGP decision process. someone should write a draft something like draft-ietf-sidr-bgpsec-ops -- BGPSEC validation needs only be performed at eBGP edge. The validation status of a BGP signed/unsigned update MAY be conveyed via iBGP from an ingress edge router to an egress edge router. how? where are the bits to carry validation state? -- Local policy in the AS determines the specific means for conveying the validation status through various pre-existing mechanisms (e.g., modifying an attribute). imiho, this document should not get into all the lovely things local policy might do unless it is required for bgpsec, and nothing should be in that set. -- As discussed in Section 4, when a BGPSEC speaker chooses to forward a (syntactically correct) BGPSEC update message, it SHOULD be forwarded with its BGPSEC_Path_Signatures attribute intact (regardless of the validation state of the update message). no. not when the speaker does not understand one of the algorithms. -- Based entirely on local policy settings, an egress router MAY trust the validation status conveyed by an ingress router or it MAY perform its own validation. or it can just sign it and not test anything at all. this does not need to be said -- 5.2. Validation Algorithm 3. Check that the update message does not contain both a BGPSEC_Path_Signatures attribute and an AS_PATH attribute. this sentence implies bgpsec validation could happen on an update with only as_path. you want to simply say no as_path is allowed. -- If there are two Signature_Blocks within the BGPSEC_Path_Signatures attribute and one of them is poorly formed (or contains the wrong number of Signature segments) , then the recipient should log that an error occurred s/log/inform the operator/ i.e. it could snmp trap etc -- strip off that particular Signature_Block and process the update message as though it arrived with a single Signature_Block. If the BGPSEC_Path_Signatures attribute contains an error that is not local to one of two Signature_Blocks, then the recipient should log that an error occurred s/log/inform the operator/ -- message containing the error. (In particular, if any of checks 3-5 above fail, the recipient should log that an error occurred and drop the update message containing the error.) s/log/inform the operator/ -- o (Step II): Compute the digest function (for the given algorithm suite) on the appropriate data. If the segment is not the (least recently added) segment corresponding to the origin AS, then the digest function should be computed on the following sequence of octets: Sequence of Octets to be Hashed +-------------------------------------------+ | AS Number of Target AS (4 octets) | +-------------------------------------------+ | AS Number (4 octets) | ---\ +-------------------------------------------+ \ | pCount (1 octet) | > Secure_Path +-------------------------------------------+ / | Flags (1 octet) | ---/ +-------------------------------------------+ | Sig Field in the Next Segment (variable) | +-------------- ----------------------------+ ^ did the router-id fall through that little hole? :) -- 7. Security Considerations o The origin AS number corresponds to an autonomous system that has been authorized by the IP address space holder to originate route ^ in the RPKI advertisements for the given prefix. o For each AS number in the AS Path, a BGPSEC speaker authorized by in the RPKI ^ the holder of the AS number intentionally chose (in accordance with local policy) to propagate the route advertisement to the next AS in the Secure_Path. -- That is, the recipient of a valid BGPSEC Update message is assured that the Secure_Path corresponds to a sequence of autonomous systems who have all agreed in principle to forward packets to the given prefix along the indicated path. we do not know what the bgp announcement is signaling. while willingness to forward has been the classic, idr is declaring bgp to be a competitor to the dns for arbitrary signaling. -- (It should be noted that BGPSEC does not offer a precise guarantee that the data packets would propagate along the indicated path; it only guarantees that the BGP update conveying the path indeed propagated along the indicated path.) this is more like it -- Therefore, it is important to note that when a BGPSEC speaker signs an outgoing update message, it is not attesting to a belief that all signatures prior to its are valid. Instead it is merely asserting that: o The BGPSEC speaker received the given route advertisement with the indicated NLRI and Secure_Path; and o The BGPSEC speaker chose to propagate an advertisement for this route to the peer (implicitly) indicated by the 'Target AS' and that it is capable of that particular algorithm suite (trivial) -- Finally, BGPSEC does not provide protection against all attacks at the transport layer. s/all// -- EDITOR'S NOTE: Do we want to mandate a specific transport security mechanism (e.g., TCP-AO)? slippery slope. -- Samuel Weiler Cobham sparta again -30-
- [sidr] WGLC for draft-ietf-sidr-bgpsec-protocol-05 Murphy, Sandra
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… George, Wes
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Murphy, Sandra
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… George, Wes
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Danny McPherson
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Sean Turner
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Danny McPherson
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Christopher Morrow
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Murphy, Sandra
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Christopher Morrow
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Randy Bush
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Christopher Morrow
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Christopher Morrow
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Osterweil, Eric
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Randy Bush
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Danny McPherson
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Danny McPherson
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Randy Bush
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Rob Austein
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Rob Austein
- Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protoc… Stephen Kent