[sidr] looking at repository withholding attacks.
Terry Manderson <terry.manderson@icann.org> Wed, 20 July 2011 05:44 UTC
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43C3121F8997 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 22:44:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.554
X-Spam-Level:
X-Spam-Status: No, score=-106.554 tagged_above=-999 required=5 tests=[AWL=0.045, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eb8zMIJTCOgk for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 22:44:28 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 493B021F891D for <sidr@ietf.org>; Tue, 19 Jul 2011 22:44:28 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Tue, 19 Jul 2011 22:44:27 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: sidr wg list <sidr@ietf.org>
Date: Tue, 19 Jul 2011 22:44:24 -0700
Thread-Topic: looking at repository withholding attacks.
Thread-Index: AcxGoBSGCiEVldVipkKuLsF2nNGAgA==
Message-ID: <CA4CA858.17FE2%terry.manderson@icann.org>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [sidr] looking at repository withholding attacks.
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 05:44:32 -0000
All, So it seems that the RPKI repository as it stands has the notion of a mandatory entry in the resource certificate pointing to a manifest. The existence of the manifest is intended, but doesn't seem to be mandated, that is the absence of a manifest is left to the relying party make a decision on the use of the objects remaining at the publication point (Section 6.2: all objects SHOULD be considered suspect but may be used). So thinking about this further, and using the example from sidr-usecases. '5.2. Only Some Children Participate in RPKI' The resulting ROAs issued are: Org A. +----------------------------------------------+ | asID | address | maxLength | +----------------------------------------------+ | 64496 | 10.1.0.0/16 | 20 | +----------------------------------------------+ Org A issues for Org B. +----------------------------------------------+ | asID | address | maxLength | +----------------------------------------------+ | 64511 | 10.1.16.0/20 | 20 | +----------------------------------------------+ Org C. +----------------------------------------------+ | asID | address | maxLength | +----------------------------------------------+ | 65535 | 10.1.32.0/20 | 20 | +----------------------------------------------+ I think it's sane to assume that the Org A RPKI objects are placed on the same repository server at the same publication point. Lets pretend that either the repository is compromised or a MiTM event occurs which removes the existence of the manifest at the publication point and the ROA issued by org A for org B (the second one): Org A issues for Org B. +----------------------------------------------+ | asID | address | maxLength | +----------------------------------------------+ | 64511 | 10.1.16.0/20 | 20 | +----------------------------------------------+ As I read the existing drafts, a relying party MAY still use the other objects. Further my reading suggests that the route corresponding to this object will then be considered invalid (roa-validation and pfx-validate) meaning that this is a targeted DoS attack on Org B which will succeed for all relying parties affected. Eg resulting in BGP_PFXV_STATE_INVALID. Am I correct in this interpretation, and if not. why? What have I missed? Why is this not a potential attack on org B? Considering also that there are quite a number of real world 'sub-suballocated' (provider assigned if you like) prefix originations. (See http://stats.research.icann.org/bgp/cidr-map/origin-map.bgp.20110605.1800.ht ml, please excuse the currency of the data, I had a cron issue and I just noticed it) I concede that this is an unintended state, but I find the possibility of this being played out somewhat concerning as it seems possible to still use remaining objects from a very suspicious repository point. I'm actually hoping that I have misinterpreted something and such an attack is not possible. Cheers Terry
- [sidr] looking at repository withholding attacks. Terry Manderson
- Re: [sidr] looking at repository withholding atta… Stephen Kent
- Re: [sidr] looking at repository withholding atta… Sandra Murphy
- Re: [sidr] looking at repository withholding atta… Terry Manderson
- Re: [sidr] looking at repository withholding atta… Randy Bush
- Re: [sidr] looking at repository withholding atta… Terry Manderson
- Re: [sidr] looking at repository withholding atta… Randy Bush
- Re: [sidr] looking at repository withholding atta… Terry Manderson
- Re: [sidr] looking at repository withholding atta… Andrew Chi
- Re: [sidr] looking at repository withholding atta… Terry Manderson