IETF Logo Mail Archive

Re: [sidr] BGPSEC proposal to drop AS_PATH [was: Fwd: request for agenda items for interim meeting 6 Jun]

Jakob Heitz <jakob.heitz@ericsson.com> Wed, 30 May 2012 01:06 UTC

Return-Path: <jakob.heitz@ericsson.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51BD11E8127; Tue, 29 May 2012 18:06:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r5qunIY-Upin; Tue, 29 May 2012 18:06:02 -0700 (PDT)
Received: from imr3.ericy.com (imr3.ericy.com [198.24.6.13]) by ietfa.amsl.com (Postfix) with ESMTP id 549B121F8712; Tue, 29 May 2012 18:06:02 -0700 (PDT)
Received: from eusaamw0706.eamcs.ericsson.se ([147.117.20.31]) by imr3.ericy.com (8.13.8/8.13.8) with ESMTP id q4U161u5029472 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 29 May 2012 20:06:01 -0500
Received: from EUSAACMS0701.eamcs.ericsson.se ([169.254.1.31]) by eusaamw0706.eamcs.ericsson.se ([147.117.20.31]) with mapi; Tue, 29 May 2012 21:06:01 -0400
From: Jakob Heitz <jakob.heitz@ericsson.com>
To: Randy Bush <randy@psg.com>
Date: Tue, 29 May 2012 21:05:59 -0400
Thread-Topic: [sidr] BGPSEC proposal to drop AS_PATH [was: Fwd: request for agenda items for interim meeting 6 Jun]
Thread-Index: Ac09/nKS5R3/ljnoQHOQ4+4cJ6S2HAAAG7Fg
Message-ID: <7309FCBCAE981B43ABBE69B31C8D213921BFA66014@EUSAACMS0701.eamcs.ericsson.se>
References: <5BA9D6DE-BE0E-4922-9E09-7B85BD6F9342@juniper.net> <CE876529-6CDB-44ED-9184-CA73DFD2D048@juniper.net> <C37AE148-0873-4D9A-B1B2-1959A427435D@bgp.nu> <7309FCBCAE981B43ABBE69B31C8D213921BFA65FD8@EUSAACMS0701.eamcs.ericsson.se> <m2sjeise8s.wl%randy@psg.com> <7309FCBCAE981B43ABBE69B31C8D213921BFA66011@EUSAACMS0701.eamcs.ericsson.se> <m2likasd6y.wl%randy@psg.com>
In-Reply-To: <m2likasd6y.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: idr wg <idr@ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] BGPSEC proposal to drop AS_PATH [was: Fwd: request for agenda items for interim meeting 6 Jun]
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2012 01:06:03 -0000

On Tuesday, May 29, 2012 5:52 PM, Randy Bush <mailto:randy@psg.com> wrote:

>>> and here i thought that detecting that they differ, as an attack, is
>>> the core goal of as-path validation.
>> I thought it was to prevent an AS from announcing an update that it
>> was not authorised to.
> 
> nope.  that is rpki-based origin validation.  we are now talking about
> as-path validation.
> 
> from a note to some gov folk:
> 
> To be clear, as people keep calling BGP security 'RPKI'
> 
> In the current taxonomy, there are three pieces, the RPKI, RPKI-based
> origin validation, and then path validation.
> 
> RPKI is the X.509 based hierarchy with is congruent with the internet
> IP address allocation administration, the IANA, RIRS, ISPs, ...  It
> is the substrate on which the next two are based.  It is currently
> deployed in four of the five administrative regions, ARIN in North
> America being the sad and embarrassing exception.
> 
> RPKI-based origin validation uses some of the RPKI data to allow a
> router to verify that the autonomous system announcing an IP address
> prefix is in fact authorized to do so.  This is not crypto checked so
> can be violated.  But it prevents the vast majority of accidental
> 'hijackings' on the internet today, e.g. the famous Pakastani
> accidental announcement of YouTube's address space.  RPKI-based
> origin validation 
> is in shipping code from Cisco, and will be shipping by Juniper soon.
> 
> Path validation uses the full crypto information of the RPKI to make
> up for the embarrassing mistake that, like much of the internet BGP
> was designed with no thought to securing the BGP protocol itself from
> being gamed/violated.  It allows a receiver of a BGP announcement to
> formally cryptographically validate that the originating autonomous
> system was truely authorized to announce the IP address prefix, and
> that the 
> systems through which the announcement passed were indeed those which
> the sender/forwarder at each hop intended.
> 
> Sorry to drone on, but these three really need to be differentiated.
> 
> randy

Apology accepted.
Note, I said "announcing", not "originating".

Here is my view of the difference:

Origin validation does not stop anyone from announcing an update.
It only requires the first AS in that update to be the
owner of the prefix.

Path validation prevents anyone from announcing an update unless
it was sent to them by an authorised AS. And they are authorised,
because it was sent to them by an authorised AS and so on, back
to the authorised originator.

-- 
Jakob Heitz.

v2.23.0 | Report a Bug | By Email