Re: [sidr] New version : draft-ietf-sidr-bgpsec-protocol-10
Matthew Lepinski <mlepinski.ietf@gmail.com> Mon, 12 January 2015 19:59 UTC
Return-Path: <mlepinski.ietf@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C1D81ACDB1 for <sidr@ietfa.amsl.com>; Mon, 12 Jan 2015 11:59:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0FbLXyLkFIRg for <sidr@ietfa.amsl.com>; Mon, 12 Jan 2015 11:59:16 -0800 (PST)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F39D1ACD43 for <sidr@ietf.org>; Mon, 12 Jan 2015 11:59:15 -0800 (PST)
Received: by mail-lb0-f178.google.com with SMTP id u14so19441569lbd.9 for <sidr@ietf.org>; Mon, 12 Jan 2015 11:59:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=yllsB/RYWFeT7WsgtXllK8OwEEcEGZ0s2UXuv5ESPH0=; b=pvd9ukpBgvPTQiwK7sc/6NDsLZfOdnxruakSTchDGw3iWNVXrxnXRRMld0nb6/VQ8+ ImKJzuhrk467oGWlvkBAqLkLAWm0EVJmkdXuuTpJK2u1VKIWVxr4LLfwemCDAc8bFHYE D0ioruVbugRZBaP3auKwSfYQrMq/9jpnIC1N4hZHGHVubdPe7VrB0iaFq+ggUo7B8eNv 2DHHZME8a1RgaItqnxqW5KP/bkGYNGMCszXCPoXi4xhcE044/Rk1cnk64OA1/7yRZPKp KCAlM7lVfJ1mih1lyiPsZPScUxFedzmMUthKPgMYlDugBC23mK3pEP8ITag8qEX66R1r OWaQ==
MIME-Version: 1.0
X-Received: by 10.152.115.172 with SMTP id jp12mr38515637lab.33.1421092753844; Mon, 12 Jan 2015 11:59:13 -0800 (PST)
Received: by 10.25.17.196 with HTTP; Mon, 12 Jan 2015 11:59:13 -0800 (PST)
In-Reply-To: <CAL9jLaZkj+1Fg1u-21FgE0WGY5f6bM07BzbQH2mxAmXFAL3A7w@mail.gmail.com>
References: <CANTg3aDtmrF3yBpnHchBa4d8h0xiybZmCg-_6jZci1cVLBsk9w@mail.gmail.com> <D08BD518.36828%wesley.george@twcable.com> <m2a93qjtoq.wl%randy@psg.com> <D08F7B2A.37A3F%wesley.george@twcable.com> <54738878.5030101@bbn.com> <68EFACB32CF4464298EA2779B058889D24C2C7BA@PDDCWMBXEX503.ctl.intranet> <CAL9jLaZkj+1Fg1u-21FgE0WGY5f6bM07BzbQH2mxAmXFAL3A7w@mail.gmail.com>
Date: Mon, 12 Jan 2015 14:59:13 -0500
Message-ID: <CANTg3aDfC9HU61GZBTyoOXYeM3SYy7SFKQ1sxeLGxmgq4ch=2w@mail.gmail.com>
From: Matthew Lepinski <mlepinski.ietf@gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c3547ec93120050c79f0a4"
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/y9jrvFTnmpSQEhqfmz3cpmAm4Ek>
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] New version : draft-ietf-sidr-bgpsec-protocol-10
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jan 2015 19:59:19 -0000
Chris, You are correct that was the thinking that went into Section 7.3. That is, Section 7.3 focuses on mitigating any new denial of service possibilities that are introduced by the BGPsec extensions to BGP. I am happy to make this more clear in the text. - Matt Lepinski On Mon, Jan 12, 2015 at 1:25 PM, Christopher Morrow <morrowc.lists@gmail.com > wrote: > On Mon, Nov 24, 2014 at 3:08 PM, Smith, Donald > <Donald.Smith@centurylink.com> wrote: > > Wouldn't GTSM and tcp-ao help with DOS attacks? > > > > I think this was focused only on the uplift to bgp that bgpsec is > supposed to be, so the assumption was/is that you'd already be doing > 'bgp best practices'. > > (authors are free to correct me, as always) > -chris > > > I would recommend they be put in in the paragraph below. > > > > 7.3 Mitigation of Denial of Service Attacks > > > > BGPSEC speakers > > should implement an update validation algorithm that performs > > expensive checks (e.g., signature verification) after performing less > > expensive checks (e.g., syntax checks). The validation algorithm > > specified in Section 5.2 was chosen so as to perform checks which are > > likely to be expensive after checks that are likely to be > > inexpensive. > > > > > > > > https://tools.ietf.org/html/rfc5082 > > > > > > > > https://tools.ietf.org/html/rfc5925 > > > > > > > > As examples or recommendations for the "less expensive" checks. > > > > > > > > In fact it should be GTSM, tcp-ao THEN bgpsec validation. > > > > > > > > > > > > > > > > (coffee != sleep) & (!coffee == sleep) > > Donald.Smith@centurylink.com > > ________________________________ > > From: sidr [sidr-bounces@ietf.org] on behalf of Stephen Kent [ > kent@bbn.com] > > Sent: Monday, November 24, 2014 12:35 PM > > To: sidr@ietf.org > > Subject: Re: [sidr] New version : draft-ietf-sidr-bgpsec-protocol-10 > > > > Wes, > > > > To first order I agree with your concern of this DoS vulnerability, > > but with some minor clarifications. > > > > 1. BGPsec-signed updates are sent only between ASes that agree to > > send and receive (separate choices) this signed data. So, an > > attack of this sort is perpetrated only against an immediate neighbor > > that agrees to accept BGPsec traffic from you. You cannot send > > a BGPsec route to an arbitrary AS that it not configured for you > > as a neighbor. > > > > 2. As you noted, an AS can generate a path only for ASes that it > > holds, and thus, for which it holds private keys. So, a long path > > of the sort you describe is directly traceable to the resources holder, > > creating a "smoking gun" effect, for forensic purposes. > > > > If we can agree on a max path length, based on real world data, and > > RECOMMEND that routers enforce this limit, we can mitigate the > > ability of an AS to Dos it's neighbor (and others). That, combined with > > the ability to identify who added all of the questionable AS entries, > > might provide a deterrent to this behavior. > > > > Still, even with a max path length, there is the potential to add just a > > few, > > unnecessary ASes to every signed route that traverses an evil AS, to add > to > > the burden of neighbors and those beyond. Given all the folks who track > > routing updates, this too will probably be noted by a bunch of folks, and > > because of the signatures, there will be no doubt about the source(s). > So, > > here too, that may prove to be a deterrent. > > > > I believe someone at the meeting observed that smart implementations will > > try to address this sort of concern by postponing BGPsec crypto > processing > > when resources get scarce. While I agree that this represents another > attack > > vector, the ability to identify the perpetrators may diminish the > attraction > > of this attack strategy. > > > > In any case, this is a good topic to address, perhaps in the BGPsec > > security considerations section, plus a separate document that suggests > > implementation notes. > > > > Steve > > > > _______________________________________________ > > sidr mailing list > > sidr@ietf.org > > https://www.ietf.org/mailman/listinfo/sidr > > This communication is the property of CenturyLink and may contain > > confidential or privileged information. Unauthorized use of this > > communication is strictly prohibited and may be unlawful. If you have > > received this communication in error, please immediately notify the > sender > > by reply e-mail and destroy all copies of the communication and any > > attachments. > > > > _______________________________________________ > > sidr mailing list > > sidr@ietf.org > > https://www.ietf.org/mailman/listinfo/sidr > > > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr >
- [sidr] New version : draft-ietf-sidr-bgpsec-proto… Matthew Lepinski
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… Sriram, Kotikalapudi
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… George, Wes
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… Randy Bush
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… Warren Kumari
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… George, Wes
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… Stephen Kent
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… Smith, Donald
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… Christopher Morrow
- Re: [sidr] New version : draft-ietf-sidr-bgpsec-p… Matthew Lepinski