IETF Logo Mail Archive

Re: [Sidrops] [routing-wg] misconceptions about ROV

Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 24 February 2022 09:16 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EF163A0D0F for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 01:16:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M93kOhfdW3oO for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 01:16:50 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 640353A0D75 for <sidrops@ietf.org>; Thu, 24 Feb 2022 01:16:48 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 8412D261; Thu, 24 Feb 2022 09:16:43 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net []) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1645694202; bh=tkIghFRKImeYDKfhFrmyIT22XxGILONu8R9ss1lU90U=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=Qu1ICKmxpLgZtH0ZlD+ATKcOpR9vm6Enq3NLsf21g9/7MKL6ojhDq44p2lZB720ws ahGJIvzU/TmBvOMf0JacU1p5/knhOVNY4LIMDD7RZ/ZnT3WNlCEhLN8OJ68pFAmUlp S0nYcS9f+qqlfVR021fQ+/wp+oFdo1fNYydguCPB5DhKFCDZOT8NT5kz7xnKFf9aB9 ndbI2UQ143hYxKBBfyVN+Tylq1Tf3iIUkE2Ly5VxVzcBC2BCAbHV7e/J+yWLV59sZ+ o4r+Us3HgQgedE/lMDD49lGeU8ZM2JASyixsJby5p/yuZlN64zdgmDMDvBWFoa4GDP UHF51VF7W61fw==
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.40.0.1.81\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <YhdCYjS+yDVsFgNF@snel>
Date: Thu, 24 Feb 2022 10:16:39 +0100
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <60B6D863-047D-40A6-80DD-95C05391A0BA@nlnetlabs.nl>
References: <015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn> <DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl> <YhS/WR3czIP3jNLF@snel> <ABE3FA29-6C9D-492B-A72A-68C20176E76D@nlnetlabs.nl> <949277FD-27AF-40E8-B557-AA58C62BFEA7@apnic.net> <E16290C1-77ED-4CB1-8712-F6163304ED45@nlnetlabs.nl> <m2k0dmmntj.wl-randy@psg.com> <6D314C7A-8CEC-4B9B-8F80-6B1AC48037E2@nlnetlabs.nl> <85D947F4-E2A4-4FFE-86AF-2D129C49FB9C@psg.com> <8413F0CA-F50A-42B7-B0DA-19A0A90ABE6F@nlnetlabs.nl> <YhdCYjS+yDVsFgNF@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/DcbDU25miO0Rcc9Hbd85kaDvDx0>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 09:16:56 -0000

Hello Job, others

> On 24 Feb 2022, at 09:31, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> Hello Tim, others,
> 
>> What I meant here by "accept... on islands" is that the operator would
>> have to know - somehow - where to enable BGPSec validation.
>> 
>> I believe that the idea was that this would be done on a BGP session
>> basis. E.g. providers would insist on BGPSec from customers, or peers
>> between each other etc.
> 
> "In order to indicate that a BGP speaker is willing to send BGPsec
> UPDATE messages (for a particular address family), a BGP speaker
> sends the BGPsec capability"
> source: https://datatracker.ietf.org/doc/html/rfc8205#section-2.2
> 
> Indeed, it is an operator choice whether to enable BGPsec or not, and it
> is choosen per-session. Luckily most large operators have automated the
> provisioning of BGP sessions.
> 
>> I wondered if (new) signed statements in the RPKI could be used to
>> conclude that ASNs have pledged to use BGP Sec when possible. I.e.
>> such ASNs would sign a path if they are the origin / or if the receive
>> a signed path.
>> 
>> The receiving router could then conclude that IFF all ASNs in a path
>> had made these signed statements - BGPSec validation on *that* path
>> could be performed. It would be an error if signatures were missing or
>> invalid.
>> 
>> This way operators would not have to enable this manually on a per
>> session basis, and because it would be based on signed validated
>> statements they could trust that it would be safe to apply for ASNs
>> who issued those statements - without the need to know these ASNs
>> first hand - e.g. across transit.
>> 
>> It would still allow for path spoofing and signature removal by
>> injecting an ASN that did not sign a statement that they would do
>> BGPSec. However, the options would become more limited as more ASNs
>> participate - and ASPA validation would further limit the available
>> choices.
>> 
>> As for how an ASN could sign such a statement.. one could overload
>> existing router certificates but I think that is probably a bad idea -
>> it could very well lead to timing issues when adopting. An alternative
>> could be to have a new separate signed object for this, which would
>> allow that BGPSec is tested first, before letting the world know.
>> 
>> Just an idea.. hoping it might help.
> 
> I am not sure it is helpful at this stage.
> 
> It seems you overlook some deployment aspects, for example: within a
> given Autonomous System (during the incremental deployment of BGPsec -
> which may take years) there will be ASBRs that support BGPsec and ASBRs
> that are unable to negotiate support for BGPsec. For example, it is
> entirely possible that at a given moment in time only half the
> adjacencies for 206238_15562$ are BGPsec capable, and half are not (yet).

Not at all - any adjacencies that are not BGPSec capable would not issue
any statement that they are capable. So stripping the signatures there
would be entirely expected.

I am talking about something else: signalling deployment beyond direct
sessions in order to enable detection of downgrade attacks. If router
can detect that the *entire* path is not only capable but also committed
to do BGPSec then removal of signatures can be flagged as an attack.

> See this posting for a similar story on RPKI ROV invalids:
> https://mailman.nanog.org/pipermail/nanog/2021-April/213346.html
> 
> Frankly speaking, wouldn't it make far more sense to implement the
> specifications AS SPECIFIED AND PEER-REVIEWED BY MANY PEOPLE,
> *before* advocating new object profiles?
> 
> Especially since the CA side of BGPsec is so straight-forward and
> simple to implement ... ?

There is no need to shout Job..

I was trying to have a discussion about a possible way to help
operational future deployment. This is in no way preventing the
development and deployment of current standards. And should the
idea be useful and accepted then of course it would be handled
as a WG document, be peer-reviewed etc.

I know - it's naive to think that that would be what the IETF
is for. Fine. I will stop here. Discussion once again seems
entirely pointless.

> 
> Regards,
> 
> Job
> 
> ps. Since you asked, here are required reading materials:
> 
> BGPsec Protocol Specification
> 	https://datatracker.ietf.org/doc/html/rfc8205
> 
> BGPsec Considerations for Autonomous System (AS) Migration
> 	https://datatracker.ietf.org/doc/html/rfc8206
> 
> BGPsec Operational Considerations
> 	https://datatracker.ietf.org/doc/html/rfc8207
> 
> BGPsec Algorithms, Key Formats, and Signature Formats
> 	https://datatracker.ietf.org/doc/html/rfc8208
> 
> BGPsec Design Choices and Summary of Supporting Discussions
> 	https://datatracker.ietf.org/doc/html/rfc8374
> 
> Router Keying for BGPsec
> 	https://datatracker.ietf.org/doc/html/rfc8635

Thank you Job - somehow I managed to find these documents myself.

I did not ask about these. I asked about the downgrade issue.
Randy was kind enough to answer.

Tim



> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.8.7 | Report a Bug | By Email