IETF Logo Mail Archive

Re: [Sidrops] [routing-wg] misconceptions about ROV

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 22 February 2022 21:38 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12E453A082D for <sidrops@ietfa.amsl.com>; Tue, 22 Feb 2022 13:38:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qSrxE50wJ7zP for <sidrops@ietfa.amsl.com>; Tue, 22 Feb 2022 13:38:25 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC7053A00C3 for <sidrops@ietf.org>; Tue, 22 Feb 2022 13:37:52 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 9AB83809; Tue, 22 Feb 2022 21:37:48 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net []) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1645565867; bh=UtDAuIgeV5DL9M+nBF08sSJ5FMq5jE6yAgjcKw1pCLk=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=xkMVEI0+0LBeEMSZbxbbqi3i0cEAeNwIe1GOyhGu0Q+nuKOrHZq4su8y78QwM/i6g DOtbQ2VLFWo9H954k1q9S011JggOszWoHuFMBAFwMXM42iPvUOYlILMBghH7Qq2bGu IPo81ixq5bCRfGZGapU88D+4e9wGmdWmSRgTwLiFFgooiQFkkB87WzB1brVYxeFfxR fdW2KiEDwr9xImhlOBZe+dFvcDiF33Nd+uACkT/Wa3+7peVUYflglTNVkJvTNroBFQ PljFL1ti2w3/B2h9wLKrOOOJZkex6vhfwAiZ4UeRDETprTDSVWaz5afHacoorF3E7A nc6zxahYcCMjg==
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.40.0.1.81\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <949277FD-27AF-40E8-B557-AA58C62BFEA7@apnic.net>
Date: Tue, 22 Feb 2022 22:37:43 +0100
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E16290C1-77ED-4CB1-8712-F6163304ED45@nlnetlabs.nl>
References: <m2h78roqbp.wl-randy@psg.com> <7FBC2063-2404-4BF9-836E-210629C4BA63@juicybun.cn> <m28ru3ofyq.wl-randy@psg.com> <3C18BA8C-FA34-4D24-96E4-F85644089513@nlnetlabs.nl> <015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn> <DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl> <YhS/WR3czIP3jNLF@snel> <ABE3FA29-6C9D-492B-A72A-68C20176E76D@nlnetlabs.nl> <949277FD-27AF-40E8-B557-AA58C62BFEA7@apnic.net>
To: Geoff Huston <gih@apnic.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/T9hV4hbGJ7yncArJh9PvO0APh_Y>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2022 21:38:31 -0000


> On 22 Feb 2022, at 20:13, Geoff Huston <gih@apnic.net> wrote:
> 
> 
>>> 
>>> Are there any scenarios in which one would want to accept BGPsec invalid
>>> paths? Similarly, RP implementations discard malformed ROAs, network
>>> operators reject RPKI ROV-invalid BGP updates.
>> 
>> Currently you need to accept BGPSec invalid path on any path where
>> at least one ASN does NOT participate in BGPSec. Applying BGPSec path
>> validation is only safe when you know that ALL ASNs on the path
>> participate.
> 
> 
> I can’t parse these two sentences Tim. They seem to contradict each other
> when I read em. The AS signing chain is stripped as soon as an update leaves the
> original BGPSEC “island”. I thought that an AS can’t just restart the signing chain
> subsequently.

Let me try to be more clear then. I am not trying to suggest the signing
chain is restarted.

BGPSec path validation procedure results in one of two states: 'Valid' and
'Not Valid'. (section 5.1 of 8205).

A BGPSec path as a whole can only be 'Valid' if all signatures are present,
and they are all valid.

The absence of any signature, whether it's because the update left a
capable island, or an adversary removed signatures, results in 'Not Valid'.

Rejecting 'Not Valid' is therefore only safe on known islands.

Outside of these islands all paths are BGPSec 'Not Valid'. Therefore
validation cannot be enabled outside of known islands. You would accept
'Not Valid' outside of islands, even though you are not checking that state
in that context. Sorry if that was cryptic.


>>> If people perceive risk: don't enable BGPsec, let others be the early
>>> adaptors. It is early days, lots of software still has to be written,
>>> lots of testing is required.
>> 
>> What I am hoping for, essentially, is that a partial deployment model
>> would be more feasible where people are not expected to form islands,
>> which merge, without specifying how those islands form or merge.
> 
> This desire seems rather inexplicable to me, in that if one allows routes where
> the AS signing chain is broken then it could be broken becuase of
> tampering or other malicious acts as much as they are broken for more
> benign reasons. How would the BGP speaker receiving the route tell the 
> difference? And if it can’t, then it seems to me that there is no point in
> adding this additional workload to update processing if in fact it is
> incapable of detecting tampered AS Paths.

Although I used the terms 'not found' and 'unknown' somewhat loosely
elsewhere I did not mean to say that broken chains should be acceptable.

One take on this could be that routers can know whether a path consists
of only "participating" ASNs and then treat it as an "island" automatically
without the need to be manually enabled. Such automation could allow
operators to opt-in to validation for parties that they don't have a direct
relationship with - e.g. cross transit.

If the "island" decision can be automated then stripping of signatures
on them could be interpreted as malicious.

This limits path spoofing option to non-participating ASNs. This will
be harder to do as more ASNs participate in BGPSec *and* ASPA validation
(if deployed) will further limit the adjacency options. This also enables
ASNs to protect themselves in two (orthogonal) ways - giving them
immediate benefits to deploy.

Of course the above could only ever work if the router can know that
an ASN "participates". The presence of a router certificate for the
ASN could give a clue - but I am not sure that it is enough. Is creating
such a router certificate a valid pledge? If it is, then that means
much less standards work would be needed.

If it isn't then a separate signed statement by the ASN that they
will do BGPSec whenever they get a signed path could help. This could
be done using a new RPKI signed object type, or by way of an extension
in the existing BGPSec router certificate perhaps. But this would also
require a new RPKI-RTR version as well.


Tim


> 
> Geoff
> 
> 
>

v2.8.7 | Report a Bug | By Email