IETF Logo Mail Archive

Re: [Sidrops] [routing-wg] misconceptions about ROV

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 22 February 2022 08:41 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA073A08AE for <sidrops@ietfa.amsl.com>; Tue, 22 Feb 2022 00:41:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ix7ZrB9kYgfa for <sidrops@ietfa.amsl.com>; Tue, 22 Feb 2022 00:41:45 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.126.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4473F3A13B7 for <sidrops@ietf.org>; Tue, 22 Feb 2022 00:41:44 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id A857566; Tue, 22 Feb 2022 08:41:40 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net []) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1645519299; bh=O6Pjlmlh8oakBssNbqRf1cQwe3tdJAHvcMBYCWFU8wo=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=Wo3a0y995rKIvjdzkl8bbYrXhgq3xbjwdlJlW7NSXjmHnGD5UEO6AIKb19yY3NoX8 ix2w5ycbcRIqodv7nk2uaGhCfqlLdGK0kqkf9aHs8F5gi8mBzzQWbqKQgePNgNpZKP to71Y8h2qaAdS6j410qcgQCSDY8Z4zWt8MB1YP1ygO0xdGa25LlMGxRNh7dsv/OVcy HqGxfuv4D/orWR0n5JUzThispf/oTi10gdUXA39x/66RT1yF+87z6h3uvIfdF5DBf+ HU4QhSmaej675C8O/7KCLrneT9/jNZeuLCCdYU9iCKSpr2MBv9eqeRw/hmujWB7L/J Bf2MmeNNRqMsg==
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.40.0.1.81\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <m28ru3ofyq.wl-randy@psg.com>
Date: Tue, 22 Feb 2022 09:41:36 +0100
Cc: Di Ma <madi@juicybun.cn>, SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3C18BA8C-FA34-4D24-96E4-F85644089513@nlnetlabs.nl>
References: <m2h78roqbp.wl-randy@psg.com> <7FBC2063-2404-4BF9-836E-210629C4BA63@juicybun.cn> <m28ru3ofyq.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/qGnv3vNvDxsEPRcveTif9kH31c8>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2022 08:41:51 -0000

Hi,

> On 22 Feb 2022, at 02:19, Randy Bush <randy@psg.com> wrote:
> 
> di:
> 
>> I don’t care the way we/they see ROV but the way we use it.
>> 
>> ROV is good as long as it can remedy accidental misconfigurations that
>> bring about routing security problem/catastrophe.
>> 
>> If someone doesn't think ROV is not a security mechanism from
>> cryptography perspective, I settle for that.
> 
> operationally, it is trivial to subvert/attack ROV; and that has
> nothing to do with the cryptography.  it's simple net ops.

Which is why I think it would be very good to re-double the WG efforts
on moving ASPA forward.

It was also suggested in the past few months that BGPSec should get
a new impulse by supporting it in the RIPE NCC hosted RPKI:
https://www.ripe.net/ripe/mail/archives/routing-wg/2021-September/004410.html

My responses in that thread were a bit skeptical to the point of being
misunderstood as obstruction to the idea. I am not against BGPSec itself.
Far from it. I just want to believe that it can work.

My issue was about how BGPSec can be implemented incrementally and 
scale *automatically*. I know of the idea that operators turn it on (and off?)
because they somehow know (out-of-band?) that it's safe to do so. But,
(1) I don't see this scale, (2) this can result in outages if operators get
it wrong (path invalid), and (3) I don't see this work cross-transit - 
which is probably where the problem of spoofed origin attacks is worse.

In my view, this comes from the property that BGPSec validated paths can
only be valid or invalid. There is no 'unknown' - because in a nutshell
then adversaries could do a simple downgrade attack.

All that said, if we could have a constructive discussion about solving
the BGPSec deployment challenges then I would welcome it very much. Perhaps,
it would be possible to signal (with signed objects in the RPKI) when
BGPSec is applicable - and when a downgrade has happened.. somehow? No, I
don't have the answer but we may want to put our minds together.

Tim

> 
> randy
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.8.7 | Report a Bug | By Email