Re: [Sidrops] [routing-wg] misconceptions about ROV

Randy Bush <randy@psg.com> Wed, 23 February 2022 12:27 UTC

Return-Path: <randy@psg.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CE373A0C92 for <sidrops@ietfa.amsl.com>; Wed, 23 Feb 2022 04:27:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HlhV64y14YOQ for <sidrops@ietfa.amsl.com>; Wed, 23 Feb 2022 04:27:37 -0800 (PST)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55C573A0C86 for <sidrops@ietf.org>; Wed, 23 Feb 2022 04:27:37 -0800 (PST)
Received: from [198.180.150.2] (helo=mail.rg.net) by psg.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95 (FreeBSD)) (envelope-from <randy@psg.com>) id 1nMqk2-000DaC-D7; Wed, 23 Feb 2022 12:27:34 +0000
Received: from c-24-21-195-208.hsd1.or.comcast.net ([24.21.195.208] helo=[192.168.0.18]) by mail.rg.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1nMqk1-0004I2-Gj; Wed, 23 Feb 2022 12:27:33 +0000
From: Randy Bush <randy@psg.com>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: sidrops@ietf.org, Geoff Huston <gih@apnic.net>
Date: Wed, 23 Feb 2022 04:27:20 -0800
X-Mailer: MailMate (1.14r5852)
Message-ID: <85D947F4-E2A4-4FFE-86AF-2D129C49FB9C@psg.com>
In-Reply-To: <6D314C7A-8CEC-4B9B-8F80-6B1AC48037E2@nlnetlabs.nl>
References: <m2h78roqbp.wl-randy@psg.com> <7FBC2063-2404-4BF9-836E-210629C4BA63@juicybun.cn> <m28ru3ofyq.wl-randy@psg.com> <3C18BA8C-FA34-4D24-96E4-F85644089513@nlnetlabs.nl> <015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn> <DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl> <YhS/WR3czIP3jNLF@snel> <ABE3FA29-6C9D-492B-A72A-68C20176E76D@nlnetlabs.nl> <949277FD-27AF-40E8-B557-AA58C62BFEA7@apnic.net> <E16290C1-77ED-4CB1-8712-F6163304ED45@nlnetlabs.nl> <m2k0dmmntj.wl-randy@psg.com> <6D314C7A-8CEC-4B9B-8F80-6B1AC48037E2@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/rxx_wf08RdduunsjCGhn1BFZoGk>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Feb 2022 12:27:42 -0000

> Am I correct though that if BGPSec *Path* validation were to be
> applied to unsigned paths they would be considered 'Not Valid'?

no.  not validatable, if you wish.  not valid is a result of
validating the signature chain.  as one can not do that with
a non-bgpsec path, it can be neither valid or not valid.

> And isn't this what the downgrade issue (for which I cannot
> find a ref now) is about? Rather than violating signatures, the
> signatures can just be stripped.

the downgrade attack is a router accepting a bgpsec path and
producing a bgp4 path toward the 'victim'.  in a more likely
operational scenario, the router simply refuses bgpsec from its
incoming peer, so that peer sends it bgp4 which it then sends on
to the 'victim'.  though that make a louder signal of the attack.

> Meaning that even if you would call such a path 'not signed',
> rather than 'not valid' accepting those paths would mean that
> 'not valid' can be easily avoided by adversaries.

yes

> Hence, I believe, the idea to only accept BGPSec *path* 'Valid'
> on BGPSec "islands".

no.  routers on those islands still need to reach non-bgpsec
destinations and even bgpsec speaking destinations on other
islands.  this means they must also accept unsigned paths.

> Is there a way that these "islands" can be recognised
> automatically, and cross transit (i.e. include unknown
> parties)?

you could tunnel between islands; but that is operationally
unlikely.  i remember uucp :)

and you can not take an unsigned path and start signing.  to what
are you attesting?

randy