BGP in the Washngton Post
Interesting story about BGP and security in the Washington Post today: http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-... -Bill -- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
Subject: BGP in the Washngton Post Date: Mon, Jun 01, 2015 at 09:24:33AM -0400 Quoting William Herrin (bill@herrin.us):
Interesting story about BGP and security in the Washington Post today:
http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-...
sort of dissappointed they did not quote randy using only lower case. looks weird. once past that, good comment. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Isn't this my STOP?!
On Mon, Jun 1, 2015 at 9:39 AM, Måns Nilsson <mansaxel@besserwisser.org> wrote:
Subject: BGP in the Washngton Post Date: Mon, Jun 01, 2015 at 09:24:33AM -0400 Quoting William Herrin (bill@herrin.us):
Interesting story about BGP and security in the Washington Post today:
http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-...
sort of dissappointed they did not quote randy using only lower case. looks weird. once past that, good comment.
and in comic sans you mean?
Excellent find, Thanks! I forwarded this to a bunch of people. Mostly managers. Jeff A. Masiello -----Original Message----- From: NANOG [mailto:nanog-bounces+jmasiello=actionet.com@nanog.org] On Behalf Of William Herrin Sent: Monday, June 01, 2015 9:25 AM To: nanog@nanog.org Subject: BGP in the Washngton Post Interesting story about BGP and security in the Washington Post today: http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-... -Bill -- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Mon, Jun 1, 2015 at 6:24 AM, William Herrin <bill@herrin.us> wrote:
Interesting story about BGP and security in the Washington Post today:
http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-...
-Bill
The article left me with the feeling that there was a secure version of BGP that is available but network operators are too short-term-focused and foolish to deploy it. I believe the situation is more complicated than that, no? There is no "secure version of BGP". There are a handful of things that help, like RPKI ... but they are far off from hitting the mark of "securing the internet"... not too mention the ARIN RPKI SNAFU with various lawyers that make RPKI impossible for a large part of the internet. CB PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate because Cisco does not think validation within a VRF is an IOS-XR worthy features PPS. It does blow my mind that the internet works so well given that its security relies on the good faith and reputation of a few network janitors and plumbers
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Jun 1, 2015, at 10:08 AM, Ca By <cb.list6@gmail.com> wrote: The article left me with the feeling that there was a secure version of BGP that is available but network operators are too short-term-focused and foolish to deploy it.
I believe the situation is more complicated than that, no? There is no "secure version of BGP". There are a handful of things that help, like RPKI ... but they are far off from hitting the mark of "securing the internet"... not too mention the ARIN RPKI SNAFU with various lawyers that make RPKI impossible for a large part of the internet.
CB
PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate because Cisco does not think validation within a VRF is an IOS-XR worthy features
PPS. It does blow my mind that the internet works so well given that its security relies on the good faith and reputation of a few network janitors and plumbers
The issue here is that people treat routing security the same way as the Jennifer Anniston character in "Office Space" and her flair. People do the minimum to make it work and forget about it. This can have catastrophic effects if one does that with your sewers, septic fields, etc but we accept it in the BGP and routing universe for some reason. You even see that with the IRR data, people add and never remove. You can explore your objects here, you might be surprised how old they are or who is injecting garbage today. http://irrexplorer.nlnog.net/ at $dayjob we try to do the right thing and as a result see complaints from customers, prospects and even our vendors that what we do pushes their scale limits and capabilities. Gert asks if you enabled IPv6 on something today, (or did you turn IPv4 off soon I think will be a fair question). What have we (You!) done to improve routing security recently? Do we need a photo or t-shirt of randy bush saying “only you can prevent route hijackings?” - Jared
Actually, that's the level of attention given to all kinds of infrastructure just about everywhere. ;-) ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com ----- Original Message ----- From: "Jared Mauch" <jared@puck.nether.net> To: "Ca By" <cb.list6@gmail.com> Cc: nanog@nanog.org Sent: Monday, June 1, 2015 10:00:38 AM Subject: Routing Insecurity (Re: BGP in the Washington Post)
On Jun 1, 2015, at 10:08 AM, Ca By <cb.list6@gmail.com> wrote: The article left me with the feeling that there was a secure version of BGP that is available but network operators are too short-term-focused and foolish to deploy it.
I believe the situation is more complicated than that, no? There is no "secure version of BGP". There are a handful of things that help, like RPKI ... but they are far off from hitting the mark of "securing the internet"... not too mention the ARIN RPKI SNAFU with various lawyers that make RPKI impossible for a large part of the internet.
CB
PS. All my ipv4 and ipv6 routes are RPKI signed, but I can't validate because Cisco does not think validation within a VRF is an IOS-XR worthy features
PPS. It does blow my mind that the internet works so well given that its security relies on the good faith and reputation of a few network janitors and plumbers
The issue here is that people treat routing security the same way as the Jennifer Anniston character in "Office Space" and her flair. People do the minimum to make it work and forget about it. This can have catastrophic effects if one does that with your sewers, septic fields, etc but we accept it in the BGP and routing universe for some reason. You even see that with the IRR data, people add and never remove. You can explore your objects here, you might be surprised how old they are or who is injecting garbage today. http://irrexplorer.nlnog.net/ at $dayjob we try to do the right thing and as a result see complaints from customers, prospects and even our vendors that what we do pushes their scale limits and capabilities. Gert asks if you enabled IPv6 on something today, (or did you turn IPv4 off soon I think will be a fair question). What have we (You!) done to improve routing security recently? Do we need a photo or t-shirt of randy bush saying “only you can prevent route hijackings?” - Jared
On 1/Jun/15 17:04, Mike Hammett wrote:
Actually, that's the level of attention given to all kinds of infrastructure just about everywhere. ;-)
The difference is that there are standardized (global) guidelines for those infrastructures within their own industry, that lack of compliance can lead to serious fines, jail time or both. A network operator unmaliciously screwing up their BGP configuration and taking one side of a continent out is unlikely to see any punishment beyond being fired by his employer, or losing his customers if self-employed. Mark.
On Mon, Jun 1, 2015 at 8:21 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On 1/Jun/15 17:04, Mike Hammett wrote:
Actually, that's the level of attention given to all kinds of infrastructure just about everywhere. ;-)
The difference is that there are standardized (global) guidelines for those infrastructures within their own industry, that lack of compliance can lead to serious fines, jail time or both.
A network operator unmaliciously screwing up their BGP configuration and taking one side of a continent out is unlikely to see any punishment beyond being fired by his employer, or losing his customers if self-employed.
Mark.
Also, the internet usually works pretty good-ish and the janitors clean up the messes pretty quick-ish. That said, i believe the BGP situation is completely hygienic relative to the DDoS issues going on that could be solved by BCP38 and otherwise fixing poorly admin'd DNS, NTP, CHARGEN, and SSDP nodes. The aforementioned janitors are pretty powerless on this front... and... various parties on all side are looking to cash in (booters on one side, web scrubbers on the other)... which is a very dangerous arms race with real money on both sides looking to escalate the harm / fix. CB
On 1 Jun 2015, at 22:31, Ca By wrote:
scrubbers on the other)... which is a very dangerous arms race with real money on both sides looking to escalate the harm / fix.
My fondest wish is for there to cease to be a need for DDoS mitigation tools and techniques, and I do my best to try and educate and proselytize to that end, and have done so for many years. <https://app.box.com/s/4h2l6f4m8is6jnwk28cg> I would much rather be working on other problem-sets. But needs must. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
In message <CAD6AjGQWs-aKD8axgiRyaYXPB564MswKZsuaOUhjUn--KJXuUg@mail.gmail.com> , Ca By writes:
On Mon, Jun 1, 2015 at 8:21 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On 1/Jun/15 17:04, Mike Hammett wrote:
Actually, that's the level of attention given to all kinds of infrastructure just about everywhere. ;-)
The difference is that there are standardized (global) guidelines for those infrastructures within their own industry, that lack of compliance can lead to serious fines, jail time or both.
A network operator unmaliciously screwing up their BGP configuration and taking one side of a continent out is unlikely to see any punishment beyond being fired by his employer, or losing his customers if self-employed.
Mark.
Also, the internet usually works pretty good-ish and the janitors clean up the messes pretty quick-ish.
That said, i believe the BGP situation is completely hygienic relative to the DDoS issues going on that could be solved by BCP38 and otherwise fixing poorly admin'd DNS, NTP, CHARGEN, and SSDP nodes. The aforementioned janitors are pretty powerless on this front... and... various parties on all side are looking to cash in (booters on one side, web scrubbers on the other)... which is a very dangerous arms race with real money on both sides looking to escalate the harm / fix.
If you have secure BGP deployed then you could extend the authenication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic.
CB -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On 2 Jun 2015, at 11:07, Mark Andrews wrote:
If you have secure BGP deployed then you could extend the authenication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic
This can be and is done by networks which originate routes and which practice good network hygiene, no PKI required. But then we get into the customer of my customer (of my customer, of my customer . . .) problem, and this aren't quite so clear. There are also potentially significant drawbacks to incorporating PKI into the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and the possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNS space. Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is? But nobody seems to be discussing these potential drawbacks, very much. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
the possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNS space.
Could you elaborate ? I don't see how it could be worse. Comparing with DNS is not relevant IMHO. Everyone is managing its own routing policy, not everyone is managing its own DNS root. Denis
On 2 Jun 2015, at 15:46, Denis Fondras wrote:
Everyone is managing its own routing policy, not everyone is managing its own DNS root.
Everyone CAN manage his own DNS root; everyone CAN use /etc/hosts; everyone CAN switch to an altogether different name resolution such as PNRP. Everyone CAN'T switch to an alternate global routing table. So, what happens when the authorities in some locale start pressing for the cancellation of relevant certificates utilized in routing PKI, and/or order operators under their jurisdiction to reject same? ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
Thus spake Roland Dobbins (rdobbins@arbor.net) on Tue, Jun 02, 2015 at 03:05:13PM +0700:
On 2 Jun 2015, at 11:07, Mark Andrews wrote:
If you have secure BGP deployed then you could extend the authenication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic
This can be and is done by networks which originate routes and which practice good network hygiene, no PKI required.
But then we get into the customer of my customer (of my customer, of my customer . . .) problem, and this aren't quite so clear.
There are also potentially significant drawbacks to incorporating PKI into the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and the possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNS space.
Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is?
But nobody seems to be discussing these potential drawbacks, very much.
Start here: https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf Dale
The same folks also followed up that workshop paper with a longer paper on the topic: https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf On Tue, Jun 2, 2015 at 8:16 AM Dale W. Carder <dwcarder@wisc.edu> wrote:
Thus spake Roland Dobbins (rdobbins@arbor.net) on Tue, Jun 02, 2015 at 03:05:13PM +0700:
On 2 Jun 2015, at 11:07, Mark Andrews wrote:
If you have secure BGP deployed then you could extend the authenication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic
This can be and is done by networks which originate routes and which practice good network hygiene, no PKI required.
But then we get into the customer of my customer (of my customer, of my customer . . .) problem, and this aren't quite so clear.
There are also potentially significant drawbacks to incorporating PKI
the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and
into the
possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DNS space.
Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is?
But nobody seems to be discussing these potential drawbacks, very much.
Start here: https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
Dale
On 3 Jun 2015, at 9:04, Ethan Katz-Bassett wrote:
The same folks also followed up that workshop paper with a longer paper on the topic: https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf
Thanks to you and to Dale Carter - I was unaware of these papers. Nonetheless, the risk remains of authorities interfering with the BGP as they've interfered with the DNS. I'm very cognizant of the non-trivial effects of route-hijacking, having been involved in helping get a few of them resolved. Nonetheless, my natural skepticism leads me to wonder whether we aren't better off with the problematic, error-prone system we have (not to mention the enumeration and enhanced DDoS impact of packeting routers doing crypto for their BGP sessions and which aren't protected via iACLs/GTSM). ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On 06/03/2015 04:27 AM, Roland Dobbins wrote:
(not to mention the enumeration and enhanced DDoS impact of packeting routers doing crypto for their BGP sessions and which aren't protected via iACLs/GTSM).
Could you elaborate on your enumeration and DDoS concerns? If you're concerned about the public finding out exactly how many routers you have because you've published one BGPsec router key per router, you can choose to use the same router key on multiple routers. If you're concerned about all the crypto work overloading a router, the plan (as far as I've heard) is for the routers to do the BGPsec crypto work in the background as a low priority. I.e., incoming signed routes will initially be treated like unsigned routes, and the BGPsec validation will be kicked off in the background. Once the validation is complete, then routing decisions can be made based on the BGPsec validity. -- David Eric Mandelberg / dseomn http://david.mandelberg.org/
On 5 Jun 2015, at 10:56, David Mandelberg wrote:
Could you elaborate on your enumeration and DDoS concerns?
Crypto = more overhead. Less priority to crypto plus DDoS = routing update issues. One can infer peering relationships in a way not possible before. What about bogus signatures? ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On 2015-06-05 02:40, Roland Dobbins wrote:
On 5 Jun 2015, at 10:56, David Mandelberg wrote:
Could you elaborate on your enumeration and DDoS concerns?
Crypto = more overhead. Less priority to crypto plus DDoS = routing update issues.
I don't think there's an update issue here. The crypto verification is probably going to be deferred in addition to being low priority. If I understand it correctly, this means that a route can be passed along right away without waiting for the crypto checks.
One can infer peering relationships in a way not possible before.
How?
What about bogus signatures?
If I understand correctly, these routes (and all newly received routes) will initially be treated similarly to unsigned routes. Once BGPsec validation completes, then local policy determines what to do with the validation results. -- David Eric Mandelberg / dseomn http://david.mandelberg.org/
On Tue, 09 Jun 2015 19:09:45 -0400, David Mandelberg said:
I don't think there's an update issue here. The crypto verification is probably going to be deferred in addition to being low priority. If I understand it correctly, this means that a route can be passed along right away without waiting for the crypto checks.
Forward the route and then check it? Didn't we have a very amusing afternoon a number of years ago when $VENDOR did exactly that with some invalid routing data? Or am I mis-remembering history, and therefor doomed to mis-repeat it?
On Tue, 09 Jun 2015 21:19:23 -0400, Valdis.Kletnieks@vt.edu said:
Didn't we have a very amusing afternoon a number of years ago when $VENDOR did exactly that with some invalid routing data? Or am I mis-remembering history, and therefor doomed to mis-repeat it?
Actually, it was collusion. $VENDOR-A forwarded the bad data all over, and every $VENDOR-B router that saw it went walkies... It's the memory that goes first. I can't remember what goes second....
Crypto = more overhead. Less priority to crypto plus DDoS = routing update issues.
I don't think there's an update issue here. The crypto verification is probably going to be deferred in addition to being low priority. If I understand it correctly, this means that a route can be passed along right away without waiting for the crypto checks.
I don't think this quite fits with Postel's law... There's also the size of the table and the ability to pack (compress) the information to consider.
One can infer peering relationships in a way not possible before.
How?
The keys are per router, not per AS. You could use a single private/public key pair across the entire AS -- but that's not good security hygiene. There's no way to sign an update without exposing the signer; if you sign at anything below the AS level, you're exposing new information. What about the per NLRI timer? The timer is essentially the amount of time you'd like someone to be able to advertise a route once the peering session is broken. How long are you comfortable with someone advertising your routes after you've taken down your peering with them? What's the performance impact of forcing every route in the table to expire, say, every 24 hours? Given your cost of setting your timers to a few minutes or hours is nil (you're transferring the cost of your increased security onto "everyone else"), why not set it lower? Tragedy of the commons? I'm not saying BGPSEC a bad solution for the questions asked -- I'm saying it's is too heavyweight given the tradeoffs, and that we probably started with the wrong questions in the first place. What's needed is to spend some time thinking about what questions really need to be answered, the lowest cost way to answer those questions, and a complete examination of the tradeoffs involved. Is "what path did this update travel," or "are the BGP semantics being properly followed," really questions that want asking? Or are there other, more pertinent questions available? :-) Russ
rtfm. bgpsec key aggregation is at the descretion of the operator. they could use one key to cover 42 ASs.
I've been reading the presentations and the mailing lists, both of which imply you should use one key per router for security reasons. I would tend to agree with that assessment, BTW. Russ
rtfm. bgpsec key aggregation is at the descretion of the operator. they could use one key to cover 42 ASs.
I've been reading the presentations and the mailing lists, both of which imply you should use one key per router for security reasons. I would tend to agree with that assessment, BTW.
folk have different threat models. yours (and mine) may be propagation of router compromise. for others, it might be a subtle increase in disclosure of router links. contrary to your original assertion, the protocol supports both. randy
folk have different threat models. yours (and mine) may be propagation of router compromise. for others, it might be a subtle increase in disclosure of router links. contrary to your original assertion, the protocol supports both.
The increased disclosure is not "subtle." The alternate -- deploying a new key to every eBGP speaker in your network while the security of all your routes is compromised, isn't so "subtle" either. It's a bad tradeoff in either direction -- typical of solutions that ask the wrong questions in the first place. Russ
There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning. Key-per-router was brought up as providing the means to excise one misbehaving router that is in some risky sort of environment, which is a different management pain. In terms of security, from outside the AS, you are basing your decisions on your trust in the AS in the key-per-AS case, and you are basing your decisions on your trust in the AS that certified the router in the key-per-router case. The local operator's environment and policy rule in choosing the technique. The draft draft-ietf-sidr-bgpsec-ops-05 says: A site/operator MAY use a single certificate/key in all their routers, one certificate/key per router, or any granularity in between. --Sandy On Jun 10, 2015, at 9:17 AM, "Russ White" <russw@riw.us> wrote:
rtfm. bgpsec key aggregation is at the descretion of the operator. they could use one key to cover 42 ASs.
I've been reading the presentations and the mailing lists, both of which imply you should use one key per router for security reasons. I would tend to agree with that assessment, BTW.
Russ
There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning.
Two points -- First, if a single person with console access leaves the company, I must roll the key for all my BGP routes, with the attendant churn, etc. I can't imagine anyone deploying such a thing. Second, a secret only remains secret if two people know it, and one of them is dead -- a basic rule of security is prevent the spread of knowledge. If every person in the organization with console access knows the private key for every router in the network, it's no longer secret. So you can have one key pair per AS, and risk your security. Or you can add more key pairs, either per router, per POP, per region, or at some other level of granularity, and advertise more information about your network as well as make the key pair database larger. Either you weaken your security in one way, or you weaken your security in another. Doesn't sound like much of a "tradeoff" to me. What astounds me is the quietness on this list about this stuff... :-) Russ
On 2015-06-11 07:30, Russ White wrote:
There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning.
Two points --
First, if a single person with console access leaves the company, I must roll the key for all my BGP routes, with the attendant churn, etc. I can't imagine anyone deploying such a thing.
I assume the vast majority of these cases are when the person leaves with no indication of malicious intent. In those cases, it might be possible to perform the key rollover with a relatively long grace period in which both keys are valid. Wouldn't that help reduce churn? -- David Eric Mandelberg / dseomn http://david.mandelberg.org/
On Thu, Jun 11, 2015 at 3:10 PM, David Mandelberg <david@mandelberg.org> wrote:
On 2015-06-11 07:30, Russ White wrote:
There have been suggestions that a key-per-AS is easier to manage than a key-per-router, like in provisioning.
Two points --
First, if a single person with console access leaves the company, I must roll the key for all my BGP routes, with the attendant churn, etc. I can't imagine anyone deploying such a thing.
I assume the vast majority of these cases are when the person leaves with no indication of malicious intent. In those cases, it might be possible to
it's actually nearly impossible to tell this... so the 'best' option is to do the changes required as quickly as is safe for your network. yes, it sucks... you know what sucks more? when 2 people leave on adjacent days.
On Jun 10, 2015, at 7:51 AM, "Russ White" <russw@riw.us> wrote:
I'm not saying BGPSEC a bad solution for the questions asked -- I'm saying it's is too heavyweight given the tradeoffs, and that we probably started with the wrong questions in the first place.
What's needed is to spend some time thinking about what questions really need to be answered, the lowest cost way to answer those questions, and a complete examination of the tradeoffs involved. Is "what path did this update travel," or "are the BGP semantics being properly followed," really questions that want asking? Or are there other, more pertinent questions available?
Not liking the solution is not a reason to abandon the problem. This sounds like "I don't like eating right and exercising, so keeping my weight under control is the wrong question" All protocols rely on certain assumptions of what the fields mean - when you send them and when you receive them. Analyzing a protocol for vulnerabilities starts with identifying what happens if those assumptions are broken. (Like the assumption in IP that the source address is the node that sent the packet - spoofing breaks that assumption.) Breaking the semantics creates attacks. --Sandy
Not liking the solution is not a reason to abandon the problem. This sounds like "I don't like eating right and exercising, so keeping my weight under control is the wrong question"
All protocols rely on certain assumptions of what the fields mean - when you send them and when you receive them. Analyzing a protocol for vulnerabilities starts with identifying what happens if those assumptions are broken. (Like the assumption in IP that the source address is the node
Two points. First, I did NOT say, "I don't like this." What I did say was technically precise, and, I think, perfectly clear. It's telling that the folks defending BGPSEC must immediately redirect the discussion into the side alleys of who "likes" what, and "rtfm," and "you can do this only it will cost you, so don't do that even though it's probably the right thing to do," straw man arguments, etc. Second, if you said, "If I eat one carrot a day, and I still can't keep my weight under control," you have some other problem than not being able to control your eating, and you might want to check into it a bit with a doctor. BGPSEC can eat one carrot a day and it's still too fat, IMHO -- it has a very high cost for some gain, counterbalanced by a slate of new risks and problems that must be solved. Again -- the ROI just isn't there. that
sent the packet - spoofing breaks that assumption.) Breaking the semantics creates attacks.
Sorry, Sandy, but this is a narrow view of security. The question is -- "what information is being transmitted, and how can it be validated (once you've actually defined validated?" One possible answer is, "by making certain the protocol's semantics are being followed." There are other possible answers to that questions, however. When your first attempt doesn't meet ROI, you don't ask the same questions -- you go back to the original requirements to see if you asked the right questions in the first place. To do anything else will quickly resolve to the insanity pattern. Russ
On 06/02/2015 10:04 PM, Ethan Katz-Bassett wrote:
The same folks also followed up that workshop paper with a longer paper on the topic: https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf
And a different set of folks (including me) are working on a different mechanism to protect against attacks from on high. Any feedback would be appreciated. https://tools.ietf.org/html/draft-kent-sidr-suspenders-03 -- David Eric Mandelberg / dseomn http://david.mandelberg.org/
In message <20150602151233.GA29050@DOIT-2NW1MRFY-X.doit.wisc.edu>, "Dale W. Car der" writes:
Thus spake Roland Dobbins (rdobbins@arbor.net) on Tue, Jun 02, 2015 at 03:05: 13PM +0700:
On 2 Jun 2015, at 11:07, Mark Andrews wrote:
If you have secure BGP deployed then you could extend the authenication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic
This can be and is done by networks which originate routes and which practice good network hygiene, no PKI required.
But it is a manual process or trust the information added to this database is correct. Automating the process even if it is only at the customer/isp edge were customer == isp is tagged as a exception would be a big win.
But then we get into the customer of my customer (of my customer, of my customer . . .) problem, and this aren't quite so clear.
There are also potentially significant drawbacks to incorporating PKI into the routing space, including new potential DoS vectors against PKI-enabled routing elements, the potential for enumeration of routing elements, and th e possibility of building a true 'Internet kill switch' with effects far beyond what various governmental bodies have managed to do so far in the DN S space.
Yes, there are trade offs. As for that "Internet kill switch", ISP could theoretically be ordered to block all traffic to a prefix. I know that this is theoretically possible today with Australian legistation and basically has been since the very begining as it is in the telecomunication acts.
Once governments figured out what the DNS was, they started to use it as a ban-hammer - what happens in a PKIed routing system once they figure out what BGP is?
But nobody seems to be discussing these potential drawbacks, very much.
Start here: https://www.cs.bu.edu/~goldbe/papers/hotRPKI_full.pdf
Dale -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On 2015-06-01 22:07, Mark Andrews wrote:
If you have secure BGP deployed then you could extend the authenication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic.
I don't believe this is entirely true, and BGPSEC certainly doesn't solve most of what I'm concerned about from a routing security perspective. See, e.g.: https://tools.ietf.org/html/draft-ietf-grow-simple-leak-attack-bgpsec-no-hel... That said, a Internet number resource certification infrastructure, be it RPKI or something with s single root and scalable(!), is certainly necessary, and can be used to bootstrap policy databases (e.g., IRRs) that address both the inter-domain routing (e.g., origin "validation") and data plane anti-spoofing security problems, and perhaps not require operators (enterprises and nation states alike) to trade the autonomy and flexibility they have in routing today for what others see as their infrastructure security needs. After all, stability, resiliency, and availability are ALSO factors in the risk management gumbo that need to be considered by organizations, and the tight coupling of RPKI and BGPSEC as designed, are quite possibly not as attractive to some operators as the designers might suggest, particularly in light of new external dependencies, competitive markets, Internet governance, geopolitical climate, etc.. Many that haven't deployed or have lost interest in having the conversation have done so deliberately, and would prefer a routing by rumor paradigm that affords autonomy and flexibility to one where new control points and exorbitant costs and complexity simply scare the heck out of them, the primitives of which surely extend to many of the luminaries quoted in those articles. YMMV, -danny
On 1 Jun 2015, at 22:21, Mark Tinka wrote:
The difference is that there are standardized (global) guidelines for those infrastructures within their own industry, that lack of compliance can lead to serious fines, jail time or both.
1. Ensuring insurance underwriters understand the amount of unsecured risk they have, and working with them to develop the *verifiable* checklists they should be going through before they write 'cyber-' policies. 2. Working with ISO to develop relevant outcome-based standards (e.g., not what you type into your config, but rather the desired result, such as source address validation, detection/classification/traceback/mitigation capabilities, et. al.). 3. Working with regulatory bodies in various regulated verticals to require aforementioned ISOs, same with insurance companies serving those industries (this will have an ink-blot effect reaching down into their supply/service chains). 4. Working with governmental bodies to require aforementioned ISOs in the regulated industries. 5. Working with PCI/DSS to add an availability component, as well as all relevant integrity BCPs. 6. Adding outcome-based requirements surrounding all the relevant BCPs to peering/transit agreements, getting regulators and governments to require same. I really think the insurance industry is going to be the best/easiest route to take (pardon the pun); this has the advantage of not requiring further governmental regulation, and does offer a market-based solution. I know Bill Woodcock has some experience in this general arena. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
On 1/Jun/15 17:00, Jared Mauch wrote:
This can have catastrophic effects if one does that with your sewers, septic fields, etc but we accept it in the BGP and routing universe for some reason.
Because our industry (for better or worse) is not as regulated as other "life-concerning" things in the world such as health, aviation, education, construction, finance, electricity, e.t.c., are, it is up to us to make sure we do the right thing. But if there is no "official" or "standard" metric against which we can hold one another accountable, we are all bound to do our own things, as you say, that are enough to make it work and forget about it. As the saying goes, "You can't blame a monkey for botching a brain surgery". Our lack of regulation means we can quickly scramble up a global routing protocol on three napkins and get it into production. This is a good thing. The question now is - how important is this Internetnetwork to us that we are willing to accept a moderate to significant amount of inconvenience in order to improve its long term utility the same way we expect the sewer companies to do a decent job keeping the filth out of sight? Mark.
Is there *IN THEIORY* any possibility to make BGP secure enough now? Yes, RPKI protects from fat fingered people, but NOT protects from people doing hijacks knowlingly. The global routing registry really can be the solution, but it automatically gives one authority a power to cut off any network. Imagine how fast it will be used for censorship. On 01.06.15 16:24, William Herrin wrote:
Interesting story about BGP and security in the Washington Post today:
http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-...
-Bill
In message <556C8EBC.7080109@netassist.ua>, Max Tulyev writes:
Is there *IN THEIORY* any possibility to make BGP secure enough now?
Yes, RPKI protects from fat fingered people, but NOT protects from people doing hijacks knowlingly.
At the moment because not enough of the net is covered. When you get enough coverage then yes it will protect you because there is no way to get a valid CERT to authenticate the hijack. Even before that RPKI will limit the impact of the hijack by isolating the attack to the networks close to the injection points. Think of this as herd immunity.
The global routing registry really can be the solution, but it automatically gives one authority a power to cut off any network. Imagine how fast it will be used for censorship.
On 01.06.15 16:24, William Herrin wrote:
Interesting story about BGP and security in the Washington Post today:
http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-...
-Bill
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Yes, RPKI protects from fat fingered people, but NOT protects from people doing hijacks knowingly.
the rpki protects from fat fingers as well as the telephone white pages protects from wrong number dialing. it doesn't. for the 312th time (i had to make this clear once again from the floor of nanog this week), ... The RPKI is an X.509 based hierarchy [rfc 6481] which is congruent with the internet IP address allocation administration, the IANA, RIRS, ISPs, ... It is just a database, but is the substrate on which the next two mechanisms are based. It is currently deployed in all five administrative regions. RPKI-based Origin Validation [RFC 6811] uses some of the RPKI data to allow a router to verify that the autonomous system originating an IP address prefix is in fact authorized to do so. This is not crypto checked so can be violated. But it should prevent the vast majority of accidental 'hijackings' on the internet today, e.g. the famous Pakistani accidental announcement of YouTube's address space. RPKI-based origin validation is in shipping code from AlcaLu, Cisco, Juniper, and possibly others. RPKI-based Path Validation, a future technology still being designed [draft-ietf-sidr-bgpsec-overview-06.txt], uses the full crypto information of the RPKI to make up for the embarrassing mistake that, like much of the internet BGP was designed with no thought to securing the BGP protocol itself from being gamed/violated. It allows a receiver of a BGP announcement to cryptographically validate that the autonomous systems through which the announcement passed were indeed those which the sender/forwarder at each hop intended. randy
On (2015-06-02 21:51 -0700), Randy Bush wrote:
The RPKI is an X.509 based hierarchy [rfc 6481] which is congruent with the internet IP address allocation administration, the IANA,
Hijacking this thread. I've requested both our main vendors for 'loose rpki' years ago, nothing has happened. SP trying to deploy RPKI may have negative business impact, if far-end fat-fingers and fail RPKI, then my connectivity to them is broken, while competitor who isn't running RPKI still works fine. Essentially suits may view deploying RPKI as spending money to lose money. Comfortable slow-start would be to have 'loose rpki' which essentially has 3 adj-ribs, verified-rpki, missing-rpki, failed-rpki. Then loc-rib is build from each of these, so that no overlapping routes are installed from inferior ribs. That is, if verified-rpki has 192.0.2.0/24, missing/failed-rpki cannot install it or more-specific of it. Net result is, we will always use verified-rpki route if existing, but if no other options exist, we're happy to use any available route. JunOS allows routing-policy to match on verified status, but this cannot obviously override more-specifics. -- ++ytti
participants (21)
-
Ca By -
Christopher Morrow -
Dale W. Carder -
Danny McPherson -
David Mandelberg -
Denis Fondras -
Ethan Katz-Bassett -
Jared Mauch -
Jeff Masiello -
Mark Andrews -
Mark Tinka -
Max Tulyev -
Mike Hammett -
Måns Nilsson -
Randy Bush -
Roland Dobbins -
Russ White -
Saku Ytti -
Sandra Murphy -
Valdis.Kletnieks@vt.edu -
William Herrin