Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
Hierarchical relationships breed "reptiles" because of the inherent asymmetric business relationship that results. ... Frankly, I am quite impressed with the address registries.
How would you feel about having the registries serve as the root of a hierarchical certificate system?
So an institution would have its "certificate" signed by its upstream (or one of its upstream) providers.
How is this relationship not a hierarchical, asymmetric business relationship? What happens in this paradigm in de-peering situations? Are you are intending to exclude peering relationships from this web of trust?
The providers could cross-certificate to build a "root free" (as in "default free" zone) mesh (aka "Web of Trust.").
I believe a web of trust can be operationally feasible only if the web is more like a forest - if there are several well known examples of "tops" to the web. Otherwise, you have to be storing a plethora of different signers' certificates to be able to validate all the institution's certificates that come in. After all, there are thousands of different providers out there. If every bgp speaker uses a different certificate in signing updates to provider A than in signing updates to provider B, then the validation can be quite complex. Any trust relationship model would have to deal with (a) Provider independent space (b) Multi-homed organizations, with and without AS's (c) Organizations that are mobile - they might change their attachment point frequently or abruptly. Authorities exist for some number resources - e.g., those registries hand out addresses - should that be validated by the web of trust? (The authority says the address is allocated to A but I've got an update showing the address originating from B validated by my best peer's three best peers' peers) (Sometimes authorities are needed - if you were buying a car from Joe Doe, would you prefer a title signed by the DMV or the testimony of your favorite body shops that Joe Doe has been their customer for this car for awhile now.) That authority extends downward through sub-allocations in a tree, not a mesh. (But the web of trust might be useful for those current special cases that don't devolve from the existing registries, aka legacy space, until that situation can be fixed.) --Sandy
I believe a web of trust can be operationally feasible only if the web is more like a forest - if there are several well known examples of "tops" to the web. Otherwise, you have to be storing a plethora of different signers' certificates to be able to validate all the institution's certificates that come in.
you need those certs to verify the live data anyway randy
In message <17283.32422.105302.757816@roam.psg.com>, Randy Bush writes:
I believe a web of trust can be operationally feasible only if the web is more like a forest - if there are several well known examples of "tops" to the web. Otherwise, you have to be storing a plethora of different signers' certificates to be able to validate all the institution's certificates that come in.
you need those certs to verify the live data anyway
Right. The real issue is the trust determination -- how do you know that the certificate corresponds to something resembling reality (whatever that is)? --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
I believe a web of trust can be operationally feasible only if the web is more like a forest - if there are several well known examples of "tops" to the web. Otherwise, you have to be storing a plethora of different signers' certificates to be able to validate all the institution's certificates that come in.
you need those certs to verify the live data anyway
Right. The real issue is the trust determination -- how do you know that the certificate corresponds to something resembling reality (whatever that is)?
for how many years have i been asking you and your evil-minded cert designing friends for a pgp-like web of trust cert that could be used for just this application? randy
In message <17283.33635.774719.679@roam.psg.com>, Randy Bush writes:
I believe a web of trust can be operationally feasible only if the web is more like a forest - if there are several well known examples of "tops" to the web. Otherwise, you have to be storing a plethora of different signers' certificates to be able to validate all the institution's certificates that come in.
you need those certs to verify the live data anyway
Right. The real issue is the trust determination -- how do you know that the certificate corresponds to something resembling reality (whatever that is)?
for how many years have i been asking you and your evil-minded cert designing friends for a pgp-like web of trust cert that could be used for just this application?
Actually, I don't do certs; it's my evil-minded friends... That said, I think the problem is that we need an algebra of trust that will let a program, not a human, decide whether or not to trust a certficate. You don't want to accept something if it's a twisty loop of subsidiaries or allied evil ASs vouching for each other. OTOH, there are some situations where we know that absolute trust is indicated -- say, 701 signing 702's certificate, or an upstream signing the address certificate for a customer. And it's not just honesty, it's competence you're assessing -- we've all seen problems when major ISPs didn't get their filters straight. Furthermore, given that a trust algebra may yield a trust value, rather than a simple 0/1, is it reasonable to use that assessment as a BGP preference selector? That would tie the security very deeply -- too deeply? -- into BGP's guts. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
[ you know all this, but i think it is worth going through the exercise ]
That said, I think the problem is that we need an algebra of trust that will let a program, not a human, decide whether or not to trust a certficate. You don't want to accept something if it's a twisty loop of subsidiaries or allied evil ASs vouching for each other. OTOH, there are some situations where we know that absolute trust is indicated -- say, 701 signing 702's certificate, or an upstream signing the address certificate for a customer.
And it's not just honesty, it's competence you're assessing -- we've all seen problems when major ISPs didn't get their filters straight.
not exactly. there are two trusts here. i have to accept that asns as incompetent at configuration as i are attesting to prefixes and paths or i won't be able to get to a large part of the net. but this is orthogonal to my trust in their competence to attest to the identity of other asns by cross-signing others' certs. i could have a business relationship with an asn whose routing competence i question. the bottom line is which would i trust more in the latter sense, an asn cert signed by an external hierarchy or a cert signed by one or more of 70x, 1239, 2914, ...? it seems more natural if the identity trust is congruent with the trust of business relationships. a similar reason for my prefering sbgp-like architectures, the attestation model is congruent with the routing model. it turns out most folk have a business relationsip with an rir. but some don't, e.g. jis. and those who do not have become very worried about their ability to route on the internet being at the mercy of organizations some of which have specifically said that legacy cert renewal would be tied directly to the isp or entity paying the rir as if they had gotten the legacy address space from the rir (i think i have sensed some backing off from this rather extreme position). but the point is that some folk are not happy with their identity being controlled by an external party with no skin in the game with whom they would otherwise have no relationship. [ before you say it, i have suggested that a pseudo-rir be created for legacy asns and prefixes ] in particular, i have a business relationship with 1239 and 2914, but no business relationship with ripe. should i trust ripe's signing the identity of anja's asn more or less than 666 signing it and 666's identity being attested to by 1239 and 701, the latter likely being cross-signed by 1239 and 2914?
Furthermore, given that a trust algebra may yield a trust value, rather than a simple 0/1, is it reasonable to use that assessment as a BGP preference selector? That would tie the security very deeply -- too deeply? -- into BGP's guts.
i am aware of other research proposals where routing trust is ordinal or even real depending on various distances. randy
On Tue, 22 Nov 2005, Randy Bush wrote:
[ before you say it, i have suggested that a pseudo-rir be created for legacy asns and prefixes ]
I also seem to remember Bill Woodcock suggesting this at some ARIN meeting in 2001 or 2002. If I recall he proposed that this be somewhat like a document trust with no operations (beyond providing NS service) and when somebody needs a service the ip block would have to be moved to regional RIR. If your proposal for separate legacy RIR is different, then you need to have a model on how it would be run and how its operations would be financed (especially security procedures associated with assigning certs, etc). -- William Leibzon Elan Networks william@elan.net
On Tue, 22 Nov 2005, william(at)elan.net wrote: > I also seem to remember Bill Woodcock suggesting this at some ARIN > meeting in 2001 or 2002. If I recall he proposed that this be somewhat > like a document trust with no operations (beyond providing NS service) > and when somebody needs a service the ip block would have to be moved > to regional RIR. Right. The idea was to lock down things which were in the legacy space, unless people were prepared to undergo the full scrutiny of having them transferred into an RIR (basically dampen the rash of hijackings), give ARIN a clear way around the free-services-to-legacy-holders issue, and give legacy holders a way around the threat-of-ARIN-trying-to-charge- them issue. Seemed like a good idea to a lot of ARIN folks at the time, and it was starting to get some headway, when the RIPE and APNIC folks realized that it would deprive them of the future possiblity of reclaiming legacy space, which they promptly nabbed using the extraordinarily ill-considered ERX policy, which just took the problem and multiplied it by five. Basically irreversibly. So as nice an idea as it was, I'm not sure it has legs in this post-ERX world. -Bill
* Bill Woodcock:
Right. The idea was to lock down things which were in the legacy space, unless people were prepared to undergo the full scrutiny of having them transferred into an RIR (basically dampen the rash of hijackings),
In the end, this boils down to disappropriation. Early address space is owned, not assigned, as far as I can tell.
On Nov 22, 2005, at 2:59 PM, Randy Bush wrote:
[ you know all this, but i think it is worth going through the exercise ]
That said, I think the problem is that we need an algebra of trust that will let a program, not a human, decide whether or not to trust a certficate. You don't want to accept something if it's a twisty loop of subsidiaries or allied evil ASs vouching for each other. OTOH, there are some situations where we know that absolute trust is indicated -- say, 701 signing 702's certificate, or an upstream signing the address certificate for a customer.
And it's not just honesty, it's competence you're assessing -- we've all seen problems when major ISPs didn't get their filters straight.
not exactly. there are two trusts here. i have to accept that asns as incompetent at configuration as i are attesting to prefixes and paths or i won't be able to get to a large part of the net.
but this is orthogonal to my trust in their competence to attest to the identity of other asns by cross-signing others' certs. i could have a business relationship with an asn whose routing competence i question.
What happened to responsibility? Where does it fit in to the issue? And if not, why not? Pushback comes to mind ;-) As much as they enjoy sharing brew sessions, I don't think I've often seen or heard of 701 and 2914 ever having to point out downstream misbehavior to each other. And I *think* they both have sticks that are big enough that they never have to be waved. So if we can assume that this is true of the other folks of "similar" size, then which are the large parts of the net you can't or won't be able to reach? Or are your peers not prepared to own responsibility for their announcements? And if not, why not? And I refuse to accept the reasoning that seems to have smothered pushback - Networks don't have to deploy new code or equipment or capabilities to control internal or downstream announcements. To save some resulting noise on the list; Pointing to the example of spam is mostly a red herring. Today's spam is mostly generated by the hundreds of thousands of compromised machines that originate most of it, which creates its own difficult problems for the geeks who work at that layer. Nonetheless, to a large extent enforced responsibilty has worked for spam. The problem has changed. Paths and prefixes are a lot different to the current spam problem. NOTE: This is *not* an invitation to start a thread on spam or the botnets that enable them. It doesn't belong on this list, so take it elsewhere. As another thought: - Love 'em or hate 'em, the PSTN doesn't have this problem. Is there anything helpful to learn from there, ignoring the perennial layer9 discussion ratholes? /rlj
not exactly. there are two trusts here. i have to accept that asns as incompetent at configuration as i are attesting to prefixes and paths or i won't be able to get to a large part of the net.
but this is orthogonal to my trust in their competence to attest to the identity of other asns by cross-signing others' certs. i could have a business relationship with an asn whose routing competence i question.
What happened to responsibility? Where does it fit in to the issue?
responsibility for what?
As much as they enjoy sharing brew sessions, I don't think I've often seen or heard of 701 and 2914 ever having to point out downstream misbehavior to each other. And I *think* they both have sticks that are big enough that they never have to be waved. So if we can assume that this is true of the other folks of "similar" size, then which are the large parts of the net you can't or won't be able to reach? Or are your peers not prepared to own responsibility for their announcements? And if not, why not? And I refuse to accept the reasoning that seems to have smothered pushback - Networks don't have to deploy new code or equipment or capabilities to control internal or downstream announcements.
uh, i really do not follow what you are saying. the point is that the trust model for attestation of identity need not be the same trust model for the attestation of prefix ownership or of as-path. in operation, this means that there could be isp- (or ufo-)centric isp identity certification (a la web of trust, for example) which could have a very separate cert chain from that of address space allocation, which, aside from the legacy issue, could come via the rirs. randy
On Nov 23, 2005, at 11:09 AM, Randy Bush wrote:
not exactly. there are two trusts here. i have to accept that asns as incompetent at configuration as i are attesting to prefixes and paths or i won't be able to get to a large part of the net.
but this is orthogonal to my trust in their competence to attest to the identity of other asns by cross-signing others' certs. i could have a business relationship with an asn whose routing competence i question.
What happened to responsibility? Where does it fit in to the issue?
responsibility for what?
sorry to be slow/cryptic. My issue is that if ISPs a) only announce networks that they know (for different values of know - but hopefully based on some kind of trust in the RIR's data) they are authorized to announce, and b) took responsibility for the behavior of the paths or prefixes they announce, and the bits that are originated in those paths or prefixes, and took action to stop the bad behavior, the issue of trust paths might not be so critical. I am not arguing in any way with your views or thoughts related to trust models. I was merely drifting back to the original issue of rogue players in the path, and suggesting that there is an alternative method of mitigating the problems caused by those players that doesn't require protocol work. Ignore the deviation in the thread. /rlj
My issue is that if ISPs a) only announce networks that they know (for different values of know - but hopefully based on some kind of trust in the RIR's data) they are authorized to announce, and b) took responsibility for the behavior of the paths or prefixes they announce, and the bits that are originated in those paths or prefixes, and took action to stop the bad behavior, the issue of trust paths might not be so critical.
agreed up to the last clause. but my base concern is not config problems, but rather intentional attacks on the routing system. not to deny that there are config problems, they're rife and a major pita. but i suspect that the most agregious will be dealt with by direct approaches to the security issues, e.g. ip address ownership, as-path intent, etc. randy
Rodney Joffe wrote:
As another thought: - Love 'em or hate 'em, the PSTN doesn't have this problem.
Uh, PSTN does have this problem too. If you are part of SS7 you can totally fake call origination information. This has been and still is abused for criminal-malicous activities and 'billing-optimization'. Remember the lawsuit of SBC et al against WCOM regarding termination charge misrepresentation? In the actual PSTN routing of a call the destination information is not authenticated either. The national regulators run registries where the carrier-owner of each number block is registered. Very much like in the RIR system. Depends on country a bit though. In some it's more strict and in others less. -- Andre
Randy:
for how many years have i been asking you and your evil-minded cert designing friends for a pgp-like web of trust cert that could be used for just this application?
Steven B:
of subsidiaries or allied evil ASs vouching for each other. OTOH, there are some situations where we know that absolute trust is indicated -- say, 701 signing 702's certificate, or an upstream signing the address certificate for a customer.
Well, there's the rub. You know who runs AS701 and AS702. Presumably most of us do (although I don't know who runs 702 off the top of my head. 701 is UUNET/MCI, no? I don't do BGP). I like the web 'o' trust idea, but the idea is that the *end-user* is supposed to know what's legit and what isn't. In most cases, we're not the end-users. -- Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED Company website: http://JustThe.net/ Personal blog, resume, portfolio: http://SteveSobol.com/ E: sjsobol@JustThe.net Snail: 22674 Motnocab Road, Apple Valley, CA 92307
the idea is that the *end-user* is supposed to know what's legit and what isn't.
no. all asn admins, including tier 1 through tier 42 and leaf asns. users are not involved in routing, except of course when the ivtf is desperate to shim up v6. randy
On Tue, 22 Nov 2005, Randy Bush wrote:
the idea is that the *end-user* is supposed to know what's legit and what isn't.
no. all asn admins, including tier 1 through tier 42 and leaf asns.
Bah. Forgive my stupidity, please. We got into the discussion of PKI and PGP-style trust models and I failed to remember the TLA in the subject. You're right, my comment doesn't apply to BGP (at least not for most end-users I know). -- Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED Company website: http://JustThe.net/ Personal blog, resume, portfolio: http://SteveSobol.com/ E: sjsobol@JustThe.net Snail: 22674 Motnocab Road, Apple Valley, CA 92307
* Steven M. Bellovin:
Furthermore, given that a trust algebra may yield a trust value, rather than a simple 0/1, is it reasonable to use that assessment as a BGP preference selector? That would tie the security very deeply -- too deeply? -- into BGP's guts.
Wouldn't this provide significant economic incentive towards gaining a high value on this metric? I'm not sure if this a good idea because even if you call it a "trust metric", it does not have to correspond to ethical behavior.
On Thu, 24 Nov 2005 20:26:56 +0100, Florian Weimer said:
Wouldn't this provide significant economic incentive towards gaining a high value on this metric? I'm not sure if this a good idea because even if you call it a "trust metric", it does not have to correspond to ethical behavior.
Wrong concept of "trust". There exist vendors that I *expect* will treat me in an unethical way, while being totally open as to their identity. Think of it as going to buy a used car, and *knowing* that there are shady and unethical dealings going on, but knowing to a high degree of certainty that the salesmen perpetrating the fraud are in fact authorized and are acting on behalf of the dealership, and aren't somebody in a cheap suit that came in off the street and borrowed the office while the real salesman was out for a few days for a family emergency.... (And yes, there actually *was* somebody who pulled that fraud a while back nearby here - I wish I could find a citation...)
* Valdis Kletnieks:
On Thu, 24 Nov 2005 20:26:56 +0100, Florian Weimer said:
Wouldn't this provide significant economic incentive towards gaining a high value on this metric? I'm not sure if this a good idea because even if you call it a "trust metric", it does not have to correspond to ethical behavior.
Wrong concept of "trust". There exist vendors that I *expect* will treat me in an unethical way, while being totally open as to their identity.
But ensuring identity is a good measure of trust, either. Identity only matters if you want to do something to the perpetrator in the real world. This seems to be the rare exception, not the norm. I expect people just to tweak their filters and move on. (It would be more interesting if each real-world entity could only have one digital entity, but this is impossible to achieve, especially in context of IP routing.)
* Sandy Murphy:
How would you feel about having the registries serve as the root of a hierarchical certificate system?
What about the swamp space?
So an institution would have its "certificate" signed by its upstream (or one of its upstream) providers.
(Don't know where that quote comes from.) Why is this significantly better than ISP filters which prevent bogus announcements from reaching wide propagation? I've seen bogus annoucements for which big ISPs have created corresponding RADB entries. Wouldn't they just create certificates in the new "secure BGP", and nothing is won?
How would you feel about having the registries serve as the root of a hierarchical certificate system?
What about the swamp space?
Presumably if the users of class C blocks in the swamp want to use the certficate services that the registry provides then the registries would sell that service for some reasonable fee. Some people labor under the misunderstanding that users of swamp space actually "own" IP addresses and therefore have the right to not pay anybody for anything at anytime. However, since "ownership" is a legal concept and since IP address ownership has never been tested in the courts, it is a moot point. Do you suppose that if a Microsoft salesman had given me a free copy of Windows back in 1990, I would have a right to use any version of Windows for free forever? --Michael Dillon
* Michael Dillon:
How would you feel about having the registries serve as the root of a hierarchical certificate system?
What about the swamp space?
Presumably if the users of class C blocks in the swamp
The class B assignments are even more interesting because some of them have been split (with or without the consent of the original assignee).
want to use the certficate services that the registry provides then the registries would sell that service for some reasonable fee.
Which registry? In many cases, there are two natural choices.
Some people labor under the misunderstanding that users of swamp space actually "own" IP addresses and therefore have the right to not pay anybody for anything at anytime. However, since "ownership" is a legal concept and since IP address ownership has never been tested in the courts, it is a moot point.
I can't follow your argument. You seem to be saying that we should not worry *because* we enter uncharted legal terrain. This attitude is completely alien to me.
Do you suppose that if a Microsoft salesman had given me a free copy of Windows back in 1990, I would have a right to use any version of Windows for free forever?
I guess I had the right to use that version of Windows forever. Software is not a good example because life cycles are so much shorter. But no one is really comfortable with retroactively revoking software licenses, and it's often impossible because of first sales doctrine, special copyright regulations (especially in European countries), antitrust regulations etc.
Michael Dillon:
Do you suppose that if a Microsoft salesman had given me a free copy of Windows back in 1990, I would have a right to use any version of Windows for free forever?
Any version? No. That version, particularly its fixed representation as an unchanged string of binary digits? Probably, but maybe not.. But that's because Microsoft can copyright long strings of binary digits as software and sell you a restricted license to use it. Note that small integers, unlike software, aren't easy to copyright, trademark, or "own" in any of the other traditional senses. Back in the early 1990s, I proposed to number my machines that I planned to attach to the Internet with small integers chosen from a small range. Conveniently, at the time, there was an organization that helped, at no charge to the end users, to make sure that no two people chose the same numbers, and so I allowed them to help make sure there was no conflict. Since that time, I've arranged to have those numbers listed in one or more BGP announcements on the global Internet. And, over that time, nobody else that I've noticed has also tried to use and announce the same numbers... I suppose if that sort of thing happened a lot, the Internet would be much less stable and useful (and filled with lawyers, no doubt, arguing over their proposed "solutions" to the problem), so it is nice that nobody has chosen to do so. If there ever comes a time when there's an actual shortage of unique numbers that are routable, I suspect things will get more Interesting. Matthew Kaufman matthew@eeph.com
participants (12)
-
Andre Oppermann
-
Bill Woodcock
-
Florian Weimer
-
Matthew Kaufman
-
Michael.Dillon@btradianz.com
-
Randy Bush
-
Rodney Joffe
-
Sandy Murphy
-
Steven J. Sobol
-
Steven M. Bellovin
-
Valdis.Kletnieks@vt.edu
-
william(at)elan.net