In article <103128.211654.21906@avi.netaxs.com> Barry wrote: : Now - show me an operational environment on the Internet were this authorization : chain is _working_ today. RIRs and RADB do not count. As you mention before, : those databases and keeping them up to date are a "pulling teeth" exercise. Well, while I don't advocate S-BGP *in particular*, I think starting with something based on in-addr, which is already delegated right down to the level of an origin AS owner (almost always), is the right idea. It wouldn't be too hard for me to trust: 4969.24.origin.0.254.200.10.in-addr.arpa returning something like "true." to check whether 4969 is allowed to originaate 10.200.254.0/24. First level use of something like that would be for detection of unauthorized routing, second could be some level of filtering - perhaps eventually in routing devices, perhaps not. Want authentication? DNSSEC perhaps - but poisoning attacks aside, I assert that if you get root on the in-addr box for a typical network, there are other problems you can cause anyway, especially at edge-y type networks. I think (as usual) we have this political problem with the idea of getting routing databases updated, either because of people who don't want others to see routing policy, or because of those who won't use anything that isn't 100% complete. All I assert about that is that building filters from the existing databases would indeed be silly. : As mentioned here and NANOGs in the past, our biggest problem are providers not : using the tools that they have to build incident resistance into today's : network. Agreed. :> My own opinion is that sophisticated routing attacks are the :> single biggest threat to the Internet. Well, I think redistribution attacks and worms that slam connected IPs with forged-source packets of various types are more worrisome than people leaking malformed BGP updates or trying mass blackholio attacks like the 7007 effect. Those may be sophisticated routing attacks (the former), but I don't really think so. Re: S-BGP in particular, I think that the analysis on S-BGP has been... limited. Ironic for a security protocol that I haven't seen any real analysis of the effect on router CPUs when *under attack*. I am not saying "oh, the authentication will drive things way too high". I'm just saying that we don't know because the simulations have used very conservative parameters. I have problems with statements from S-BGP-land like - "Networks upgrade their routers every 2 years" (paraphrase) Not the last 2 or the next 1. "Router CPUs average 50%, and S-BG adds 10%" (paraphrase) Average is somewhat less relevant than common peaks. GSRs and 7500s and 7200s all get up there at 90+% on the real Internet. And with the assumption that people will be willing to front their big iron with offboard routing CPU boxes. I just don't see these things happening. And even if they could/would, I think S-BGP needs more paranoid simulation/attack/analysis before it in particular could be the grand fix. I like the idea of people being able to START on the authentication datbase of ownership/announcement in a distributed fashion, but perhaps there are other ways (perhaps DNS-based) of getting there as well... : My opinion is that lazy operational practices are the single biggest threat to : the Internet. What's the point of building security and robustness into a system : when people choose not to turn it on? Agreed on point 1! Not on point 2... It is still worth considering what security and robustness one can build in, esp. those things that allow you to do something even if the rest of the 'net doesn't... Avi
Thank you very much, but no. DNS (and DNSSEC) relies on working IP transport for its operation. Now you effectively propose to make routing (and so operation of IP transport) dependent on DNS(SEC). Am I the only one who sees the problem? --vadim PS. The only sane method for routing info validation I've seen so far is the plain old public-key crypto signatures. On 1 Mar 2003, Paul Vixie wrote:
It wouldn't be too hard for me to trust:
4969.24.origin.0.254.200.10.in-addr.arpa returning something like "true." to check whether 4969 is allowed to originaate 10.200.254.0/24. ...
at last, an application for dnssec!
On Fri, 28 Feb 2003, Vadim Antonov wrote:
Thank you very much, but no.
DNS (and DNSSEC) relies on working IP transport for its operation.
Doesn't sBGP also have this problem? A catch-22 where you have to have good routing to get good routing? Or did I miss something?
Now you effectively propose to make routing (and so operation of IP transport) dependent on DNS(SEC).
Am I the only one who sees the problem?
--vadim
PS. The only sane method for routing info validation I've seen so far is the plain old public-key crypto signatures.
On 1 Mar 2003, Paul Vixie wrote:
It wouldn't be too hard for me to trust:
4969.24.origin.0.254.200.10.in-addr.arpa returning something like "true." to check whether 4969 is allowed to originaate 10.200.254.0/24. ...
at last, an application for dnssec!
It wouldn't be too hard for me to trust:
4969.24.origin.0.254.200.10.in-addr.arpa returning something like "true." to check whether 4969 is allowed to originaate 10.200.254.0/24. ...
at last, an application for dnssec!
er, thats been one of the objectives for the last eight+ years. --bill
On Sat, 1 Mar 2003, Avi Freedman wrote:
Re: S-BGP in particular, I think that the analysis on S-BGP has been... limited. Ironic for a security protocol that I haven't seen any real analysis of the effect on router CPUs when *under attack*. I am not saying "oh, the authentication will drive things way too high". I'm just saying that we don't know because the simulations have used very conservative parameters.
My two cents: By looking at the packet formats I estimate that the memory requirements for S-BGP are about 4 times those of regular BGP (mind you - just the BGP table, RIB and FIB remain the same). This gets us pretty close to common 32-bit CPU address space limits. For receiving updates: you are expected to check the validity of each hop in each AS path in the global routing table using a public key signature verification. A Pentium-class CPU can do a few thousand of those per second, so that adds several minutes of pure CPU time to the initialization of each full feed. This means crypto hardware. For sending updates: you must include the identity of the receiver in each update (and then sign the update, unless I remember incorrectly). That means sending out updates to a large number of peers (such as on a public internet exchange) becomes a rather expensive operation, even discounting the crypto. However, there is an alternative to S-BGP: soBGP (secure origin BGP, see URL in my sig for links). Unlike S-BGP, soBGP mainly focusses on the origin of a route. At first sight this would make soBGP less secure than S-BGP, but it looks like S-BGP can't protect the entire path under all circumstances anyway. Also, soBGP is a more open protocol, which can easily be extended with additional security checks. And a big plus for soBGP is that unlike S-BGP, where the security information is stored in path attributes (which means you can easily bring down an existing router by sending it S-BGP info, no filtering on unknown attributes AFAIK), this information is exchanged using a new type of message. This makes it possible to offload the security processing to an external box. The problem with fully protecting the path (such as S-BGP wants to do) is that the only way to do this well is to have the source say which paths are good, but this is simply too much information. Without this, it becomes possible for someone who legitimately received the route to propagate it even though the source didn't intend this. Also, giving the source full control makes dynamic rerouting (like 9/11 emergency transit) much, much harder. Obviously we all want routes we know are good, and don't want routes we know are bad. That's wat S-BGP and soBGP can do. But what if we can't determine if routes are good or bad? If you reject the routes you break a lot of connecitvity. If you don't, nobody will bother jumping through all the hoops to make their route authenticity verifiable. I really don't envy the first operator to deploy (S-|so)BGP... -- Iljitsch van Beijnum - http://www.bgpexpert.com/ (updated: Feb 27, 0:40:21)
From: "Avi Freedman"
"Router CPUs average 50%, and S-BG adds 10%" (paraphrase) Average is somewhat less relevant than common peaks. GSRs and 7500s and 7200s all get up there at 90+% on the real Internet.
I agree. I'm have a tricked 7200 managing 3 peers. Normal traffic utilization rate is 30% cpu usage. The BGP scan kicks 90%+ cpu. During DDOS attacks, the hardest part to stabilizing the system is CPU resource management and in particular BGP stability. Often, one peer has to be shut down to maintain stability on the other two. At that point, work can continue to track and block the DDOS. Then all peers can be brought up, but depending on the severity of the attack, cpu can still be cranking 90-96%, but at least stable traffic. Changes to how we do BGP have effects beyond just BGP routing. It also effects other routing and network issues.
And with the assumption that people will be willing to front their big iron with offboard routing CPU boxes.
Offload routing? To where? A server running an OS that can't run 1/2 the life of my router without a reboot? To a port adapter that my router doesn't have room for? Or do I need to call Cisco and say, "Congrats! You finally get to sell me that $140,000 7500 series router I previously couldn't afford and didn't quite need yet." Here's the kicker. I couldn't inject a route that wasn't mine into any of my peers without calling them first and asking permission. My network doesn't gain anything, but I lose alot.
I just don't see these things happening. And even if they could/would, I think S-BGP needs more paranoid simulation/attack/analysis before it in particular could be the grand fix.
I agree. Deployment would also be long in coming. I may run an all Cisco network, but I don't run any code past 12.0, and when possible, GD releases only. From deployment of the finalized protocol, I'd expect a 3-5 year wait (probably longer) before the protocol reaches a Cisco GD maturity level. -Jack
participants (7)
-
Avi Freedman
-
bmanning@karoshi.com
-
Christopher L. Morrow
-
Iljitsch van Beijnum
-
Jack Bates
-
Paul Vixie
-
Vadim Antonov