Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Steven J. Sobol

On Tue, 22 Nov 2005, Randy Bush wrote:

> > the idea is that the *end-user* is supposed to know what's legit
> > and what isn't.
> 
> no.  all asn admins, including tier 1 through tier 42 and leaf
> asns.  

Bah. Forgive my stupidity, please. We got into the discussion of PKI and
PGP-style trust models and I failed to remember the TLA in the subject.
You're right, my comment doesn't apply to BGP (at least not for most 
end-users I know).
 
-- 
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307




Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Randy Bush

> the idea is that the *end-user* is supposed to know what's legit
> and what isn't.

no.  all asn admins, including tier 1 through tier 42 and leaf
asns.  

users are not involved in routing, except of course when the
ivtf is desperate to shim up v6.

randy



Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Bill Woodcock

  On Tue, 22 Nov 2005, william(at)elan.net wrote:
> I also seem to remember Bill Woodcock suggesting this at some ARIN
> meeting in 2001 or 2002. If I recall he proposed that this be somewhat
> like a document trust with no operations (beyond providing NS service)
> and when somebody needs a service the ip block would have to be moved
> to regional RIR.

Right.  The idea was to lock down things which were in the legacy space, 
unless people were prepared to undergo the full scrutiny of having them 
transferred into an RIR (basically dampen the rash of hijackings), give 
ARIN a clear way around the free-services-to-legacy-holders issue, and 
give legacy holders a way around the threat-of-ARIN-trying-to-charge-
them issue.  Seemed like a good idea to a lot of ARIN folks at the time, 
and it was starting to get some headway, when the RIPE and APNIC folks 
realized that it would deprive them of the future possibility of reclaiming 
legacy space, which they promptly nabbed using the extraordinarily 
ill-considered ERX policy, which just took the problem and multiplied it 
by five.  Basically irreversibly.

So as nice an idea as it was, I'm not sure it has legs in this post-ERX 
world.

-Bill



Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread william(at)elan.net



On Tue, 22 Nov 2005, Randy Bush wrote:


> [ before you say it, i have suggested that a pseudo-rir be created
>   for legacy asns and prefixes ]

I also seem to remember Bill Woodcock suggesting this at some ARIN
meeting in 2001 or 2002. If I recall he proposed that this be somewhat 
like a document trust with no operations (beyond providing NS service)
and when somebody needs a service the ip block would have to be moved
to regional RIR.

If your proposal for separate legacy RIR is different, then you need
to have a model on how it would be run and how its operations would
be financed (especially security procedures associated with assigning 
certs, etc).


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


RE: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread william(at)elan.net



On Tue, 22 Nov 2005, Bora Akyol wrote:


> > Furthermore, given that a trust algebra may yield a trust
> > value, rather than a simple 0/1, is it reasonable to use that
> > assessment as a BGP preference selector?  That would tie the
> > security very deeply -- too deeply? -- into BGP's guts.
>
> If you take the web of trust model,
> I think a security value can be assigned to announced information based
> on a couple variables:
>
> 1) Distance from an absolute trusted authority.

Who is your absolute trusted authority? May this role possibly be
filled by whoever allocates ip addresses to everyone?

> 2) The feedback rating of the announcer (like Ebay ;-)

Why am I suddenly feeling like some parts of the internet are "better" 
than others (and that I'll even be able to tell which ones to some 
absolute value)? I wonder how quickly this would lead to fragmentation
of the net

> 3) A statically configured metric based on a field match with a set of
> extracted fields from the ID presented by the announcer.

Did you mean to say a filter based announcer BGP communities?

> Or a combination of both.
>
> I think this was discussed in detail in the pre-formation stages of the
> BGP Sec. Req. document.

And it's not in the produced requirements document as far as I can see.

> I also remember reading about a paper on a PGP like trust mesh with
> variable trust values assigned based on distance etc, but I can't recall 
> the authors.

Web of trust metrics for PGP have been discussed in several papers (don't 
think it was ever for BGP). One of the problems is that it requires some 
central server that has access to list to all relationships and is able to 
quickly calculate trust metric from you to somebody else. Reliance on such 
central service can be a bit of a problem i.e. a single central point for 
attack, etc. (This is not to say that RIR signed do not present some similar 
issues as they would have to distribute revocation data, but those can go 
as CRLs and are not necessarily queried for every path calculation like it 
would be with central server).

You can also just distribute all the relationship certs but then amount
of data you have to distribute is going to be huge and each end-node
would have to calculate the metrics (which calculation is going to be on
the order of trying to use Dijkstra SPF with 50,000+ nodes in single OSPF 
area - never tried anything close but I don't think such network would 
converge quickly) whereas single server can at least cache the previous 
results although I think the problem would still be there (it can work at 
least it appears to be possible with PGP).


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
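
The "distance from a trusted authority" metric debated in this message, computed locally by one verifier over a distributed set of cross-signing certs, as an added example that is not part of the original post. The confidence weights, the per-hop decay, the "RIR" root label and the 645xx ring are constructed assumptions, and no actual signature verification is performed.

```python
import heapq
import itertools

# Constructed sample data: (signer, subject, confidence this verifier assigns
# to the signature, 0 < c <= 1). ASNs 701, 702, 1239, 2914 and 666 are the
# ones named in the thread; "RIR" stands for a registry-run root; the 645xx
# ring is a made-up loop of ASes that only vouch for each other.
SIGNATURES = [
    ("RIR", 666, 0.9),
    (2914, 1239, 0.9), (1239, 2914, 0.9), (1239, 701, 0.9),
    (701, 702, 1.0),                     # the "absolute trust" case
    (701, 666, 0.8), (1239, 666, 0.8),
    (64512, 64513, 1.0), (64513, 64514, 1.0), (64514, 64512, 1.0),
]


def trust_values(signatures, anchors, per_hop_decay=0.9):
    """Return {node: (trust, hops)} for every cert reachable from an anchor.

    The trust of a chain is the product of its edge confidences times
    per_hop_decay for each hop. Every factor is <= 1, so a Dijkstra-style
    search that always expands the most trusted node finds the best chain,
    and walking around a cycle can never raise a value.
    """
    graph = {}
    for signer, subject, conf in signatures:
        if not 0 < conf <= 1:
            raise ValueError(f"confidence out of range: {conf!r}")
        graph.setdefault(signer, []).append((subject, conf * per_hop_decay))

    tie = itertools.count()              # keeps heap from comparing node names
    heap = [(-1.0, next(tie), anchor, 0) for anchor in anchors]
    heapq.heapify(heap)
    done = {}
    while heap:
        neg_trust, _, node, hops = heapq.heappop(heap)
        if node in done:                 # already settled with a better chain
            continue
        done[node] = (-neg_trust, hops)
        for subject, factor in graph.get(node, []):
            if subject not in done:
                heapq.heappush(
                    heap, (neg_trust * factor, next(tie), subject, hops + 1))
    return done


def trust_of(cert, signatures, anchors, per_hop_decay=0.9):
    """Trust value for one cert; 0.0 when no chain from an anchor exists."""
    return trust_values(signatures, anchors, per_hop_decay).get(cert, (0.0, 0))[0]


if __name__ == "__main__":
    views = {"registry root": {"RIR"}, "own upstreams": {1239, 2914}}
    for name, anchors in views.items():
        print(name)
        for cert in (666, 702, 64513):
            print(f"  AS{cert}: {trust_of(cert, SIGNATURES, anchors):.3f}")
```

The mutually vouching ring scores 0.0 under either anchor set because nothing the verifier trusts signs into it, and the same cert for AS666 scores differently depending on which anchors the verifier starts from.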


Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Steven J. Sobol


Randy:

> >for how many years have i been asking you and your evil-minded cert
> >designing friends for a pgp-like web of trust cert that could be
> >used for just this application?
> >

Steven B:
 
> of subsidiaries or allied evil ASs vouching for each other.  OTOH, 
> there are some situations where we know that absolute trust is 
> indicated -- say, 701 signing 702's certificate, or an upstream signing 
> the address certificate for a customer.

Well, there's the rub. You know who runs AS701 and AS702. Presumably most 
of us do (although I don't know who runs 702 off the top of my head. 701 
is UUNET/MCI, no? I don't do BGP).

I like the web 'o' trust idea, but the idea is that the *end-user* is 
supposed to know what's legit and what isn't. In most cases, we're not the 
end-users.

-- 
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307




RE: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Bora Akyol

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Steven M. Bellovin
> Sent: Tuesday, November 22, 2005 12:54 PM
> To: Randy Bush
> Cc: [EMAIL PROTECTED]
> Subject: Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
>

<..>

> Furthermore, given that a trust algebra may yield a trust 
> value, rather than a simple 0/1, is it reasonable to use that 
> assessment as a BGP preference selector?  That would tie the 
> security very deeply -- too deeply? -- into BGP's guts.

If you take the web of trust model, I think a security value can be
assigned to announced information based on a couple variables:

1) Distance from an absolute trusted authority.
2) The feedback rating of the announcer (like Ebay ;-)
3) A statically configured metric based on a field match with a set of
extracted fields from the ID presented by the announcer.

Or a combination of both.

I think this was discussed in detail in the pre-formation stages of the
BGP Sec. Req. document.

I also remember reading about a paper on a PGP like trust mesh with
variable trust values assigned based on distance etc, but I can't recall
the authors.

All in all, this is not totally different from Viterbi decoding of
digital signals in the presence of noise in the way the trust values
would be constructed.




Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Randy Bush

[ you know all this, but i think it is worth going through the
  exercise ]

> That said, I think the problem is that we need an algebra of trust
> that will let a program, not a human, decide whether or not to trust a
> certificate.  You don't want to accept something if it's a twisty loop
> of subsidiaries or allied evil ASs vouching for each other.  OTOH,
> there are some situations where we know that absolute trust is
> indicated -- say, 701 signing 702's certificate, or an upstream
> signing the address certificate for a customer.

> And it's not just honesty, it's competence you're assessing -- we've
> all seen problems when major ISPs didn't get their filters
> straight.

not exactly.  there are two trusts here.  i have to accept that
asns as incompetent at configuration as i are attesting to prefixes
and paths or i won't be able to get to a large part of the net.

but this is orthogonal to my trust in their competence to attest to
the identity of other asns by cross-signing others' certs.  i could
have a business relationship with an asn whose routing competence i
question.

the bottom line is which would i trust more in the latter sense, an
asn cert signed by an external hierarchy or a cert signed by one or
more of 70x, 1239, 2914, ...?

it seems more natural if the identity trust is congruent with the
trust of business relationships.  a similar reason for my preferring
sbgp-like architectures, the attestation model is congruent with
the routing model.

it turns out most folk have a business relationship with an rir.
but some don't, e.g. jis.  and those who do not have become very
worried about their ability to route on the internet being at the
mercy of organizations some of which have specifically said that
legacy cert renewal would be tied directly to the isp or entity
paying the rir as if they had gotten the legacy address space from
the rir (i think i have sensed some backing off from this rather
extreme position).  but the point is that some folk are not happy
with their identity being controlled by an external party with no
skin in the game with whom they would otherwise have no
relationship.

[ before you say it, i have suggested that a pseudo-rir be created
  for legacy asns and prefixes ]

in particular, i have a business relationship with 1239 and 2914,
but no business relationship with ripe.  should i trust ripe's
signing the identity of anja's asn more or less than 666 signing it
and 666's identity being attested to by 1239 and 701, the latter
likely being cross-signed by 1239 and 2914?

> Furthermore, given that a trust algebra may yield a trust value,
> rather than a simple 0/1, is it reasonable to use that assessment
> as a BGP preference selector?  That would tie the security very
> deeply -- too deeply? -- into BGP's guts.

i am aware of other research proposals where routing trust is
ordinal or even real depending on various distances.

randy



Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Randy Bush writes:
>>>> I believe a web of trust can be operationally feasible only if the web
>>>> is more like a forest - if there are several well known examples of
>>>> "tops" to the web.  Otherwise, you have to be storing a plethora of
>>>> different signers' certificates to be able to validate all the
>>>> institution's certificates that come in.
>>>
>>> you need those certs to verify the live data anyway
>>> 
>> Right.  The real issue is the trust determination -- how do you know 
>> that the certificate corresponds to something resembling reality 
>> (whatever that is)?
>
>for how many years have i been asking you and your evil-minded cert
>designing friends for a pgp-like web of trust cert that could be
>used for just this application?
>

Actually, I don't do certs; it's my evil-minded friends...

That said, I think the problem is that we need an algebra of trust that 
will let a program, not a human, decide whether or not to trust a 
certificate.  You don't want to accept something if it's a twisty loop 
of subsidiaries or allied evil ASs vouching for each other.  OTOH, 
there are some situations where we know that absolute trust is 
indicated -- say, 701 signing 702's certificate, or an upstream signing 
the address certificate for a customer.  And it's not just honesty, 
it's competence you're assessing -- we've all seen problems when major 
ISPs didn't get their filters straight.

Furthermore, given that a trust algebra may yield a trust value, rather 
than a simple 0/1, is it reasonable to use that assessment as a BGP 
preference selector?  That would tie the security very deeply -- too 
deeply? -- into BGP's guts.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Randy Bush

>>> I believe a web of trust can be operationally feasible only if the web
>>> is more like a forest - if there are several well known examples of
>>> "tops" to the web.  Otherwise, you have to be storing a plethora of
>>> different signers' certificates to be able to validate all the
>>> institution's certificates that come in.
>>
>> you need those certs to verify the live data anyway
>> 
> Right.  The real issue is the trust determination -- how do you know 
> that the certificate corresponds to something resembling reality 
> (whatever that is)?

for how many years have i been asking you and your evil-minded cert
designing friends for a pgp-like web of trust cert that could be
used for just this application?

randy



Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Sandy Murphy

>Otherwise, you have to be storing a plethora of
>> different signers' certificates to be able to validate all the
>> institution's certificates that come in.
>
>you need those certs to verify the live data anyway

Yes, the reason why you want to validate the institution's certificates
is so you can verify the data signed with that cert (signed with the private
key associated with the public key in the cert, to be explicit).

--Sandy


Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Randy Bush writes:
>
>> I believe a web of trust can be operationally feasible only if the web
>> is more like a forest - if there are several well known examples of
>> "tops" to the web.  Otherwise, you have to be storing a plethora of
>> different signers' certificates to be able to validate all the
>> institution's certificates that come in.
>
>you need those certs to verify the live data anyway
>
Right.  The real issue is the trust determination -- how do you know 
that the certificate corresponds to something resembling reality 
(whatever that is)?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Randy Bush

> I believe a web of trust can be operationally feasible only if the web
> is more like a forest - if there are several well known examples of
> "tops" to the web.  Otherwise, you have to be storing a plethora of
> different signers' certificates to be able to validate all the
> institution's certificates that come in.

you need those certs to verify the live data anyway

randy



Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

2005-11-22 Thread Sandy Murphy

>Hierarchical relationships breed "reptiles" because of the inherent
>asymmetric business relationship that results.
>...
>Frankly, I am quite impressed with the address registries.

How would you feel about having the registries serve as the root of
a hierarchical certificate system?

>So an institution would have its "certificate" signed
>by its upstream (or one of its upstream) providers.

How is this relationship not a hierarchical, asymmetric business
relationship?

What happens in this paradigm in de-peering situations?  Are
you intending to exclude peering relationships from this web
of trust?

>The providers could cross-certificate to build a "root free" (as in
>"default free" zone) mesh (aka "Web of Trust.").

I believe a web of trust can be operationally feasible only if the web
is more like a forest - if there are several well known examples of
"tops" to the web.  Otherwise, you have to be storing a plethora of
different signers' certificates to be able to validate all the
institution's certificates that come in.  After all, there are
thousands of different providers out there.  If every bgp speaker uses
a different certificate in signing updates to provider A than in
signing updates to provider B, then the validation can be quite
complex.

Any trust relationship model would have to deal with
(a) Provider independent space
(b) Multi-homed organizations, with and without AS's
(c) Organizations that are mobile - they might change their attachment
point frequently or abruptly.

Authorities exist for some number resources - e.g., those registries
hand out addresses - should that be validated by the web of trust?
(The authority says the address is allocated to A but I've got an
update showing the address originating from B validated by my best
peer's three best peers' peers)  (Sometimes authorities are needed
- if you were buying a car from Joe Doe, would you prefer a title
signed by the DMV or the testimony of your favorite body shops
that Joe Doe has been their customer for this car for awhile now.)
That authority extends downward through sub-allocations in a tree,
not a mesh.  (But the web of trust might be useful for those current
special cases that don't devolve from the existing registries, aka
legacy space, until that situation can be fixed.)


--Sandy


Re: route-views.routeviews.org down?

2005-11-22 Thread David Meyer
>> bummer that.  data not being collected.  one weeps to think of
>> all those announcements lost forever.
>>
>> is a data gap like a mineshaft gap?


Just to be clear: 

The box that hung was route-views.routeviews.org. We
collect 'sh ip bgp' RIBs from this box on 2 hour
intervals. So (sadly) there will be a few holes in that
data set. However, the MRT format RIB and UPDATE data
sets are collected on other boxes, and as a result were
not affected by this outage.  

Please let me know if you have other questions or
comments, and again, sorry about the outage. We'll try to
tighten up our monitoring/coverage so that we don't get a
prolonged outage again. 

Thanks,

Dave
 
 




Re: route-views.routeviews.org down?

2005-11-22 Thread David Meyer
On Tue, Nov 22, 2005 at 10:16:11AM +0200, Hank Nussbacher wrote:
> 
> I am unable to telnet or ping route-views.routeviews.org.  No event listed 
> at http://www.routeviews.org/update.html
> 
> Is it just me?

Sorry folks, we've been having a memory fragmentation
problem. Should be back RSN.

Thanks for the report.

Dave




Box with (H)VPLS hub+spoke (martini EoMPLS) support in the market?

2005-11-22 Thread Saku Ytti

Hey,

Could someone please point out to me if there are already boxes that support
acting as (H)VPLS hubs for Martini EoMPLS spokes, with VLAN rewrite?

Hopefully this helps more than hurts:

L2_cust--L2--PE1---EoMPLS-+
                          |
L2_cust--L2--PE2---EoMPLS---PE4-L2-L3_Cust_Router
                          |
L2_cust--L2--PE3---EoMPLS-+


PE4 would be running (H)VPLS aggregating the EoMPLS + native L2 to single
broadcast domain. L2_custs would need to take round-trip via L3_Cust_Router
to reach each other (so local-proxy-arp). PE1-PE3 would be running
plain old martini EoMPLS without any MAC knowledge, they could be
running on different VLAN, which PE4 would then rewrite.

Is there any box in market doing this yet? My top runners would be
Timetra (now alcatel) and Riverstone 15[12]00.

Thanks,
-- 
  ++ytti


RE: route-views.routeviews.org down?

2005-11-22 Thread Randy Bush

thanks!

> gin-ldn-core1>sh ip b s | i 6447
> 128.223.60.102  4  6447  126140 15302644 13717324100 6w0d 0
> 128.223.60.103  4  6447  233238 16068732 000 01:03:48 Active

bummer that.  data not being collected.  one weeps to think of
all those announcements lost forever.

is a data gap like a mineshaft gap?

randy



RE: route-views.routeviews.org down?

2005-11-22 Thread Michael Hallgren



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Randy Bush
> Sent: Tuesday, November 22, 2005 09:35
> To: Edward W. Ray
> Cc: [EMAIL PROTECTED]
> Subject: RE: route-views.routeviews.org down?
> 
> 
> > 15    55 ms    55 ms    55 ms  www.routeviews.org [128.223.61.18]
> 
> he did not mean the web server.  try route views,
> 
>route-views.oregon-ix.net  128.223.60.103
> 
> as i peer with rv2 and not rv, i can not tell you how bgp 
> sessions are.  could some noc which peers with rv please 
> check and report.
> 
> and i tried some relevant mobile phones.  no go.

I (AS6453) see:

gin-ldn-core1>sh ip b s | i 6447
128.223.60.102  4  6447  126140 15302644 13717324100 6w0d 0
128.223.60.103  4  6447  233238 16068732000 01:03:48 Active
gin-ldn-core1>


mh

> 
> randy
> 
> 
> 





RE: route-views.routeviews.org down?

2005-11-22 Thread Randy Bush

> 15    55 ms    55 ms    55 ms  www.routeviews.org [128.223.61.18]

he did not mean the web server.  try route views,

   route-views.oregon-ix.net  128.223.60.103

as i peer with rv2 and not rv, i can not tell you how bgp
sessions are.  could some noc which peers with rv please
check and report.

and i tried some relevant mobile phones.  no go.

randy



RE: route-views.routeviews.org down?

2005-11-22 Thread Edward W. Ray

No problem here

  7    54 ms    53 ms    52 ms  as-0-0.mp1.Seattle1.Level3.net [209.247.10.137]
  8    51 ms    51 ms    51 ms  ge-10-1.hsa2.Seattle1.Level3.net [4.68.105.71]
  9    51 ms    56 ms    57 ms  unknown.Level3.net [63.211.200.246]
 10    42 ms    40 ms    41 ms  ptck-core2-gw.nero.net [207.98.64.138]
 11    64 ms    56 ms    59 ms  eugn-core2-gw.nero.net [207.98.64.1]
 12    54 ms    54 ms    55 ms  eugn-car1-gw.nero.net [207.98.64.165]
 13    58 ms    60 ms    58 ms  uonet8-gw.nero.net [207.98.64.66]
 14    60 ms    61 ms    57 ms  ge-5-1.uonet1-gw.uoregon.edu [128.223.2.1]
 15    55 ms    55 ms    55 ms  www.routeviews.org [128.223.61.18]

-Ed



Re: route-views.routeviews.org down?

2005-11-22 Thread Randy Bush

> Is it just me?

no, but i can get to rv2

randy



route-views.routeviews.org down?

2005-11-22 Thread Hank Nussbacher


I am unable to telnet or ping route-views.routeviews.org.  No event listed 
at http://www.routeviews.org/update.html


Is it just me?

-Hank