- Forwarded message from [EMAIL PROTECTED] -
Date: Mon, 4 Jun 2007 18:58:26 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: NIST Special Publication 800-54 Draft - BGP Security
I made an announcement today during the ISP Security session (at NANOG40)
about the release
After reading this thread well after it has ended...why does it seem
that a lot of folks equate "trust" with "paying money?"
Trust isn't about who can pay what but maintaining a system that
conveys trust does *cost* money.
The RIRs are not-for-profit themselves. That doesn't mean
service-
[EMAIL PROTECTED] wrote:
It's hard to imagine an organization who can afford to run
a network using BGP to announce a class C block and not
be able to afford $1250 per year.
The Internet != for-profit-only corporate netspace.
In that case, the organization is not an ISP which
means that they
> > It's hard to imagine an organization who can afford to run
> > a network using BGP to announce a class C block and not
> > be able to afford $1250 per year.
>
> The Internet != for-profit-only corporate netspace.
In that case, the organization is not an ISP which
means that they are not grow
On Tue, 29 Nov 2005, [EMAIL PROTECTED] wrote:
> It's hard to imagine an organization who can afford to run
> a network using BGP to announce a class C block and not
> be able to afford $1250 per year.
The Internet != for-profit-only corporate netspace.
US$1250 may be little more than a urinal m
On 29-Nov-2005, at 12:16, David Barak wrote:
> Maybe my imagination just isn't good enough: could you
> toss me an example-type of organization where that
> would be problematic?
If we consider non-operators e.g. medium sized commercial or NGOs ...
APNIC have a mechanism in-place, but most of t
OTECTED]
Betreff: Re: BGP Security and PKI Hierarchies
On 29-Nov-2005, at 12:16, David Barak wrote:
> Maybe my imagination just isn't good enough: could you
> toss me an example-type of organization where that
> would be problematic?
Oh, my mistake -- you're talking about ne
On 29-Nov-2005, at 12:16, David Barak wrote:
Maybe my imagination just isn't good enough: could you
toss me an example-type of organization where that
would be problematic?
Oh, my mistake -- you're talking about new organisations looking to
acquire PI space. I was talking about organisatio
--- Joe Abley <[EMAIL PROTECTED]> wrote:
> On 29-Nov-2005, at 09:30, David Barak wrote:
> > I have
> > yet to find an organization which is concerned
about
> > getting new PI space which would have a problem
paying
> > that amount per year. They may exist,
>
> They definitely exist.
Okay, I'l
On 29-Nov-2005, at 09:30, David Barak wrote:
I have
yet to find an organization which is concerned about
getting new PI space which would have a problem paying
that amount per year. They may exist,
They definitely exist.
Joe
--- Richard A Steenbergen <[EMAIL PROTECTED]> wrote:
>
> On Tue, Nov 29, 2005 at 10:21:53AM +,
> [EMAIL PROTECTED] wrote:
> >
> > It's hard to imagine an organization who can
> afford to run
> > a network using BGP to announce a class C block
> and not
> > be able to afford $1250 per year
On Tue, Nov 29, 2005 at 10:21:53AM +, [EMAIL PROTECTED] wrote:
>
> It's hard to imagine an organization who can afford to run
> a network using BGP to announce a class C block and not
> be able to afford $1250 per year.
Sounds like a failure of imagination to me.
--
Richard A Steenbergen <
> > >The fees are not charged for past services that were
> > >received for free, only for future services.
>i believe Michael is extrapolating his ideal and
>not the actual practice at RIRs.
Not at all. Past services are anything that was received
for free in the past. Future services a
> >The fees are not charged for past services that were
> >received for free, only for future services.
>
> So you are saying that legacy space holder who signed a memberhsip
> agreement would not owe the usual yearly fee associated with their
> legacy space holdings but only those fees associate
On Mon, 28 Nov 2005, Randy Bush wrote:
proof of identity
S(withRIRkey, AS_A_key, AS_A)
or
S(withwebofttrustkeys, AS_A_key, AS_A)
maybe Randy is saying this is two steps, not an "OR"
S(withRIRkey, someNonRIRidentity, asA)
Good idea. And this "someNonRIRidentity" may actually
> proof of identity
> S(withRIRkey, AS_A_key, AS_A)
> or
> S(withwebofttrustkeys, AS_A_key, AS_A)
> maybe Randy is saying this is two steps, not an "OR"
S(withRIRkey, someNonRIRidentity, asA)
i.e. the rir attests that the entity whose identity is externally
certified has been issued
On Mon, Nov 28, 2005 at 11:48:13AM -0500, Sandy Murphy wrote:
>
> Michael Dillon said:
>
> >The fees are not charged for past services that were
> >received for free, only for future services.
>
> So you are saying that legacy space holder who signed a memberhsip
> agreement would not owe the u
Michael Dillon said:
>The fees are not charged for past services that were
>received for free, only for future services.
So you are saying that legacy space holder who signed a memberhsip
agreement would not owe the usual yearly fee associated with their
legacy space holdings but only those fees
> The/One difficulty is that signing up for this new service,
> for at least one registry, requires that you sign up for the
> same membership relationship as the non-legacy-holders. That
> means you submit to the registry authority over the address
> you were allocated for "free", and obligates
>Regardless of what the legacy space users think, if the
>RIRs decided to sign certificates for use in BGP route
>for a small fee to recover costs, and if those legacy
>space holders wish to make use of this new service (like
>a new version of Windows) then they have to sign up and
>pay the fees.
>I am placing the module to test the
>UPDATE message before the formation of Adj-RIB-out. So that the false /
>malicious information wont go beyond my router
>...
>Would like to know ur views
>about this approach.
I think all the various published approaches have this goal in mind,
so the appr
Of course we could all quickly move to IPv6 and then IPv4 legacy allocations
and related legal challenges wouldn't be an issue any more ... :)
On Mon, 28 Nov 2005 [EMAIL PROTECTED] wrote:
Do you suppose that if a Microsoft salesman had given me a free copy
of Windows back in 1990, I would h
> > Do you suppose that if a Microsoft salesman had given me a free copy
> > of Windows back in 1990, I would have a right to use any version of
> > Windows for free forever?
>
> I don't think this analogy exactly fits. I'm pretty sure that the
legacy
> space holders think of this as: a Microso
In message <[EMAIL PROTECTED]>, Kaustubh Atrawalkar writes:
>
>I am working over BGP security. Trying to guard router itself rather
>than trying to find the attacker. I am placing the module to test the
>UPDATE message before the formation of Adj-RIB-out. So that the f
I am working over BGP security. Trying to guard router itself rather
than trying to find the attacker. I am placing the module to test the
UPDATE message before the formation of Adj-RIB-out. So that the false /
malicious information wont go beyond my router and so that my router and
the next
* Valdis Kletnieks:
> On Thu, 24 Nov 2005 20:26:56 +0100, Florian Weimer said:
>
>> Wouldn't this provide significant economic incentive towards gaining a
>> high value on this metric? I'm not sure if this a good idea because
>> even if you call it a "trust metric", it does not have to correspon
On Thu, 24 Nov 2005 20:26:56 +0100, Florian Weimer said:
> Wouldn't this provide significant economic incentive towards gaining a
> high value on this metric? I'm not sure if this a good idea because
> even if you call it a "trust metric", it does not have to correspond
> to ethical behavior.
Wr
On 25 nov 2005, at 02.07, Sean Donelan wrote:
Although techincal folks may think its just about math,
unfortunately some
people think certificates and signatures mean more than just
mathmatical
formulas. I'm a bit confused why people think network service
providers
will be willing to "ce
Michael Dillon:
> Do you suppose that if a Microsoft salesman had given me a
> free copy of Windows back in 1990, I would have a right to
> use any version of Windows for free forever?
Any version? No. That version, particularly its fixed representation as an
unchanged string of binary digits?
> Do you suppose that if a Microsoft salesman had given me a free copy
> of Windows back in 1990, I would have a right to use any version of
> Windows for free forever?
I don't think this analogy exactly fits. I'm pretty sure that the legacy
space holders think of this as: a Microsoft salesman h
On 24 nov 2005, at 03.54, George Michaelson wrote:
If you want to see member-certificates which gate access to RIR/NIR
specific services common across all registries, I think you want to
get
that onto an RIR meeting agenda Randy.
We currently have no cross-certification activity in member
* Michael Dillon:
>> > How would you feel about having the registries serve as the root of
>> > a hierarchical certificate system?
>>
>> What about the swamp space?
>
> Presumably if the users of class C blocks in the swamp
The class B assignments are even more interesting because some of them
> > How would you feel about having the registries serve as the root of
> > a hierarchical certificate system?
>
> What about the swamp space?
Presumably if the users of class C blocks in the swamp
want to use the certficate services that the registry
provides then the registries would sell that
On Wed, 23 Nov 2005, Steven M. Bellovin wrote:
> I think the problem is both easier and harder than painted. First, you
> need a business agreement that you will accept each others' assertions
> of member identities, aka certificates. Second, you have to agree on a
> common format and meaning fo
* Bill Woodcock:
> Right. The idea was to lock down things which were in the legacy space,
> unless people were prepared to undergo the full scrutiny of having them
> transferred into an RIR (basically dampen the rash of hijackings),
In the end, this boils down to disappropriation. Early add
* Steven M. Bellovin:
> Furthermore, given that a trust algebra may yield a trust value, rather
> than a simple 0/1, is it reasonable to use that assessment as a BGP
> preference selector? That would tie the security very deeply -- too
> deeply? -- into BGP's guts.
Wouldn't this provide sign
* Sandy Murphy:
> How would you feel about having the registries serve as the root of
> a hierarchical certificate system?
What about the swamp space?
>>So an institution would have its "certificate" signed
>>by its upstream (or one of its upstream) providers.
(Don't know where that quote come
>the rir attests to the delegation of the prefix and an asn to the
>identified isp.
>
>the isp signs, using their isp identity to
> o originating from the asn
> o originating that prefix (in sbgp, toward another isp)
Looks to me like:
proof of allocation:
S(withRIRkey, Prefix_p_key, prefix_p)
In message <[EMAIL PROTECTED]>, Randy Bush writes:
>> We need prefix ownership certs; these need a special field identifying the
>> prefix owned. (See RFC 3779, which also describes AS certificates). We
>> need the latter in CA form, for delegation.
>
>sorry to complicate, by iana allocates as r
On Wed, 23 Nov 2005 17:42:21 -1000
Randy Bush <[EMAIL PROTECTED]> wrote:
> > We need prefix ownership certs; these need a special field
> > identifying the prefix owned. (See RFC 3779, which also describes
> > AS certificates). We need the latter in CA form, for delegation.
yes. the resource c
> We need prefix ownership certs; these need a special field identifying the
> prefix owned. (See RFC 3779, which also describes AS certificates). We
> need the latter in CA form, for delegation.
sorry to complicate, by iana allocates as ranges which are then
subbed to rirs. so the ca bit coul
In message <[EMAIL PROTECTED]>, Randy Bush writes:
>
We are discussing how we can do subsidiary certificate services like
this in APNIC but I think this goes outside of routing policy and
into registry business practices which are unlikely to be common
for all RIR and NIR in th
In message <[EMAIL PROTECTED]>, George Michaelson writes
:
>
>On Wed, 23 Nov 2005 17:54:44 -0800 (PST)
>"william(at)elan.net" <[EMAIL PROTECTED]> wrote:
>
>>
>>
>> On Thu, 24 Nov 2005, George Michaelson wrote:
>>
>> > According to what I understand, there have to be two certificates
>> > per en
>>> We are discussing how we can do subsidiary certificate services like
>>> this in APNIC but I think this goes outside of routing policy and
>>> into registry business practices which are unlikely to be common
>>> for all RIR and NIR in the ways that resource certificates *have*
>>> to be.
>>
>
On Wed, 23 Nov 2005 16:39:11 -1000
Randy Bush <[EMAIL PROTECTED]> wrote:
> >> [0] - i'll want the business cert to have the ca bit if i am
> >> large enough to have internal authorization process, and
> >> thus want to create and manage different certs for dns,
> >> billing, ...
>> [0] - i'll want the business cert to have the ca bit if i am
>> large enough to have internal authorization process, and
>> thus want to create and manage different certs for dns,
>> billing, ...
>
> We are discussing how we can do subsidiary certificate services like
> this
On Wed, 23 Nov 2005 16:03:35 -1000
Randy Bush <[EMAIL PROTECTED]> wrote:
> > According to what I understand, there have to be two certificates
> > per entity:
> >
> > one is the CA-bit enabled certificate, used to sign
> > subsidiary certificates about resources being given to other people
>
> According to what I understand, there have to be two certificates per
> entity:
>
> one is the CA-bit enabled certificate, used to sign subsidiary
> certificates about resources being given to other people to use.
>
> the other is a self-signed NON-CA certificate, used to sig
On Wed, 23 Nov 2005 17:54:44 -0800 (PST)
"william(at)elan.net" <[EMAIL PROTECTED]> wrote:
>
>
> On Thu, 24 Nov 2005, George Michaelson wrote:
>
> > According to what I understand, there have to be two certificates
> > per entity:
> >
> > one is the CA-bit enabled certificate, used to sign
On Thu, 24 Nov 2005, George Michaelson wrote:
According to what I understand, there have to be two certificates per
entity:
one is the CA-bit enabled certificate, used to sign subsidiary
certificates about resources being given to other people to use.
the other is a s
In message <[EMAIL PROTECTED]>, George Michaelson writes
:
>
>
>According to what I understand, there have to be two certificates per
>entity:
>
> one is the CA-bit enabled certificate, used to sign subsidiary
> certificates about resources being given to other people to use.
>
>
According to what I understand, there have to be two certificates per
entity:
one is the CA-bit enabled certificate, used to sign subsidiary
certificates about resources being given to other people to use.
the other is a self-signed NON-CA certificate, used to sign
> So when one receives an update, which part is it that you verify with
> the certificate derived from the RIR chain and which part is it that you
> verify with the certificate derived from the web-of-trust? I'm guessing
> the answer in part is that there's a signature attesting to the
> prefix o
>My issue is that if ISPs a) only announce networks that they know
>(for different values of know - but hopefully based on some kind of
>trust in the RIR's data) they are authorized to announce, and b) took
>responsibility for the behavior of the paths or prefixes they
>announce, and the bits tha
>in operation, this means that there could be isp- (or ufo-)centric
>isp identity certification (a la web of trust, for example) which
>could have a very separate cert chain from that of address space
>allocation, which, aside from the legacy issue, could come via the
>rirs.
So when one receives
Rodney Joffe wrote:
As another thought: - Love 'em or hate 'em, the PSTN doesn't have this
problem.
Uh, PSTN does have this problem too. If you are part of SS7 you can totally
fake call origination information. This has been and still is abused for
criminal-malicous activities and 'billin
> My issue is that if ISPs a) only announce networks that they know
> (for different values of know - but hopefully based on some kind of
> trust in the RIR's data) they are authorized to announce, and b) took
> responsibility for the behavior of the paths or prefixes they
> announce, and
On Nov 23, 2005, at 11:09 AM, Randy Bush wrote:
not exactly. there are two trusts here. i have to accept that
asns as incompetent at configuration as i are attesting to prefixes
and paths or i won't be able to get to a large part of the net.
but this is orthogonal to my trust in their compe
>> not exactly. there are two trusts here. i have to accept that
>> asns as incompetent at configuration as i are attesting to prefixes
>> and paths or i won't be able to get to a large part of the net.
>>
>> but this is orthogonal to my trust in their competence to attest to
>> the identity of
On Nov 22, 2005, at 2:59 PM, Randy Bush wrote:
[ you know all this, but i think it is worth going through the
exercise ]
That said, I think the problem is that we need an algebra of trust
that will let a program, not a human, decide whether or not to
trust a
certficate. You don't want
On Tue, 22 Nov 2005, Randy Bush wrote:
> > the idea is that the *end-user* is supposed to know what's legit
> > and what isn't.
>
> no. all asn admins, including tier 1 through tier 42 and leaf
> asns.
Bah. Forgive my stupidity, please. We got into the discussion of PKI and
PGP-style trust m
> the idea is that the *end-user* is supposed to know what's legit
> and what isn't.
no. all asn admins, including tier 1 through tier 42 and leaf
asns.
users are not involved in routing, except of course when the
ivtf is desperate to shim up v6.
randy
On Tue, 22 Nov 2005, william(at)elan.net wrote:
> I also seem to remember Bill Woodcock suggesting this at some ARIN
> meeting in 2001 or 2002. If I recall he proposed that this be somewhat
> like a document trust with no operations (beyond providing NS service)
> and when so
On Tue, 22 Nov 2005, Randy Bush wrote:
[ before you say it, i have suggested that a pseudo-rir be created
for legacy asns and prefixes ]
I also seem to remember Bill Woodcock suggesting this at some ARIN
meeting in 2001 or 2002. If I recall he proposed that this be somewhat
like a document
On Tue, 22 Nov 2005, Bora Akyol wrote:
Furthermore, given that a trust algebra may yield a trust
value, rather than a simple 0/1, is it reasonable to use that
assessment as a BGP preference selector? That would tie the
security very deeply -- too deeply? -- into BGP's guts.
If you take the
Randy:
> >for how many years have i been asking you and your evil-minded cert
> >designing friends for a pgp-like web of trust cert that could be
> >used for just this application?
> >
Steven B:
> of subsidiaries or allied evil ASs vouching for each other. OTOH,
> there are some situations
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Steven M. Bellovin
> Sent: Tuesday, November 22, 2005 12:54 PM
> To: Randy Bush
> Cc: [EMAIL PROTECTED]
> Subject: Re: BGP Security and PKI Hierarchies (w
[ you know all this, but i think it is worth going through the
exercise ]
> That said, I think the problem is that we need an algebra of trust
> that will let a program, not a human, decide whether or not to trust a
> certficate. You don't want to accept something if it's a twisty loop
> of su
In message <[EMAIL PROTECTED]>, Randy Bush writes:
I believe a web of trust can be operationally feasible only if the web
is more like a forest - if there are several well known examples of
"tops" to the web. Otherwise, you have to be storing a plethora of
different signers' c
>>> I believe a web of trust can be operationally feasible only if the web
>>> is more like a forest - if there are several well known examples of
>>> "tops" to the web. Otherwise, you have to be storing a plethora of
>>> different signers' certificates to be able to validate all the
>>> institut
>Otherwise, you have to be storing a plethora of
>> different signers' certificates to be able to validate all the
>> institution's certificates that come in.
>
>you need those certs to verify the live data anyway
Yes, the reason why you want to validate the institution's certificates
is so you c
In message <[EMAIL PROTECTED]>, Randy Bush writes:
>
>> I believe a web of trust can be operationally feasible only if the web
>> is more like a forest - if there are several well known examples of
>> "tops" to the web. Otherwise, you have to be storing a plethora of
>> different signers' certifi
> I believe a web of trust can be operationally feasible only if the web
> is more like a forest - if there are several well known examples of
> "tops" to the web. Otherwise, you have to be storing a plethora of
> different signers' certificates to be able to validate all the
> institution's cert
>Hierarchical relationships breed "reptiles" because of the inherent
>asymmetric business relationship that results.
>...
>Frankly, I am quite impressed with the address registries.
How would you feel about having the registries serve as the root of
a hierarchical certificate system?
>So an inst
Oh, I am quite aware of the BGP RP-Sec work and many people have heard
my opinion on this topic, including some on this mailing list. But I'll
re-iterate.
Hierarchical relationships breed "reptiles" because of the inherent
asymmetric business relationship that results. The "leaves" *must* do
busi
On Mon, 4 Nov 2002, Eric Anderson wrote:
> Time for a new metaphor, methinks.
There's one. Defensive networking :)
--vadim
Yes, but... A protocol in which principal A's misconfiguration can
seriously harm principle B is more broken than one in which it
cannot. That's why the protocol for crossing a busy street includes
"In addition to the light status, look for actual moving vehicles."
That way, you don't get run o
> I didn't say that MD5 would solve the configuration problems, but
> that the fact that just mis-configuration errors can cause lots of
> damage should clue people into the fact that the protocol has
> vulnerabilities to deliberate attack.
Every protocol is vulnerable if the principals are mis-
78 matches
Mail list logo