Your analysis assumes that there is a conventional BGP-4 AS_PATH field
and then there is BGPSEC_Path_Signatures from which AS path info
can be inferred separately. This is not true in the latest BGPSEC
update format as Matt presented it in Paris.
How an optional attribute replace well-known
[sidr-boun...@ietf.org] On Behalf Of Andrew Chi
[a...@bbn.com]
Sent: Friday, April 06, 2012 3:21 PM
To: Murphy, Sandra
Cc: sidr wg list
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening
lengthening
On 4/6/2012 2:10 PM
an honest question seeking people's opinion.
Sriram
-Original Message-
From: sidr-boun...@ietf.org [mailto:sidr-boun...@ietf.org] On Behalf Of Robert
Raszuk
Sent: Monday, April 09, 2012 3:19 AM
To: sidr@ietf.org
Cc: i...@ietf.org List
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02
At 3:04 PM +0200 3/29/12, Shane Amante wrote:
Steve,
Thanks for the response. First, a high-level comment before more
specific responses below.
Shane, sorry to be so late in replying. I think you and Andrew have
already discussed a number of the issues you raised below, so I'll
just
At 9:46 AM -0400 3/29/12, Jakob Heitz wrote:
Let's just require that BGPSEC capable routers
also support 4 byte AS. Then we don't need to worry
about AS4_PATH.
--
Jakob Heitz.
This is already a requirement. See the BGPSEC protocol spec, page 4:
By indicating support for receiving BGPSEC
On 3/29/2012 9:04 AM, Shane Amante wrote:
Regardless, I think
that it's best to acknowledge, in this draft, that there is a threat of
DoS to the availability of the BGP control plane
Maybe I'm missing something.
Intermediate routers or MITM entities can always drop updates. If
BGPSEC is
On Apr 6, 2012, at 8:26 AM, Andrew Chi wrote:
On 3/29/2012 9:04 AM, Shane Amante wrote:
Regardless, I think
that it's best to acknowledge, in this draft, that there is a threat of
DoS to the availability of the BGP control plane
Maybe I'm missing something.
Intermediate routers or MITM
On 4/6/2012 11:21 AM, Shane Amante wrote:
a) BGP performs loop detection on the AS_PATH attribute *before* verifying any
BGPSEC_Path_Signature, in which case you drop the UPDATE, thus causing a DoS
because you're not propagating what *may* be legitimate reachability info
further downstream.
On Apr 6, 2012, at 10:20 AM, Andrew Chi wrote:
On 4/6/2012 11:21 AM, Shane Amante wrote:
a) BGP performs loop detection on the AS_PATH attribute *before* verifying
any BGPSEC_Path_Signature, in which case you drop the UPDATE, thus causing a
DoS because you're not propagating what *may* be
...@castlepoint.net]
Sent: Friday, April 06, 2012 1:02 PM
To: Andrew Chi
Cc: sidr wg list
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening
lengthening
On Apr 6, 2012, at 10:20 AM, Andrew Chi wrote:
On 4/6/2012 11:21 AM, Shane Amante wrote:
a) BGP performs loop
On 4/6/2012 2:10 PM, Murphy, Sandra wrote:
So where's the dos attack?
(Do note that the bgpsec signatures would detect this at the first point that
checked the signatures, so your neighbor would have spotted the injection -
unless it was the source of the injection.)
So I think I finally
Oops: s/BGPSEC_Path_Signature/BGPSEC_Path_Signatures/
___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
Shane,
To expand on my comments at the mic earlier today on this draft, I
think there is universal acknowledgment that there should be
statements that attacks involving path shortening should be
acknowledged as a threat in this document.
Section 4.2, near the top of page 12, addresses this
Steve,
Thanks for the response. First, a high-level comment before more specific
responses below.
The challenge I'm having is trying to reconcile threats against the existing
AS4_PATH attribute vs. threats against the BGP_Path_Signature attribute. More
specifically, the AS4_PATH attribute
To expand on my comments at the mic earlier today on this draft, I think there
is universal acknowledgment that there should be statements that attacks
involving path shortening should be acknowledged as a threat in this document.
OTOH, with respect to path-lengthening, my comment was NOT aimed