On Nov 13, 2016, at 1:40 AM, Alvaro Retana (aretana) <aret...@cisco.com> wrote:
> C1. The reference to rfc7607 should be Informative.

Done (in -10 candidate source).
 
> C2. [Major] Security Considerations.  I think that there is one consideration 
> that should be mentioned in this section:  Given that the largest value is 
> preferred (2 = invalid), there is an attack vector where a router in the path 
> (yes, even an internal router) can inject a community indicating that the 
> route is invalid; the communities are not protected.  This action could 
> result in inconsistent routing or in even a DoS.  I know the document is not 
> explicit about what to do with the validation state (which is ok), but the 
> clear intention (from rfc6811 and rfc7115) is that it will be used to make 
> routing decisions.  Please add some text about this potential issue.

I started to write something about this and then realized I don't understand 
what you mean. At first I thought you were saying that an attacker that can 
forge an OV community can bias route selection. While this is true of course, 
it's also not unique to OV (Localpref has this property for example). It 
probably wouldn't be hard to write a sentence to summarize this, if necessary. 

However, you specifically refer to the invalid state: "a router in the path ... 
can inject a community indicating that the route is invalid". This makes me 
think you think there's something special about "invalid", and I don't know 
what it is. You also say something about the sorting order, which I'm also not 
sure why that would matter.

As far as I can tell, injecting "a community indicating that the route is 
invalid" is kind of boring attack -- it just makes the route less likely to be 
selected by the downstream router. The "bad" router could also just fail to 
propagate the route at all ("underclaiming") making it flat-out impossible for 
the downstream to select it, or could use any number of other path attribute 
manipulations (Localpref, AS path, etc) to make the route less preferable. Are 
you suggesting there is some fancier attack than this, or are you just asking 
us to acknowledge BGP doesn't work very well in the face of an on-path attacker?

By all means, if anyone has text to send, do.

Thanks,

--John
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

Reply via email to