> > C2. [Major] Security Considerations. I think that there is one
> > consideration that should be mentioned in this section: Given that the
> > largest value is preferred (2 = invalid), there is an attack vector where a
> > router in the path (yes, even an internal router) can inject a community
> > indicating that the route is invalid; the communities are not protected.
> > This action could result in inconsistent routing or in even a DoS. I know
> > the document is not explicit about what to do with the validation state
> > (which is ok), but the clear intention (from rfc6811 and rfc7115) is that
> > it will be used to make routing decisions. Please add some text about this
> > potential issue.
>
> I started to write something about this and then realized I don't understand
> what you mean. At first I thought you were saying that an attacker that can
> forge an OV community can bias route selection. While this is true of course,
> it's also not unique to OV (Localpref has this property for example). It
> probably wouldn't be hard to write a sentence to summarize this, if
> necessary.
>
> However, you specifically refer to the invalid state: "a router in the path
> ... can inject a community indicating that the route is invalid". This makes
> me think you think there's something special about "invalid", and I don't
> know what it is. You also say something about the sorting order, which I'm
> also not sure why that would matter.
>
> As far as I can tell, injecting "a community indicating that the route is
> invalid" is kind of boring attack -- it just makes the route less likely to
> be selected by the downstream router. The "bad" router could also just fail
> to propagate the route at all ("underclaiming") making it flat-out impossible
> for the downstream to select it, or could use any number of other path
> attribute manipulations (Localpref, AS path, etc) to make the route less
> preferable. Are you suggesting there is some fancier attack than this, or are
> you just asking us to acknowledge BGP doesn't work very well in the face of
> an on-path attacker?
>
> By all means, if anyone has text to send, do.
you have out-sourced your security. the party to which you have out-
sourced it can send you anything. get over it.
as the OV signaling is vanilla bgp, there is no integrity enforcement,
not even a useless checksum; any monkey in the middle can fake anything.
get over it.
none of this is new. you'll really love the wonderful new blackhole
community.
randy
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
