
Re: IAB statement on the RPKI.

2010-02-16 10:13:32
There are two separate functions in the routing layer. There are
security issues in both cases.

The first function is to map IP address ranges to AS numbers. This is
a global mapping: if an IP address range maps to an AS number in
France, the same mapping will be good in Brazil.

The second function is to establish routing maps for AS numbers,
effectively setting up mappings of the AS numbers to Internet endpoint
networks. This mapping is not global. The best route to London is
going to be very different in France and Brazil.

The upshot is that the first problem maps very cleanly to standard PKI
approaches. You can use X.509 certs with extensions, or you could use
SAML assertions; the statements are global and work very well.


The second problem is a much harder one to address using PKI. It is
quite possible that PKI is not the right tool at all. The problem is
that if A, B and C are exchanging routing information and Mallet
introduces a bogus route to A, the message A then sends to B
advertising a better route will genuinely have come from A.

There are certainly ways round this problem, if indeed it really is a
persistent problem. There are non cryptographic controls already in
place to verify route quality. It may be that these are sufficient. It
may be that we can employ an accountability based approach to pinpoint
the introduction of bogus routes.

On Sun, Feb 14, 2010 at 7:50 PM, Masataka Ohta
<mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:
> SM wrote:
>
>> The most important factor in choosing a security mechanism is the threat
>> model.
>
> Right.
>
>> That is, who may be expected to attack what resource, using what
>> sorts of mechanisms? (RFC 3631).
>
> Perhaps a threat will be an ISP trying to advertise someone
> else's address range as its own.
>
> However, protections against the threat do not prevent the
> ISP from advertising the range as someone else's.
>
> That is, the ISP can attach its own AS number to a legitimate AS
> path for the range. Then the ISP can capture packets destined
> to addresses within the range, against which there is no
> protection.
>
>                                                Masataka Ohta

-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
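The two points argued in this exchange can be made concrete with a small route-origin validation routine. The block below is an added example, not code from the thread or from any RPKI implementation: it encodes the "first function" (the global prefix-to-AS mapping) as ROA-style records, classifies announcements by the RFC 6483 rules (valid / invalid / not-found), and then runs the case Ohta raises, an ISP that prepends its own AS number to a legitimate path. The ROAs, announcements, AS numbers (documentation and private-use ranges) and prefixes (RFC 5737) are all constructed for illustration.

```python
"""Route-origin validation with ROA-style records, and its blind spot.

Added example, not code from the original thread.  The ROA table and the
announcements below are constructed: prefixes are from the RFC 5737
documentation blocks, AS numbers from the documentation and private-use
ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, List, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: prefix -> origin AS, with a maxLength.

    This is the 'global mapping' of the thread: the same statement is
    good in France and in Brazil, so it suits a PKI-issued signed object.
    """
    prefix: Network
    origin_as: int
    max_length: int


@dataclass(frozen=True)
class Announcement:
    prefix: Network
    as_path: List[int]  # leftmost = neighbour that sent it, rightmost = origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def covers(roa: ROA, prefix: Network) -> bool:
    """True if the ROA prefix contains the announced prefix (same family)."""
    return roa.prefix.version == prefix.version and prefix.subnet_of(roa.prefix)


def validate_origin(ann: Announcement, roas: List[ROA]) -> str:
    """RFC 6483 classification of one announcement against a ROA set.

    valid      a covering ROA names the announced origin AS and the
               announced prefix length does not exceed its maxLength
    invalid    at least one ROA covers the prefix but none matches
    not-found  no ROA covers the prefix at all
    Only the rightmost AS of the path is ever looked at.
    """
    covering = [r for r in roas if covers(r, ann.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == ann.origin_as and ann.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


# Constructed ROA: the holder of 192.0.2.0/24 authorises AS64500 to
# originate exactly the /24 (maxLength 24).
ROAS = [ROA(ip_network("192.0.2.0/24"), 64500, 24)]

# Constructed announcements.  'path_forgery' is Ohta's case: AS64666
# keeps the legitimate origin on the path and merely adds itself in front.
CASES: Dict[str, Announcement] = {
    "legitimate":    Announcement(ip_network("192.0.2.0/24"), [64496, 64500]),
    "origin_hijack": Announcement(ip_network("192.0.2.0/24"), [64666]),
    "more_specific": Announcement(ip_network("192.0.2.0/25"), [64500]),
    "path_forgery":  Announcement(ip_network("192.0.2.0/24"), [64666, 64500]),
    "uncovered":     Announcement(ip_network("198.51.100.0/24"), [64666]),
}


def classify_all() -> Dict[str, str]:
    """Run every constructed announcement through origin validation."""
    return {name: validate_origin(ann, ROAS) for name, ann in CASES.items()}


if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:14s} {state}")
```

The origin hijack and the more-specific leak are caught because the mapping being checked is global and signed. The path-forgery case comes back "valid": origin validation inspects only the rightmost AS, so an ISP that attaches its own number to a genuine path passes and can draw the traffic. Closing that gap means validating the path itself, which is the second, non-global function the post calls much harder to fit to a PKI.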
