
Re: Last Call: <draft-ietf-sidr-bgpsec-threats-06.txt> (Threat Model for BGP Path Security) to Informational RFC

2013-09-13 04:56:13
At 15:26 09-09-2013, The IESG wrote:
The IESG has received a request from the Secure Inter-Domain Routing WG
(sidr) to consider the following document:
- 'Threat Model for BGP Path Security'
  <draft-ietf-sidr-bgpsec-threats-06.txt> as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2013-09-23. Exceptionally, comments may be

I read this draft to find out whether we have met the enemy, and he is us [1].

The draft mentions PATHSEC in the Introduction section without explaining the term. I suggest using the following (edited) which is already in the Abstract:

  "The term PATHSEC is used to refer to any BGP path security
   technology that makes use of the RPKI."

According to Section 2 anyone or anything can be an adversary. I would not use "threat" to determine "adversary" as motivation can change. I am not sure whether the average reader will understand the nuance. Please note that I am not suggesting any change.

In Section 3:

  'Hackers may be motivated by a desire for "bragging rights" or for
   profit or to express support for a cause.'

The above may be applicable for any person.

  "The staff could be motivated to do this based on political pressure
   from the nation in which the registry operates (see below)
   or due to criminal influence (see above)."

Wouldn't the profit angle also be applicable for registries? The above focuses on staff instead of the registry. Political pressure would apply for the organization (see definition of entity in Section 2).

  "Nations - A nation may be a threat.  A nation may control one or more
   network operators that operate in the nation, and thus can cause them
   to act as rogue network operators."

There are also network operators that operate outside the nation. That can be used to get the operator to act as a dishonest network operator outside the nation.

 "A nation may have a technical active wiretapping capability (e.g.,
  within its territory) that enables it to effect MITM attacks on
  inter-network traffic.  (This capability may be facilitated by
  control or influence over a telecommunications provider operating
  within the nation.)"

There is an emphasis that this (the nation) threat only applies within the territory. There is a sentence after the quoted text that the nation has the ability to take control in other countries. Would a reference to NSL be appropriate in that paragraph?

In Section 4.2:

  "False (Route) Origination: A router might originate a route for a
   prefix, when the AS that the router represents is not authorized
   to originate routes for that prefix.  This is an attack, but it is
   addressed by the use of the RPKI [RFC6480]."

Wouldn't the way to address the attack open the way for other attacks (see Section 3)?

In Section 4.5:

  "Some adversaries might effect an attack on a CA by violating
   personnel or physical security controls as well. The distinction
   between CA as adversary vs. CA as an attack victim is important.
   Only in the latter case should one expect the CA to remedy problems
   caused by a attack once the attack has been detected.  (If a CA
   does not take such action, the effects are the same as if the
   CA is an adversary.)"

I gather that the CA would have a CPS and that CPS would take into consideration the possible attacks and describe the measures to prevent them. The above looks at it from an after-the-fact perspective; i.e. once the damage is done, action is taken.

This draft is well thought out. There's a cryptography angle to one of the references. I wondered about the why for that reference.

Regards,
-sm

1. The explanation was that "each individual is wholly involved in the democratic process, work at it or no. The results of the process fall on the head of the public and he who is recalcitrant or procrastinates in raising his voice can blame no one but himself".