RE: BGP over TLS

[adamv0025]

> From: Christopher Morrow 
> Sent: Friday, October 25, 2019 7:08 AM
> 
> > > > So move from bilateral peering over common IX-LAN to direct
> > > > peering Or if a direct link is still not to be trusted do MACSEC.
> > > > Then it's all about you and the peer -if he/she screws you over de-peer.
> > >
> > > and it burning a 100g port on a chassis for ~1g (or less) of traffic
> > > is worthwhile...
> > Sure cause the usual math is if I have 100G to IX LAN which is half empty
> then going direct means 100G x number of peers I'd like to move to direct
> peering...
> 
> Sorry, I skipped a sentence figuring it wasn't worth typing, but ...
> "100g is the new 10g which was the new 1g ... and on 100g platforms you
> often don't get 1g as well... it's harder to delivery 10G (almost) than 100g 
> :( "
> 
> So default at the edge is moving to 100g for some folk
> 
Nah that's just advertising, 100G is still not quite there yet:
100G SR4 99,-
40G SR4 39,-
10G SR 18,-
1000BASE-T 18,-
1000BASE-SX 6,-

100G LR 799,-
40G LR 279,-
10G LR 24,-
1G LX 7,-


Yes these are just indicative transceiver prices, but it sort of speaks to the 
argument of 100G for anything cause it doesn't matter.
Also from the forwarding chip perspective,
100G being a new 10G is currently has a faint chance only on the most 
"simplest" merchant silicon, it will take a long time till this notion trickles 
down and is reflected in prices of vendor NPUs/PFEs or cards.
e.g. try comparing list prices of a 32 port 10G card to a 32 port 100G card and 
then tell me it doesn't really matter whether you'll burn a 10G or 100G port 
for the 1g peer :)

adam

Re: BGP over TLS

[Christopher Morrow]

On Thu, Oct 24, 2019 at 9:33 AM  wrote:
>
> > From: Christopher Morrow 
> > Sent: Wednesday, October 23, 2019 6:53 PM
> > Subject: Re: BGP over TLS
> >
> > On Wed, Oct 23, 2019 at 10:43 AM  wrote:
> > >
> > > > Sent: Tuesday, October 22, 2019 8:26 PM
> > > > To: Keith Medcalf 
> > > >
> > > > No,
> > > >
> > > >
> > > > > On Oct 22, 2019, at 2:08 PM, Keith Medcalf 
> > > > wrote:
> > > > >
> > > > > At this point further communications are encrypted and secure
> > > > > against
> > > > eavesdropping.
> > > >
> > > > The problem isn't the protocol being eavesdropped on. The data is
> > > > already published publicly by many people.
> > > >
> > > > The problem is one of mutual authentication and authorization of the
> > > > transport.
> > > >
> > > Yes the information is public but if the routing information exchanged
> > > over a given peering session is tempered with that could potentially
> > > cause some problems right?
> >
> > 'mutual authentication' CAN be the thing (via tcp md5 today) that does this
> > 'do not tamper' part.
> > there ARE problems with tcp-md5... some are "because we collectively didnt'
> > squeak enough to get key-tables"
> > some are: "err, doing low-level-kernel-muckery is gross".
> >
> > > But then again, as Jeff mentioned, with GTSM this vector is limited to
> > > a local link between two eBGP speakers (or whole IGP domain for iBGP
> > > sessions but let's leave that one out for now).
> >
> > ibgp, it turns out, is important.
> >
> Well yes and that's why we all have internet plane RR infrastructure separate 
> to the RR infrastructure(s) distributing information for other services right?
> And is also why we all filter non-standard or even non-usual BGP attributes 
> and unusually long AS paths and community lists on ingress to our AS, just to 
> safeguard our BGP infrastructure.
> ...yeah about that.
>

sounds right, yes.
There's at least 1 BCP that talks about this... and some BCOP's from
ripe/nanog as well I think?

> > > So move from bilateral peering over common IX-LAN to direct peering Or
> > > if a direct link is still not to be trusted do MACSEC.
> > > Then it's all about you and the peer -if he/she screws you over de-peer.
> >
> > and it burning a 100g port on a chassis for ~1g (or less) of traffic is
> > worthwhile...
> Sure cause the usual math is if I have 100G to IX LAN which is half empty 
> then going direct means 100G x number of peers I'd like to move to direct 
> peering...

Sorry, I skipped a sentence figuring it wasn't worth typing, but ...
"100g is the new 10g which was the new 1g ... and on 100g platforms
you often don't get 1g as well... it's harder to delivery 10G (almost)
than 100g :( "

So default at the edge is moving to 100g for some folk

> > there's lots of variables here... options are nice to have... better 
> > security for
> > /not just my IX/ bgp would be nice too :)
>
> Well yes I do agree with that statement on a sentimental level almost.
>
> But pragmatically I'd have to ask what big of a problem is BGP over TLS going 
> to solve and how much would it cost.
> Ideally the solution would tick all these 3 together:
> 1) it's a panacea (solves all aspects of the problem),
> 2) it's zero effort (development and getting it to the network)
> 3) it solves a huge problem, (operators are struggling with the effects of 
> this problem on a daily bases)

sure... I don't have a cogent answer to all of these, but if you
believe there's a need for authentication /  integrity / privacy on
some/all of your BGP sessions, you probably want:
  1) something that rotates regularly instead of static md5 would be great
   because everyone's md5 secret is public, regardless of your
efforts to secure that data :(

  2) something that doesn't require operator interference to
enable/rotate/manage would be nice
  one main complaint about md5 is it's very hard to setup
reliably, folk don't record the keys, etc.
   "argh, peer didn't come up, rm-rf-key.. look working now!"
  making that more straightforward and less error prone would be good.

  -chris

RE: BGP over TLS

[adamv0025]

> From: Christopher Morrow 
> Sent: Wednesday, October 23, 2019 6:53 PM
> Subject: Re: BGP over TLS
> 
> On Wed, Oct 23, 2019 at 10:43 AM  wrote:
> >
> > > Sent: Tuesday, October 22, 2019 8:26 PM
> > > To: Keith Medcalf 
> > >
> > > No,
> > >
> > >
> > > > On Oct 22, 2019, at 2:08 PM, Keith Medcalf 
> > > wrote:
> > > >
> > > > At this point further communications are encrypted and secure
> > > > against
> > > eavesdropping.
> > >
> > > The problem isn't the protocol being eavesdropped on. The data is
> > > already published publicly by many people.
> > >
> > > The problem is one of mutual authentication and authorization of the
> > > transport.
> > >
> > Yes the information is public but if the routing information exchanged
> > over a given peering session is tempered with that could potentially
> > cause some problems right?
> 
> 'mutual authentication' CAN be the thing (via tcp md5 today) that does this
> 'do not tamper' part.
> there ARE problems with tcp-md5... some are "because we collectively didnt'
> squeak enough to get key-tables"
> some are: "err, doing low-level-kernel-muckery is gross".
> 
> > But then again, as Jeff mentioned, with GTSM this vector is limited to
> > a local link between two eBGP speakers (or whole IGP domain for iBGP
> > sessions but let's leave that one out for now).
> 
> ibgp, it turns out, is important.
> 
Well yes and that's why we all have internet plane RR infrastructure separate 
to the RR infrastructure(s) distributing information for other services right?
And is also why we all filter non-standard or even non-usual BGP attributes and 
unusually long AS paths and community lists on ingress to our AS, just to 
safeguard our BGP infrastructure.
...yeah about that. 

> > So move from bilateral peering over common IX-LAN to direct peering Or
> > if a direct link is still not to be trusted do MACSEC.
> > Then it's all about you and the peer -if he/she screws you over de-peer.
> 
> and it burning a 100g port on a chassis for ~1g (or less) of traffic is
> worthwhile...
Sure cause the usual math is if I have 100G to IX LAN which is half empty then 
going direct means 100G x number of peers I'd like to move to direct peering... 

> there's lots of variables here... options are nice to have... better security 
> for
> /not just my IX/ bgp would be nice too :)
Well yes I do agree with that statement on a sentimental level almost.
But pragmatically I'd have to ask what big of a problem is BGP over TLS going 
to solve and how much would it cost. 
Ideally the solution would tick all these 3 together: 
1) it's a panacea (solves all aspects of the problem), 
2) it's zero effort (development and getting it to the network)
3) it solves a huge problem, (operators are struggling with the effects of this 
problem on a daily bases)

adam

Re: BGP over TLS

[Randy Bush]

> there ARE problems with tcp-md5... some are "because we collectively
> didnt' squeak enough to get key-tables"

i believe many vendors implement key scheduling.  no one uses it, and i
do not suggest they do.

randy

Re: BGP over TLS

[Christopher Morrow]

On Wed, Oct 23, 2019 at 11:18 AM Alain Hebert  wrote:
>
> I do not have much to contribute but this.
>
> We already have ( choose your poison(s) )
>
> Dark Fiber + MACsec + BCP38 + ACL + MD5 + MPLS + IRRD + GRE + IPsec + 
> yadi yada

much of this isn't solving the problem though, and adding complexity
and layers to the problem, right?

> PS: Yup, I have SRX300s doing BGP over NNI -and- a GRE + IPsec on LTE 
> as a backup.
>

sure everyone can cook up a loony solution.. but in the general case
of my iBGP cross-country (or cross-ocean) it'd be nice to not have to
do a bunch of really heavyweight things just to get better
authen/integrity/ for my bgp traffic, I think.

> What is the real endgame from the people(s) proposing "BGP over TLS"?  It 
> feel like someone is trying to create a job for himself over a solution in 
> search of a problem.
>
> -
> Alain Hebertaheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911  http://www.pubnix.netFax: 514-990-9443
>
> On 2019-10-23 10:42, adamv0...@netconsultings.com wrote:
>
> Sent: Tuesday, October 22, 2019 8:26 PM
> To: Keith Medcalf 
>
> No,
>
>
> On Oct 22, 2019, at 2:08 PM, Keith Medcalf 
>
> wrote:
>
> At this point further communications are encrypted and secure against
>
> eavesdropping.
>
> The problem isn't the protocol being eavesdropped on. The data is already
> published publicly by many people.
>
> The problem is one of mutual authentication and authorization of the
> transport.
>
> Yes the information is public but if the routing information exchanged over
> a given peering session is tempered with that could potentially cause some
> problems right?
>
> But then again, as Jeff mentioned, with GTSM this vector is limited to a
> local link between two eBGP speakers (or whole IGP domain for iBGP sessions
> but let's leave that one out for now).
> So move from bilateral peering over common IX-LAN to direct peering
> Or if a direct link is still not to be trusted do MACSEC.
> Then it's all about you and the peer -if he/she screws you over de-peer.
>
> adam
>
>
>
>
>

Re: BGP over TLS

[Christopher Morrow]

On Wed, Oct 23, 2019 at 10:43 AM  wrote:
>
> > Sent: Tuesday, October 22, 2019 8:26 PM
> > To: Keith Medcalf 
> >
> > No,
> >
> >
> > > On Oct 22, 2019, at 2:08 PM, Keith Medcalf 
> > wrote:
> > >
> > > At this point further communications are encrypted and secure against
> > eavesdropping.
> >
> > The problem isn't the protocol being eavesdropped on. The data is already
> > published publicly by many people.
> >
> > The problem is one of mutual authentication and authorization of the
> > transport.
> >
> Yes the information is public but if the routing information exchanged over
> a given peering session is tempered with that could potentially cause some
> problems right?

'mutual authentication' CAN be the thing (via tcp md5 today) that does
this 'do not tamper' part.
there ARE problems with tcp-md5... some are "because we collectively
didnt' squeak enough to get key-tables"
some are: "err, doing low-level-kernel-muckery is gross".

> But then again, as Jeff mentioned, with GTSM this vector is limited to a
> local link between two eBGP speakers (or whole IGP domain for iBGP sessions
> but let's leave that one out for now).

ibgp, it turns out, is important.

> So move from bilateral peering over common IX-LAN to direct peering
> Or if a direct link is still not to be trusted do MACSEC.
> Then it's all about you and the peer -if he/she screws you over de-peer.

and it burning a 100g port on a chassis for ~1g (or less) of traffic
is worthwhile...
there's lots of variables here... options are nice to have... better
security for /not just my IX/ bgp would be nice too :)

Re: BGP over TLS

[Alain Hebert]

    I do not have much to contribute but this.

    We already have ( choose your poison(s) )

        Dark Fiber + MACsec + BCP38 + ACL + MD5 + MPLS + IRRD + GRE + 
IPsec + yadi yada


        PS: Yup, I have SRX300s doing BGP over NNI -and- a GRE + IPsec 
on LTE as a backup.


    What is the real endgame from the people(s) proposing "BGP over 
TLS"?  It feel like someone is trying to create a job for himself over a 
solution in search of a problem.


-
Alain Hebertaheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.netFax: 514-990-9443

On 2019-10-23 10:42, adamv0...@netconsultings.com wrote:

Sent: Tuesday, October 22, 2019 8:26 PM
To: Keith Medcalf 

No,



On Oct 22, 2019, at 2:08 PM, Keith Medcalf 

wrote:

At this point further communications are encrypted and secure against

eavesdropping.

The problem isn't the protocol being eavesdropped on. The data is already
published publicly by many people.

The problem is one of mutual authentication and authorization of the
transport.


Yes the information is public but if the routing information exchanged over
a given peering session is tempered with that could potentially cause some
problems right?

But then again, as Jeff mentioned, with GTSM this vector is limited to a
local link between two eBGP speakers (or whole IGP domain for iBGP sessions
but let's leave that one out for now).
So move from bilateral peering over common IX-LAN to direct peering
Or if a direct link is still not to be trusted do MACSEC.
Then it's all about you and the peer -if he/she screws you over de-peer.

adam

RE: BGP over TLS

[adamv0025]

> Sent: Tuesday, October 22, 2019 8:26 PM
> To: Keith Medcalf 
> 
> No,
> 
> 
> > On Oct 22, 2019, at 2:08 PM, Keith Medcalf 
> wrote:
> >
> > At this point further communications are encrypted and secure against
> eavesdropping.
> 
> The problem isn't the protocol being eavesdropped on. The data is already
> published publicly by many people.
> 
> The problem is one of mutual authentication and authorization of the
> transport.
> 
Yes the information is public but if the routing information exchanged over
a given peering session is tempered with that could potentially cause some
problems right?

But then again, as Jeff mentioned, with GTSM this vector is limited to a
local link between two eBGP speakers (or whole IGP domain for iBGP sessions
but let's leave that one out for now).
So move from bilateral peering over common IX-LAN to direct peering 
Or if a direct link is still not to be trusted do MACSEC.
Then it's all about you and the peer -if he/she screws you over de-peer.

adam

Re: BGP over TLS

[Jared Mauch]

> On Oct 22, 2019, at 6:31 PM, Keith Medcalf  wrote:
> 
> I see.  It is an AIC problem, not a CIA problem.  TLS in its default
> usage is a CIA thing because, well, it was designed to solve CIA
> problems where even temporary secrecy is more important than being down
> for a week.  As had been pointed out though, TLS does allow for non-CIA
> configuration and usage such as by using PSK or fingerprint
> authentication.  SSH is also an AIC thing.  It solves the problem by
> recording the fingerprint on first connect and alarming if the
> fingerprint is not subsequently what was expected.  Cannot TLS be
> configured to do the same thing bidirectionally?

I’ve had enough of a problem with the management side of my router w/ SSH(host) 
keys that imagining trying to scale that to lets say 200 peers at an IXP would 
make it insane to touch.

In my home network I ended up placing a rule due to how often I would play with 
embedded devices, eg:

Host 10.0.0.*
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

Because each time I have a new device come up with a hostname (eg: 
raspberrypi.local) I would have to clear out my known hosts file.  This local 
policy allows me to make this simpler.  I think something like that is really 
what’s desired, but when was the last time you managed to keep the ssh daemon 
key on your router when you swap hardware?

The simpler the tools the better.  Things like ACME made it much easier for 
someone to manage their TLS certs and config.  There’s much to be desired from 
the management plane of these devices.  No wonder people with scale roll their 
own code.. 

Routers haven’t advanced much past the early 90s in sophistication in how you 
configure them.  We’re still in the late 90s with kickstart techniques and 
manual patching vs enmasse configuration changes.  I see the limitations on 
both the technical side and the human side.  Try to tell someone who has been 
caretaking all the routers to become a sysadmin and watch what happens.

It’s up to us as consumers of the technology to push our vendors for something 
better.  I can’t have a router reboot itself when you type commit or similar 
which is still the state of the industry.

- Jared

RE: BGP over TLS

[Keith Medcalf]

On Tuesday, 22 October, 2019 13:26, Jared Mauch 
wrote:

>No,

>> On Oct 22, 2019, at 2:08 PM, Keith Medcalf 
wrote:

>> At this point further communications are encrypted and secure against
>>eavesdropping.

>The problem isn't the protocol being eavesdropped on. The data is
already
>published publicly by many people.

>The problem is one of mutual authentication and authorization of the
>transport.

I see.  It is an AIC problem, not a CIA problem.  TLS in its default
usage is a CIA thing because, well, it was designed to solve CIA
problems where even temporary secrecy is more important than being down
for a week.  As had been pointed out though, TLS does allow for non-CIA
configuration and usage such as by using PSK or fingerprint
authentication.  SSH is also an AIC thing.  It solves the problem by
recording the fingerprint on first connect and alarming if the
fingerprint is not subsequently what was expected.  Cannot TLS be
configured to do the same thing bidirectionally?

--
The fact that there's a Highway to Hell but only a Stairway to Heaven
says a lot about anticipated traffic volume.

Re: BGP over TLS

[Jared Mauch]

No,


> On Oct 22, 2019, at 2:08 PM, Keith Medcalf  wrote:
> 
> At this point further communications are encrypted and secure against 
> eavesdropping.

The problem isn't the protocol being eavesdropped on. The data is already 
published publicly by many people. 

The problem is one of mutual authentication and authorization of the transport. 

- Jared 

Re: BGP over TLS

[Christopher Morrow]

On Tue, Oct 22, 2019 at 2:21 PM Bjørn Mork  wrote:
>
> Christopher Morrow  writes:
>
> > The x.509 system, to be effective here would require a TrustAnchor /
> > Root-of-Trust that both parties agreed was acceptable...
>
> As in a shared TrustAnchor?  No.  Both ends could use a simple self

as an option, sure. not a great one as you say. (and I agree, today's
'web pki' model just isn't sane for networking)

> signed certificate and be configured to trust the other.  A hash of the
> peers public key would be sufficient for the BGP peer configuration.
>

This is effectively the same as the md5 problem, right? and there'd
have to be a bunch of not-standard machinations in the tls connection
to support this behavior... never mind: "Was that E5S or E5s gosh..
can you send me this over IM please?" :) (passing around the
fingerprints is hard)

> Or you could use more complex PKI models, with a CA hierarchy or
> whatever.  The point is that TLS doesn't force you to do that
>

right, I think I said that in the next paragraph: "Hey, you could use psk..."

> Authenticating the peer by its public key hash is as simple as using an
> TCP-MD5 password.

err... is it though?
  'foobarbaz' is a long simpler than:
   SHA1 Fingerprint=A2:A8:74:E7:3C:20:49:E4:2D:5A:6E:97:EF:B2:65:C7:59:44:1A:6E

> > To get around that you propose we hopscotch over to 'TLS with
> > preshared keys (PSK)'...ok, that smells nice,
>
> Maybe.  Personally I don't see the point.

I think ... if we are working away from a static 'key' and to
something that could be machine managed in a secure fashion (certs,
for instance) we'd be in a better place for:
   bgp session security
   bgp session integrity
   bgp session authentication

> >> My personal major gripe with certificate based systems is that many
> >> routers don't have an RTC and won't know what time it is until they can
> >> NTP, which likely requires protocol adjacencies, and then a dependency 
> >> loop.
> >
> > this is also a problem, but really ... your igp should get you to an
> > NTP source... or we'd all get to that fairly quickly, right? :)
> >   (some of this is updating 'best practices' in building / maintaining
> > a network, right?)
>
> You may ignore notAfter and notBegin like DANE does. The ntp issue is

I don't know what those fields are but:
notBefore=Oct  3 17:13:51 2019 GMT
notAfter=Dec 26 17:13:51 2019 GMT

maybe you mean these? sure, you CAN ignore those, but that's also
'non-standard, outside openssl-like behavior' so likely to cause
problems :(
and, you really do want certs with expiry that's 'short' so you don't
need to worry about CRL distribution and such. I think anyway.

> another reason.  But IMHO the most important one is that you don't want
> any sort of forced key rotation, where the configuration that was valid
> yesterday suddenly becomes invalid.  That's a policy designed for a
> completely different usecase than running a routing protocol.

there are  many examples of (outside x509/ssl) key management systems
that use date initiated keys though, on network devices.
most vendors support a key table for ISIS and OSPF... and LDP (I believe)

> You'll probably want to trust your configured pinned peer key for as
> long as it is part of your configuration.  And if you are using a CA,

that seems .. bad. What if someone gets the key material that's not your peer?
  
https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/

this doesnt' happen too often... wait, yes it does.
You want the ability to CRL or expire or make a lost cert less useful.
keys/certs/secrets that last forever are not a thing.

> then you'll probably want to use a CRL to withdraw specific certificates
> instead of depending on a timeout.

CRLs imply some external dependency, maybe that's ok depending on your
deployment, but I imagine that if we get to a world with a CA per
peer-as, there are going to be folk very busy getting CRLs and not so
busy getting routes done.

there's a tradeoff for each of these things, I imagine a well reasoned
paper (juilien?) and some standards (possibly) + implementer work
would be necessary to get true forward movement. (and desire to
actually do this work)

> And before someone claims that notAfter and notBegin validation is
> mandated by the RFC 5280 certificate policy - The good authors of RFC
> 5280 anticipated that their "Internet applications" policy wouldn't
> necessarily fit all:
>
>Some communities will need to supplement, or possibly replace, this
>profile in order to meet the requirements of specialized application
>domains or environments with additional authorization, assurance, or
>operational requirements.  However, for basic applications, common
>representations of frequently used attributes are defined so that
>application developers can obtain necessary information without
>regard to the issuer of a particular certificate or certificate
>

Re: BGP over TLS

[Brandon Martin]

On 10/22/2019 14:07, Keith Medcalf wrote:

That is incorrect.

I believe that an endpoint (lets call it Alice) can connect to another endpoint (lets call it Bob) and Alice can say to Bob, 
"Hello Dude, lets negotiate a secret key between us".  "Yokkely dokelly", says Bob, "Lets do that". 
 They then exchange some stuff to and fro and then Alice says "Righty then, lets encrypt!" and Bob says, "Yabba 
Doodle Doo".

At this point further communications are encrypted and secure against 
eavesdropping.  Alice still has no idea who she is talking to (other than it is 
the dude that picked up the phone), and Bob has no idea who he is talking too 
other than the fact it is whoever rang him up.

The Security part in Transport Layer Security is Encryption.  Authentication is 
lathered on top as an afterthought and requires external measures be taken in 
order to have*any*  effect whatsoever.


This is unauthenticated Diffie-Hellmann key agreement, essentially.  As 
has been pointed out, it only works if you know that, during the initial 
agreement, you can trust that you are talking directly to who you want 
to talk to without fear of a man in the middle (a passive observer will 
still be foiled).


TLS supports this in the form of anonymous TLS.

Something similar is normally used for opportunistic TLS upgrade with 
e.g. SMTP, but there at least one end (the "server") still presents a 
certificate; the client just doesn't validate it.


Password-authenticated DHKA fixes the above problem, but then you're 
back to the status quo of a preshared secret.  This is, in fact, how the 
DHE* suite of TLS ciphersuites works, AFAIK.  Use PKI to exchange one 
secret (with trust of who you're talking to, where applicable, due to 
the PKI), then use authenticated DH to establish a session secret using 
that as the PSK.  Then throw away that session secret when you're done.


One thing that comes to mind in the context of what others have done is 
to have each router maintain, internally, its own long-term CA and issue 
a peer certificate when a session is first started to its peer.  This 
has the same problem in that the initial session establishment could be 
meddled with but, assuming that does not happen (and it does not, in 
practice, seem especially likely except maybe on an IX), the peer can 
identify itself for the long term.  THrow alarm bells if an unknown peer 
again tries to talk on that configured peer.


That at least gets you some form of long-term security (at the cost of 
possibly NO security if the above assumptions are not met), and it 
happens automatically.


You could do the same thing with a symmetric secret being automatically 
established using DHKA or similar, too, of course.


--
Brandon Martin

Re: BGP over TLS

[Bjørn Mork]

Christopher Morrow  writes:

> The x.509 system, to be effective here would require a TrustAnchor /
> Root-of-Trust that both parties agreed was acceptable...

As in a shared TrustAnchor?  No.  Both ends could use a simple self
signed certificate and be configured to trust the other.  A hash of the
peers public key would be sufficient for the BGP peer configuration.

Or you could use more complex PKI models, with a CA hierarchy or
whatever.  The point is that TLS doesn't force you to do that

Authenticating the peer by its public key hash is as simple as using an
TCP-MD5 password.

> To get around that you propose we hopscotch over to 'TLS with
> preshared keys (PSK)'...ok, that smells nice,

Maybe.  Personally I don't see the point.

>> My personal major gripe with certificate based systems is that many
>> routers don't have an RTC and won't know what time it is until they can
>> NTP, which likely requires protocol adjacencies, and then a dependency loop.
>
> this is also a problem, but really ... your igp should get you to an
> NTP source... or we'd all get to that fairly quickly, right? :)
>   (some of this is updating 'best practices' in building / maintaining
> a network, right?)

You may ignore notAfter and notBegin like DANE does. The ntp issue is
another reason.  But IMHO the most important one is that you don't want
any sort of forced key rotation, where the configuration that was valid
yesterday suddenly becomes invalid.  That's a policy designed for a
completely different usecase than running a routing protocol.

You'll probably want to trust your configured pinned peer key for as
long as it is part of your configuration.  And if you are using a CA,
then you'll probably want to use a CRL to withdraw specific certificates
instead of depending on a timeout.

And before someone claims that notAfter and notBegin validation is
mandated by the RFC 5280 certificate policy - The good authors of RFC
5280 anticipated that their "Internet applications" policy wouldn't
necessarily fit all:

   Some communities will need to supplement, or possibly replace, this
   profile in order to meet the requirements of specialized application
   domains or environments with additional authorization, assurance, or
   operational requirements.  However, for basic applications, common
   representations of frequently used attributes are defined so that
   application developers can obtain necessary information without
   regard to the issuer of a particular certificate or certificate
   revocation list (CRL).


BTW, using TLS for management protocols is not completely unknown.  We
already have RADSEC (RFC 6614) and syslog-tls (RFC 5425), and probably
others I haven't touched yet.  The certificate management problem is
pretty much the same for all these.  You have a closed group of
clients/servers/peers using explicitly configured sessions.  You want
both ends to authenticate each other.  You don't necessarily want an
umbrella trust anchor in the form of a CA.  Defining trust per session
is fine, using pinned certificates.


Bjørn

Re: BGP over TLS

[Chris Adams]

Once upon a time, Keith Medcalf  said:
> I believe that an endpoint (lets call it Alice) can connect to another 
> endpoint (lets call it Bob) and Alice can say to Bob, "Hello Dude, lets 
> negotiate a secret key between us".  "Yokkely dokelly", says Bob, "Lets do 
> that".  They then exchange some stuff to and fro and then Alice says "Righty 
> then, lets encrypt!" and Bob says, "Yabba Doodle Doo".
> 
> At this point further communications are encrypted and secure against 
> eavesdropping.  Alice still has no idea who she is talking to (other than it 
> is the dude that picked up the phone), and Bob has no idea who he is talking 
> too other than the fact it is whoever rang him up.

But if Alice and Bob don't know that they're talking to each other, they
could already be being eavesdropped on.  Chuck could have answered
Alice's call, turned around and called Bob, connected the two, and be
listening in (and potentially even modifying communications between
Alice and Bob).

This is why encryption without some type of endpoint authentication is
not secure.

I could see BGP over TLS requiring each end sharing a CA public cert in
advance - this would allow each end to re-gen keys at will.  The BGP
config could easily limit a particular peer to a particular CA (so when
I peer with Google, they send me or otherwise publish their BGP CA, and
I limit my Google peers to that CA).

This could replace trying to securely share MD5 keys today - a BGP CA
could be published (possibly even at RIRs).
-- 
Chris Adams 

RE: BGP over TLS

[Keith Medcalf]

>TLS in the traditional sense 'requires' that there be an X.509
>certificate to use in authenticating (and to some extent authorizing -
>can you be a CA? sign email? etc...) endpoints, ideally you do 'tls
>mutual authentication'...

That is incorrect.

I believe that an endpoint (lets call it Alice) can connect to another endpoint 
(lets call it Bob) and Alice can say to Bob, "Hello Dude, lets negotiate a 
secret key between us".  "Yokkely dokelly", says Bob, "Lets do that".  They 
then exchange some stuff to and fro and then Alice says "Righty then, lets 
encrypt!" and Bob says, "Yabba Doodle Doo".

At this point further communications are encrypted and secure against 
eavesdropping.  Alice still has no idea who she is talking to (other than it is 
the dude that picked up the phone), and Bob has no idea who he is talking too 
other than the fact it is whoever rang him up.

The Security part in Transport Layer Security is Encryption.  Authentication is 
lathered on top as an afterthought and requires external measures be taken in 
order to have *any* effect whatsoever.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.

Re: BGP over TLS

[Christopher Morrow]

On Tue, Oct 22, 2019 at 6:35 AM Julien Goodwin  wrote:
>
>
>
> On 22/10/19 4:04 am, Jared Mauch wrote:
> >
> >
> >> On Oct 21, 2019, at 12:30 PM, Joe Abley  wrote:
> >>
> >> On 21 Oct 2019, at 12:05, Keith Medcalf  wrote:
> >>
> >>> On Monday, 21 October, 2019 09:44, Robert McKay  wrote:
> >>>
>  The MD5 authentication is built into TCP options.. not obvious how you
>  would transport it over TLS which afaik doesn't offer similar
>  functionality.
> >>>
> >>> AHA!  I understand now and sit corrected.  I was under the mistaken 
> >>> impression that MD5 authentication was an application level thing, not a 
> >>> TCP level thing.
> >>
> >> Well, TLS exists within a TCP session, and that TCP session could 
> >> incorporate the MD5 signature option. I guess.
> >>
> >> Julien's BGP-STARTTLS idea is interesting. I wonder about the practicality 
> >> of deploying certificates to every BGP speaker that are useful for strict 
> >> checking by neighbours, though. Perhaps I've been too long with my hands 
> >> out of routers and things have moved on, but it seems to me that the 
> >> history of certificate management in routers is not a rich tapestry of 
> >> triumph.
> >
> > It’s not.  I talked about this in the security area session at IETF several 
> > meetings ago — the requirements operators have around this space, and it’s 
> > quite a pain to be honest.
> >
> > I’ve seen enough people have issues with managing a password that 
> > certificates would be even harder when there’s a router swap.
> >
> > The issue isn’t that most people want privacy, it’s they want transport 
> > integrity which in general the TLS community seems to think everyone NEEDS 
> > both.
>
> Yeah, I come from the perspective not just of a (now former AS15169)
> operator, but also often being one of a network's very few peers,
> sometimes the only non-transit a network had.
>
> IMO, *requiring* certificates or similar is a step too far at the
> moment, however building something that allows for easy extension to
> certificates (or whatever) is sensible.

TLS in the traditional sense 'requires' that there be an X.509
certificate to use in authenticating (and to some extent authorizing -
can you be a CA? sign email? etc...) endpoints, ideally you do 'tls
mutual authentication'...

The x.509 system, to be effective here would require a TrustAnchor /
Root-of-Trust that both parties agreed was acceptable...
Julien, you are asserting that: "yea, but that's hard, because
Julien-net and Chris-net may agree on 'bobs bait and tackle CA', but
certainly Jared-net is obstinate and will required only the CA at
"Sams Veggie Hut & CA"" ... so we'd end up with managing a 'worse'
version of the web-PKI on network devices.

To get around that you propose we hopscotch over to 'TLS with
preshared keys (PSK)'... ok, that smells nice, it's NOT a kernel/tcp
option (hurray) it's possibly safer-ish. I think Jared's point that;
"this is just gussied up md5..." isn't wrong, it is nice that this
isn't in the kernel path (tcp-md5/tcp-ao HA)... I think that really
it'd need some method to change PSK though over time in a sane
fashion, ie the 'key table' that is used in other places for this sort
of problem.

Internally folk that wanted could use their own CA infra to operate /
use certs on their iBGP sessions, or customer sessions... and maybe
later in our lifetime we could re-use the certs that RPKI distributes
as the certs for bgp session security ? (I think there are some pretty
draconian restrictions on the certs here, but I don't remember off the
top of my head what those are right now.)

> >> Without strict checking in both directions, the threat model with TLS 
> >> looks pretty similar to that with TCP-MD5 with not very secret secrets, 
> >> which I gather is one of the deficiencies that the TLS proposal seeks to 
> >> address.
> >
> > This is a whole mess of trouble here due to the disconnect in how routers 
> > are managed, the technical capabilities of vendors and where the protocol 
> > split lives here.
> >
> > I will take routers that don’t reboot when we commit them and devices that 
> > can be managed automatically vs the keyboard jockey days that we’re all 
> > used to.
> >
>
> My personal major gripe with certificate based systems is that many
> routers don't have an RTC and won't know what time it is until they can
> NTP, which likely requires protocol adjacencies, and then a dependency loop.

this is also a problem, but really ... your igp should get you to an
NTP source... or we'd all get to that fairly quickly, right? :)
  (some of this is updating 'best practices' in building / maintaining
a network, right?)

Re: BGP over TLS

[Julien Goodwin]

On 22/10/19 5:42 am, Jakob Heitz (jheitz) via NANOG wrote:
> The article linked says no mainstream BGP implementation supports TCP-AO.
> IOS-XE and IOS-XR support it.
> 
> While I do not represent the Cisco view, personally I like the idea of BGP 
> over TLS.

Excellent, that's news to me.

I had been told Juniper finally also shipped TCP-AO in a very recent JunOS.

Both of those are great, but without upstream OS support that leaves a
bunch of purely software implementations out in the cold.

Re: BGP over TLS

[Julien Goodwin]

On 22/10/19 4:04 am, Jared Mauch wrote:
> 
> 
>> On Oct 21, 2019, at 12:30 PM, Joe Abley  wrote:
>>
>> On 21 Oct 2019, at 12:05, Keith Medcalf  wrote:
>>
>>> On Monday, 21 October, 2019 09:44, Robert McKay  wrote:
>>>
 The MD5 authentication is built into TCP options.. not obvious how you
 would transport it over TLS which afaik doesn't offer similar
 functionality.
>>>
>>> AHA!  I understand now and sit corrected.  I was under the mistaken 
>>> impression that MD5 authentication was an application level thing, not a 
>>> TCP level thing.
>>
>> Well, TLS exists within a TCP session, and that TCP session could 
>> incorporate the MD5 signature option. I guess.
>>
>> Julien's BGP-STARTTLS idea is interesting. I wonder about the practicality 
>> of deploying certificates to every BGP speaker that are useful for strict 
>> checking by neighbours, though. Perhaps I've been too long with my hands out 
>> of routers and things have moved on, but it seems to me that the history of 
>> certificate management in routers is not a rich tapestry of triumph.
> 
> It’s not.  I talked about this in the security area session at IETF several 
> meetings ago — the requirements operators have around this space, and it’s 
> quite a pain to be honest.
> 
> I’ve seen enough people have issues with managing a password that 
> certificates would be even harder when there’s a router swap.
> 
> The issue isn’t that most people want privacy, it’s they want transport 
> integrity which in general the TLS community seems to think everyone NEEDS 
> both.

Yeah, I come from the perspective not just of a (now former AS15169)
operator, but also often being one of a network's very few peers,
sometimes the only non-transit a network had.

IMO, *requiring* certificates or similar is a step too far at the
moment, however building something that allows for easy extension to
certificates (or whatever) is sensible.

>> Without strict checking in both directions, the threat model with TLS looks 
>> pretty similar to that with TCP-MD5 with not very secret secrets, which I 
>> gather is one of the deficiencies that the TLS proposal seeks to address.
> 
> This is a whole mess of trouble here due to the disconnect in how routers are 
> managed, the technical capabilities of vendors and where the protocol split 
> lives here.
> 
> I will take routers that don’t reboot when we commit them and devices that 
> can be managed automatically vs the keyboard jockey days that we’re all used 
> to.
> 

My personal major gripe with certificate based systems is that many
routers don't have an RTC and won't know what time it is until they can
NTP, which likely requires protocol adjacencies, and then a dependency loop.

Re: BGP over TLS

[Grant Taylor via NANOG]

On 10/21/19 11:04 AM, Jared Mauch wrote:
I’ve seen enough people have issues with managing a password that 
certificates would be even harder when there’s a router swap.


I think that's an unfortunate state of affair.  I don't know how to get 
around the PEBKAC problem.


The issue isn’t that most people want privacy, it’s they want 
transport integrity which in general the TLS community seems to think 
everyone NEEDS both.


The biggest argument that I've seen is that you can't truly have privacy 
without integrity.  Lest you be speaking over an encrypted channel with 
an unauthenticated MitM.


My understanding is that authentication is the most important issue and 
that privacy is a nice add-on.


With that in mind, I wonder if we couldn't have each router be it's own 
CA and issue /client/ certificates for and to each neighbor to use to 
authenticate back to the local router.  This has the added advantage 
that you wouldn't need to worry about different routers trusting the 
same CA or bother with PKI.  Everything would be local router centric. 
The neighbor would effectively be using a super fancy key that a 
neighbor provided for use when talking to said neighbor.


I think that using /client/ certificates would also allow for 
certificate rotation in that the router can issue a new /client/ 
certificate while still trusting the existing /client/ certificate. 
Then once the client updates to using the new /client/ certificate, the 
router can revoke the old /client/ certificate using standard CRL methods.


All of this would be centric to the local router.

I suspect that it would likely be okay to have longer lived certificates 
in such a configuration.




--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Brandon Martin]

On 10/21/19 4:41 PM, Jeffrey Haas wrote:

I'm not someone qualified, but I'll regurgitate what I've distilled from past 
conversations with those who are.:-)

Presuming your key is strong enough, it may be infeasible to break it in a time 
that's of interest to the parties involved.  The primary issue is the usual 
issue of trying to keep anything secret: eventually disclosure becomes an 
issue.  And if you have no procedure for periodically updating your keys, it 
becomes a problem.


Going back to my thought of using IKE vs. a static SPI, we run into the 
same problem with rekeying the long-term secret.  If it's symmetric, you 
have to get both parties involved.  That will be true if it's IKE with a 
PSK, a static SPI, or TCP-MD5.


I guess the meat of my question is, given modern cryptography 
(algorithms, best practices, actual system implementations, etc.), is 
the periodic re-keyed offered by IKE with PSK any better than simply 
establishing a static SPI (treating the SPI session secret as a slightly 
less human-friendly PSK)?  If not, then you can do away with IKE 
entirely which drastically simplifies things.  It's also the status quo 
for many implementations of OSPFv3-over-IPsec that I've seen.


My impression is that any means by which a long-lived session using the 
same symmetric cipher secret can compromise the security of either that 
session or any other session keyed using the same "parent" keying 
material is now considered a weakness in the cipher or cryptosystem, as 
appropriate, and modern ciphers and systems as such do not exhibit such 
deficiencies.


It's also no worse than TCP-MD5 which, as you pointed out, requires both 
ends to cooperate in a re-keying, too.  I'm not even aware of any 
mechanisms to allow key overlap during a re-keying process in TCP-MD5 
which might otherwise be one advantage of IKE using PSK.  If your SPI 
secret gets disclosed, you re-key manually.  If your TCP-MD5 secret gets 
disclosed, you rep-key manually.  If your IKE PSK secret gets disclosed, 
you re-key manually.


My only real goal, here, is to be as good or better than TCP-MD5 to 
address earlier concerns about people not liking TCP options while also 
not resorting to TLS.  (As a note, I'm thinking out loud with all this, 
not trying to suggest policy proposal)


--
Brandon Martin

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Jeffrey Haas]

> On Oct 21, 2019, at 4:17 PM, Brandon Martin  wrote:
> 
> On 10/21/19 3:37 PM, Jeffrey Haas wrote:
>> BGP over ipsec works fine.  But that said, it's mostly done with pre-shared 
>> keys.
> 
> Is anybody actually doing it in practice?

Absolutely.  In the SP sector?  Less clear.

>> The ugly issue of ipsec is that the ecosystem really wants IKE to do the 
>> good things people associate with long lived sessions.  I don't even vaguely 
>> pretend to be an ipsec/ike expert, but the wrangling over this and router 
>> bootstrapping issues generated a lot of heat and a small amount of light in 
>> IETF a while back.
> 
> Yes.  ipsec (IP layer) itself isn't too bad.  IKE is a complex mess.  A 
> functional mess, perhaps, but a mess nonetheless.  I'd really like to hear 
> from someone actually qualified on the cryptography side of things to chime 
> in on whether long-lived symmetric keys are even really a problem anymore.  
> If they're not, just generating a decent "session" key and statically 
> defining an SPI is a lot more straightforward.

I'm not someone qualified, but I'll regurgitate what I've distilled from past 
conversations with those who are. :-)

Presuming your key is strong enough, it may be infeasible to break it in a time 
that's of interest to the parties involved.  The primary issue is the usual 
issue of trying to keep anything secret: eventually disclosure becomes an 
issue.  And if you have no procedure for periodically updating your keys, it 
becomes a problem.

The problem is exacerbated by the fact that inter-provider key sharing is a 
PITA.  If you're having situations where you have to hit this list as a NOC of 
last resort, now try to imagine a regular cadence of conversations to update 
your key.  And then deal with the fact that key rotation for TCP-MD5 can be hit 
or miss.  In practice, this means that if you had someone that knew your keys 
and was kicked out of your company, they have the ability to do bad stuff.

The ability to more easily update your session keys is one of the big wins for 
tcp-ao.

A lot of the issues behind transport security are mitigated - and this is a 
point I end up raising to various IETF security reviewers on a regular basis 
when talking about control plane protocols:
- It's possible to reduce the attack surface by using things like GTSM.  You've 
acquired the key somehow?  Great - now get packets to that link.
- Similarly, protecting the link itself through things like MACSEC is a way to 
reduce the attack surface.
- What are the actual attacks they can do?  For BGP, knocking over the session 
is often the goal.  The necessary man in the middle for an active hijack if you 
can insert yourself into the conversation is absolutely doable... but you're 
better off just hijacking a router through another compromise and then simply 
injecting bad routing data.

Where much of this puts us is iBGP is of far more interest to an active 
attacker.  Protection of internal routing infrastructure, including firewalls 
that are properly configured, again can help here.  And this becomes even more 
tasty if you're in an environment making use of SDN-ish stuff.


> 
> OSPFv3 hopefully taught people some lessons with its initial lack of built-in 
> authentication.  "Just use ipsec".

This one, IMNSHO, can be blamed on specific IETF religion at the time.  The 
fallouts around this are one of my more favored examples of "this needed 
operational review".
> 
>> And if you have a rather scaled out router, imagine the cpu melting that 
>> goes with a cold startup scenario where you have to get all of those IKE 
>> sessions up to start up your BGP.  Now think what that does to your restart 
>> time. 
> 
> Indeed, though I've seen a trend toward putting rather hefty CPUs on the 
> control planes of "real" routers, nowadays, which I guess is welcome.  It 
> doesn't really contribute much to the overall cost of something that can push 
> 100s of Gbps in hardware, anyway.

Believe me, implementors are happy to have some extra cycles available.  
However, too many target platforms are either still under-powered or have 
operational requirements that push them toward slower CPUs.  

And even for large enough platforms, security computation can eat every spare 
cycle you have.  Generally, a conversation with crypto experts will eventually 
devolve to "key lengths/cipher is now considered weak, use the next one" - 
which is shorthand for saying "if you have available cpu, you're not using 
strong enough crypto". :-)

-- Jeff

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Jared Mauch]

This was one thing I highlighted to the people telling me how I secure my 
network wrong. If it's HTTP and you lose a few clients maybe they don't care. 
If it's BGP I have one client and I care a lot and that session dropping can be 
gigs to tbps of traffic. 

Sent from my iCar

> On Oct 21, 2019, at 4:20 PM, Jeffrey Haas  wrote:
> 
> Exactly how the cert lifetime interacts with peering sessions is likely to be 
> several flavors of ugly.

Re: BGP over TLS

[Bjørn Mork]

Jeffrey Haas  writes:

>  Exactly how the cert lifetime interacts with peering sessions is
>  likely to be several flavors of ugly.

If you pin the key, then there is no reason to care about expiration.
You could define the certificate as valid for as long as the pinned key
matches.  This is similar to what DANE does.


Bjørn

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Jeffrey Haas]

> On Oct 21, 2019, at 3:25 PM, Brandon Martin  wrote:
> 
> On 10/21/19 11:30 AM, Keith Medcalf wrote:
>> Why cannot one just put the MD5 authenticated connection inside a TLS 
>> connection?  What is the advantage to be gained by replacing the 
>> authentication mechanism with weaker certificate authentication method 
>> available with TLS?
> 
> Self-issued certificates with either CA pinning or end-certificate hash 
> pinning is arguably more secure than a shared passphrase as used by TCP-MD5 
> in that someone with knowledge of the secrets of one end cannot use it to 
> impersonate the other end whereas a shared passphrase is inherently shared 
> and symmetric in that respect.  Whether that really provides much value in 
> the context of a BGP session is perhaps questionable.

Considering a lot of hand-wringing from the various security conscious folk is 
over the ability to easily re-key, I think it mostly just complicates things.  
Certs are effectively a much nicer single use key.  Exactly how the cert 
lifetime interacts with peering sessions is likely to be several flavors of 
ugly.

> 
> Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations 
> and difficulty of configuration aside)?  It would also solve the TCP-RST 
> injection issues that TCP-MD5 was intended to resolve.  You can use null 
> encryption with ESP or even just AH if you want authentication without 
> confidentiality, too.  Or are we all going to admit that ipsec is almost dead 
> in that it's just too darned complex?  Just run BGP over TCP as normal and 
> install a security policy that says it must use ipsec with appropriate 
> (agreed-upon) authentication.  "Just", right?

BGP over ipsec works fine.  But that said, it's mostly done with pre-shared 
keys.

The ugly issue of ipsec is that the ecosystem really wants IKE to do the good 
things people associate with long lived sessions.  I don't even vaguely pretend 
to be an ipsec/ike expert, but the wrangling over this and router bootstrapping 
issues generated a lot of heat and a small amount of light in IETF a while back.

And if you have a rather scaled out router, imagine the cpu melting that goes 
with a cold startup scenario where you have to get all of those IKE sessions up 
to start up your BGP.  Now think what that does to your restart time. 

-- Jeff

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Brandon Martin]

On 10/21/19 3:37 PM, Jeffrey Haas wrote:
> BGP over ipsec works fine.  But that said, it's mostly done with pre-shared 
> keys.

Is anybody actually doing it in practice?  Every transit and peering document 
I've ever seen just talks about TCP-MD5 (if it talks about authentication at 
all).
 
> The ugly issue of ipsec is that the ecosystem really wants IKE to do the good 
> things people associate with long lived sessions.  I don't even vaguely 
> pretend to be an ipsec/ike expert, but the wrangling over this and router 
> bootstrapping issues generated a lot of heat and a small amount of light in 
> IETF a while back.

Yes.  ipsec (IP layer) itself isn't too bad.  IKE is a complex mess.  A 
functional mess, perhaps, but a mess nonetheless.  I'd really like to hear from 
someone actually qualified on the cryptography side of things to chime in on 
whether long-lived symmetric keys are even really a problem anymore.  If 
they're not, just generating a decent "session" key and statically defining an 
SPI is a lot more straightforward.

OSPFv3 hopefully taught people some lessons with its initial lack of built-in 
authentication.  "Just use ipsec".  Ever tried to configure ipsec for multicast 
destinations/sources?  Ugh.  Authentication trailer is much simpler AND solves 
other issues as noted in the spec for it.  Unfortunately, it's still new enough 
that getting gear that supports it can be somewhat difficult, and it certainly 
rules out most end-of-sale or extended-support gear that might otherwise be 
perfectly serviceable but isn't receiving feature updates.

> And if you have a rather scaled out router, imagine the cpu melting that goes 
> with a cold startup scenario where you have to get all of those IKE sessions 
> up to start up your BGP.  Now think what that does to your restart time. 

Indeed, though I've seen a trend toward putting rather hefty CPUs on the 
control planes of "real" routers, nowadays, which I guess is welcome.  It 
doesn't really contribute much to the overall cost of something that can push 
100s of Gbps in hardware, anyway.
-- 
Brandon Martin

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Brielle]

On 10/21/2019 1:25 PM, Brandon Martin wrote:

Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations and 
difficulty of configuration aside)?  It would also solve the TCP-RST injection issues that TCP-MD5 
was intended to resolve.  You can use null encryption with ESP or even just AH if you want 
authentication without confidentiality, too.  Or are we all going to admit that ipsec is almost 
dead in that it's just too darned complex?  Just run BGP over TCP as normal and install a security 
policy that says it must use ipsec with appropriate (agreed-upon) authentication.  
"Just", right?


I've used BGP over IPSec before in my labs between EdgeRouter models for 
testing purposes.


Other then making sure there is either a connected route or static route 
(if doing multihop) to the other side, its works.  But like you said, 
interop issues and all may cause issues...


Speaking of issues, if you run StrongSwan for IPSec with BGP on the same 
router/system, make sure to disable charon's processing of routes or 
you'll be burning major CPU cycles.  See:


https://wiki.strongswan.org/issues/1196


--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Brandon Martin]

On 10/21/19 11:30 AM, Keith Medcalf wrote:
> Why cannot one just put the MD5 authenticated connection inside a TLS 
> connection?  What is the advantage to be gained by replacing the 
> authentication mechanism with weaker certificate authentication method 
> available with TLS?

Self-issued certificates with either CA pinning or end-certificate hash pinning 
is arguably more secure than a shared passphrase as used by TCP-MD5 in that 
someone with knowledge of the secrets of one end cannot use it to impersonate 
the other end whereas a shared passphrase is inherently shared and symmetric in 
that respect.  Whether that really provides much value in the context of a BGP 
session is perhaps questionable.

As has been pointed out elsewhere in the thread, TLS does also support 
PSK-based authentication and keying rather than certificates.  It's not 
commonly used since the normal uses of TLS are one-server<->many-clients which 
doesn't lend itself well to such things, but it's at least defined.

Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations and 
difficulty of configuration aside)?  It would also solve the TCP-RST injection 
issues that TCP-MD5 was intended to resolve.  You can use null encryption with 
ESP or even just AH if you want authentication without confidentiality, too.  
Or are we all going to admit that ipsec is almost dead in that it's just too 
darned complex?  Just run BGP over TCP as normal and install a security policy 
that says it must use ipsec with appropriate (agreed-upon) authentication.  
"Just", right?
-- 
Brandon Martin

RE: BGP over TLS

[Jakob Heitz (jheitz) via NANOG]

The article linked says no mainstream BGP implementation supports TCP-AO.
IOS-XE and IOS-XR support it.

While I do not represent the Cisco view, personally I like the idea of BGP over 
TLS.

Regards,
Jakob.

-Original Message-

Date: Mon, 21 Oct 2019 19:21:03 +1100
From: Julien Goodwin 


On 21/10/19 6:30 pm, Bjørn Mork wrote:
> Christopher Morrow  writes:
> 
>> isn't julien's idea more akin to DOT then DOH ?
> 
> Yes, and I really like Julien's proposal.  It even looks pretty
> complete.  There are just a few details missing around how to make the
> MD5 => TLS transition smooth.

At least for those systems that run on Linux (which is most all of the
major's except Juniper) I suspect if we went to the relevant kernel folk
with a clear plan on how handling TCP-MD5 in a way that would make
transitions much easier they'd listen.

The troll response at the top of my post was actually based on a
response from one of the kernel folk, who dislike TCP options even more
than network operators.

> Sorry for any confusion caused by an attempt to make a joke on DoH.  I
> didn't anticipate the sudden turn to serious discussion :-)  Which
> obviously was a good one.  I am all for BGP over TLS, so let's discuss
> https://laptop006.livejournal.com/60532.html

If anyone is at all interested in this I'm happy to discuss and flesh
out anything that's not clear. After I wrote this (over a few bottles of
red on the flight to linux.conf.au this year) I sent it to a bunch of
people that had expressed interest, including a few BGP implementations,
but nobody bit.

Re: BGP over TLS

[Jared Mauch]

> On Oct 21, 2019, at 12:30 PM, Joe Abley  wrote:
> 
> On 21 Oct 2019, at 12:05, Keith Medcalf  wrote:
> 
>> On Monday, 21 October, 2019 09:44, Robert McKay  wrote:
>> 
>>> The MD5 authentication is built into TCP options.. not obvious how you
>>> would transport it over TLS which afaik doesn't offer similar
>>> functionality.
>> 
>> AHA!  I understand now and sit corrected.  I was under the mistaken 
>> impression that MD5 authentication was an application level thing, not a TCP 
>> level thing.
> 
> Well, TLS exists within a TCP session, and that TCP session could incorporate 
> the MD5 signature option. I guess.
> 
> Julien's BGP-STARTTLS idea is interesting. I wonder about the practicality of 
> deploying certificates to every BGP speaker that are useful for strict 
> checking by neighbours, though. Perhaps I've been too long with my hands out 
> of routers and things have moved on, but it seems to me that the history of 
> certificate management in routers is not a rich tapestry of triumph.

It’s not.  I talked about this in the security area session at IETF several 
meetings ago — the requirements operators have around this space, and it’s 
quite a pain to be honest.

I’ve seen enough people have issues with managing a password that certificates 
would be even harder when there’s a router swap.

The issue isn’t that most people want privacy, it’s they want transport 
integrity which in general the TLS community seems to think everyone NEEDS both.

> Without strict checking in both directions, the threat model with TLS looks 
> pretty similar to that with TCP-MD5 with not very secret secrets, which I 
> gather is one of the deficiencies that the TLS proposal seeks to address.

This is a whole mess of trouble here due to the disconnect in how routers are 
managed, the technical capabilities of vendors and where the protocol split 
lives here.

I will take routers that don’t reboot when we commit them and devices that can 
be managed automatically vs the keyboard jockey days that we’re all used to.

Re: BGP over TLS

[Tony Finch]

Joe Abley  wrote:
>
> Well, TLS exists within a TCP session, and that TCP session could
> incorporate the MD5 signature option. I guess.

AIUI this might be useful to make it a bit harder to kill the TCP session,
tho I think modern TCPs are less vulnerable to off-path RST injection
than TCPs were when TCP-MD5 was introduced

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
German Bight, Humber, Thames: Cyclonic, mainly northeast, becoming west later,
3 to 5, occasionally 6 at first. Slight or moderate. Occasional rain. Good,
occasionally poor.

Re: BGP over TLS

[Joe Abley]

On 21 Oct 2019, at 12:05, Keith Medcalf  wrote:

> On Monday, 21 October, 2019 09:44, Robert McKay  wrote:
> 
>> The MD5 authentication is built into TCP options.. not obvious how you
>> would transport it over TLS which afaik doesn't offer similar
>> functionality.
> 
> AHA!  I understand now and sit corrected.  I was under the mistaken 
> impression that MD5 authentication was an application level thing, not a TCP 
> level thing.

Well, TLS exists within a TCP session, and that TCP session could incorporate 
the MD5 signature option. I guess.

Julien's BGP-STARTTLS idea is interesting. I wonder about the practicality of 
deploying certificates to every BGP speaker that are useful for strict checking 
by neighbours, though. Perhaps I've been too long with my hands out of routers 
and things have moved on, but it seems to me that the history of certificate 
management in routers is not a rich tapestry of triumph.

Without strict checking in both directions, the threat model with TLS looks 
pretty similar to that with TCP-MD5 with not very secret secrets, which I 
gather is one of the deficiencies that the TLS proposal seeks to address.


Joe

RE: BGP over TLS

[Keith Medcalf]

On Monday, 21 October, 2019 09:44, Robert McKay  wrote:

>On 2019-10-21 16:30, Keith Medcalf wrote:

>> Why do you need to do anything?  TLS is Transport Layer Security and
>> it's sole purpose is to protect communications from eavesdropping or
>> modification by wiretappers on/in the line between points A and B.
>> MD5 in BGP is used for authentication (rudimentary, but authentication
>> nonetheless).

>> Why cannot one just put the MD5 authenticated connection inside a TLS
>> connection?  What is the advantage to be gained by replacing the
>> authentication mechanism with weaker certificate authentication method
>> available with TLS?

>The MD5 authentication is built into TCP options.. not obvious how you
>would transport it over TLS which afaik doesn't offer similar
>functionality.

AHA!  I understand now and sit corrected.  I was under the mistaken impression 
that MD5 authentication was an application level thing, not a TCP level thing.

>You'd probably have to basically tunnel TCP frames inside TLS, which
>doesn't really sound ideal (reimplement TCP in userspace?)

>Either that or maybe use some other simpler MD5 based authentication
>(unrelated to the TCP implementation currently used in BGP).. but then
>that raises lots of questions like why even use MD5.

You are correct.  There is no point in using or moving the current MD5 
authentication method when it can just be "turned off" and some (perhaps better 
alternate) authentication method used as provided by the TLS wrapper.  This of 
course presumes that if one turns off MD5 that the additional TCP option header 
is not used ...

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.

RE: BGP over TLS

[Robert McKay]

On 2019-10-21 16:30, Keith Medcalf wrote:

On 21/10/19 6:30 pm, Bjørn Mork wrote:



Yes, and I really like Julien's proposal.  It even looks pretty
complete.  There are just a few details missing around how to make 
the

MD5 => TLS transition smooth.



At least for those systems that run on Linux (which is most all of the
major's except Juniper) I suspect if we went to the relevant kernel 
folk

with a clear plan on how handling TCP-MD5 in a way that would make
transitions much easier they'd listen.


Why do you need to do anything?  TLS is Transport Layer Security and
it's sole purpose is to protect communications from eavesdropping or
modification by wiretappers on/in the line between points A and B.
MD5 in BGP is used for authentication (rudimentary, but authentication
nonetheless).

Why cannot one just put the MD5 authenticated connection inside a TLS
connection?  What is the advantage to be gained by replacing the
authentication mechanism with weaker certificate authentication method
available with TLS?


The MD5 authentication is built into TCP options.. not obvious how you 
would transport it over TLS which afaik doesn't offer similar 
functionality.


You'd probably have to basically tunnel TCP frames inside TLS, which 
doesn't really sound ideal (reimplement TCP in userspace?)


Either that or maybe use some other simpler MD5 based authentication 
(unrelated to the TCP implementation currently used in BGP).. but then 
that raises lots of questions like why even use MD5.


Rob

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Radu-Adrian Feurdean]

On Mon, Oct 21, 2019, at 17:30, Keith Medcalf wrote:

> Why do you need to do anything?  TLS is Transport Layer Security and 
> it's sole purpose is to protect communications from eavesdropping or 
> modification by wiretappers on/in the line between points A and B.  MD5 
> in BGP is used for authentication (rudimentary, but authentication 
> nonetheless).

TLS can also be used for authentication (in several ways), even if it's not the 
most appropriate for this situation.

RE: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Keith Medcalf]

>On 21/10/19 6:30 pm, Bjørn Mork wrote:

>> Yes, and I really like Julien's proposal.  It even looks pretty
>> complete.  There are just a few details missing around how to make the
>> MD5 => TLS transition smooth.

>At least for those systems that run on Linux (which is most all of the
>major's except Juniper) I suspect if we went to the relevant kernel folk
>with a clear plan on how handling TCP-MD5 in a way that would make
>transitions much easier they'd listen.

Why do you need to do anything?  TLS is Transport Layer Security and it's sole 
purpose is to protect communications from eavesdropping or modification by 
wiretappers on/in the line between points A and B.  MD5 in BGP is used for 
authentication (rudimentary, but authentication nonetheless).

Why cannot one just put the MD5 authenticated connection inside a TLS 
connection?  What is the advantage to be gained by replacing the authentication 
mechanism with weaker certificate authentication method available with TLS?

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Julien Goodwin]

On 21/10/19 6:30 pm, Bjørn Mork wrote:
> Christopher Morrow  writes:
> 
>> isn't julien's idea more akin to DOT then DOH ?
> 
> Yes, and I really like Julien's proposal.  It even looks pretty
> complete.  There are just a few details missing around how to make the
> MD5 => TLS transition smooth.

At least for those systems that run on Linux (which is most all of the
major's except Juniper) I suspect if we went to the relevant kernel folk
with a clear plan on how handling TCP-MD5 in a way that would make
transitions much easier they'd listen.

The troll response at the top of my post was actually based on a
response from one of the kernel folk, who dislike TCP options even more
than network operators.

> Sorry for any confusion caused by an attempt to make a joke on DoH.  I
> didn't anticipate the sudden turn to serious discussion :-)  Which
> obviously was a good one.  I am all for BGP over TLS, so let's discuss
> https://laptop006.livejournal.com/60532.html

If anyone is at all interested in this I'm happy to discuss and flesh
out anything that's not clear. After I wrote this (over a few bottles of
red on the flight to linux.conf.au this year) I sent it to a bunch of
people that had expressed interest, including a few BGP implementations,
but nobody bit.

BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

[Bjørn Mork]

Christopher Morrow  writes:

> isn't julien's idea more akin to DOT then DOH ?

Yes, and I really like Julien's proposal.  It even looks pretty
complete.  There are just a few details missing around how to make the
MD5 => TLS transition smooth.

Sorry for any confusion caused by an attempt to make a joke on DoH.  I
didn't anticipate the sudden turn to serious discussion :-)  Which
obviously was a good one.  I am all for BGP over TLS, so let's discuss
https://laptop006.livejournal.com/60532.html



Bjørn