*WG Chair Hat OFF*
On 09/01/2009, at 6:59 AM, Sam Weiler wrote:
I've been digging through the boa and validation drafts, trying to
understand the proposed validation algorithm. That's inspired a
number of questions, which I hope the WG will indulge me by answering.
The first, which is based on the validation algorithm as described
in the current docs: is it easy to bypass BOA-based bogon filtering?
If you have two adjacent net blocks, one of which is in use and
covered by a ROA, the other of which is not in use and is covered by
a BOA, can an attacker just publish a route to the aggregate
netblock (a shorter prefix) and gain the use of the BOA-covered
addresses?
Example:
there exists a valid ROA for 229.0.2.0/24 (it's in use)
there exists a valid BOA for 229.0.3.0/24 (not in use)
Spammer publishes a route for 229.0.2.0/23.
The validation algorithm, not seeing a BOA for the /23 or shorter,
ignores the /24 BOA and treats the /23 route as having "no roa" (#3
in section 3 of the validation draft).
That doesn't affect the block that is in use, but it allows the
attacker to subvert the BOA-based bogon filtering on the out-of-use /
24.
Right? Or where did I go astray?
You are right Sam.
The original version of the BOA draft proposed a more encompassing
algorithm for BOA interpretation where the presence of a BOA could be
used to infer the invalidity of a route advertisement in those cases
where the route advertisement is an aggregate of the prefix described
in the BOA. An observed case of bogus routing, the /8 advertisements
that were originated out of AS4678 as part of a spam operation, was
one that motivated the original proposed model of interpreting a BOA
to refer to aggregates that were not covered by a ROA, as well as
referring to more specifics.
The initial discussion of this algorithm pointed out that this had the
unfortunate side effect where the recipient of an allocation of an
address prefix could 'force' other parties to issue a ROA simply by
publishing a ROA for all or part of the address prefix. The outcome of
the discussion was a preference to limit the scope of a BOA to the
prefix nominated by the BOA or a more specific thereof. i.e. if A is
an LIR and A has been allocated 10.0.0.0/16 and A advertises the
aggregate, but chooses not to issue a ROA, then this would be
harmless, in so far as the absence of a ROA should not be inferred as
being bogus, particularly in an environment of piecemeal adoption of
the use of these authorities and attestations. However, if A then
allocates to B the prefix 10.1.0.0/24, and certifies the allocation,
then if B publishes a BOA for the allocated address block, then with
the original BOA proposed scope this action would cause A's
advertisement of 10.0.0.0/16 to be considered bogus, and, in turn,
force A to generate a ROA to 'defend' it's advertisement as being
valid. The revision of the proposed algorithm of interpretation of the
BOA was proposed in order to eliminate this form of forced ROA use
side-effect which, at the time, was considered in the discussion of
the BOA model, to be an undesirable side-effect.
In my mind I don't see either algorithm is being right or wrong here -
its a case of a tradeoff between a desire to apply a BOA model to as
broad a case as possible of forms of bogus route advertisement in
order to detect as many cases as possible of bogus route
advertisement, and a desire to limit the level of side effects of BOA
use, particularly when considering this in a scenario of piecemeal use
of ROAs and BOAs.
regards,
Geoff
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
