On Wed, 23 Feb 2011, Shane Amante wrote:

Randy,

On Feb 22, 2011, at 20:11 MST, Randy Bush wrote:
If we have already authenticated the route origin, with either offline
or online enforcement depending on your preference, we have
cryptographically bound a route object to an aut num.

btw, the sidr work to date has not formally bound the route origin.  it
is informal, and easily spoofed.  the sidr work to date only deals with
the simple fat finger problem.

Can you clarify what you mean by "the sidr work to date has not formally bound the 
route origin ... and [is] easily spoofed"?

This is something that has been mentioned in the wg many times, so I'll answer.

It is quite easy for an AS to construct an AS_PATH with the legitimate authorized origin on the origin end, without ever having received such an announcement from the origin. Without the legitimate origin ever having actually made the announcement to anyone, even.

That's why path validation is important. You really would like some assurance that the origin actually announced the prefix *and* announced it to the party that appears to have propagated it onward.


I thought the entire goal of the RPKI and, more importantly, the objects that 
it holds attest to the 'authorization' to originate a route?  In particular, I 
refer to the following in Section 3.1 of 
http://tools.ietf.org/html/draft-ietf-sidr-arch-12:

Authorization yes but not authentication.

You know the origin AS is authorized to announce the prefix but you don't know that the announcement is authentic. Any other AS could produce a route that looks like the legitimate origin made the announcement when they did not.

When this is pointed out, I always remind people:

Even though origin authorization is not the end game, it is a vital necessary crucial important first step without which nothing else could succeed.

I.e., we are not wasting our time here.

--Sandy


---snip---
  A ROA is an attestation that the holder of a set of prefixes has
  authorized an autonomous system to originate routes for those
  prefixes.  A ROA is structured according to the format described in
  [ROA-FORM].  The validity of this authorization depends on the signer
  of the ROA being the holder of the prefix(es) in the ROA; this fact
  is asserted by an end-entity certificate from the PKI, whose
  corresponding private key is used to sign the ROA.
---snip---

Perhaps there's a subtle _security_ nuance that I'm missing in your statement?

Thanks,

-shane
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
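
The difference between origin authorization and path authenticity discussed in this thread, as an added example that is not part of the original messages: a minimal Python sketch of prefix-origin validation against ROA data (the procedure later specified in RFC 6811). The prefixes, AS numbers and the `origin_validation` name are constructed for illustration, and the AS_PATH is assumed to be a plain AS_SEQUENCE.

```python
import ipaddress

# Constructed ROA payloads: (prefix, maxLength, authorized origin AS).
# Documentation prefixes and documentation AS numbers only.
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64497),
]

def origin_validation(prefix, as_path, vrps=VRPS):
    """Classify a route as 'valid', 'invalid' or 'notfound' from ROA data.

    Only the rightmost AS of the path (the claimed origin) is examined;
    the rest of the AS_PATH plays no part in the decision.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for vrp_net, max_len, asn in vrps:
        # Skip ROA entries of the other address family or not covering the prefix.
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        if asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

# Constructed sample announcements as seen by a relying router.
ROUTES = [
    ("announced by the origin",       "192.0.2.0/24",   [64500, 64496]),
    ("origin never sent this path",   "192.0.2.0/24",   [64511, 64496]),
    ("fat-finger origin",             "192.0.2.0/24",   [64500, 64499]),
    ("more specific than maxLength",  "192.0.2.0/25",   [64500, 64496]),
    ("no covering ROA",               "203.0.113.0/24", [64500, 64496]),
]

if __name__ == "__main__":
    for label, prefix, path in ROUTES:
        print(f"{label:30} {prefix:16} {path} -> {origin_validation(prefix, path)}")
```

The first two routes receive the same result because the ROA data carries no information about who the origin sent the announcement to; telling them apart requires the path validation described in the message.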