On 2015-02-07 18:28, Sriram, Kotikalapudi wrote:
It might be possible for an attacker to take a valid signature of data from the structure in 4.2, and present it as a valid signature of the same bytes interpreted with the structure in 4.1.

If you have worked out a concrete example showing how the attack works, it would be good to see that. For this type of attack to be feasible, is it required that the size of the signature field equals the combined size of {Alg. ID, NLRI length, NLRI prefix}?

Yes, that's correct.

If yes, observe that the size of the signature field (ECDSA-P256) = 64 octets + a few variable #octets, and the combined size of {Alg. ID, NLRI length, NLRI prefix} is either 6 octets (IPv4) or 18 octets (IPv6).

Good catch. It seems that for a feasible attack, a future algorithm suite would need to have much shorter signatures (unlikely) or bgpsec would need to be extended to something with much longer NLRI prefixes (who's ready for IPv8?!) So this isn't going to bite us for a very long time, if ever. Should we (1) prevent that remote possibility by adding a single byte to both to-be-signed structures (which doesn't add any bytes on the wire), (2) make a note in the security considerations, or (3) just ignore this as too unlikely to care about? If we choose either 2 or 3, won't it be very difficult to change our minds once bgpsec is deployed? How hard is it to do (1) now?

--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
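
The size condition and option (1) from the message above, as an added example that is not part of the original thread or of the bgpsec draft. The field layout is a simplified assumption (a shared fixed header followed by either {Alg. ID, NLRI length, NLRI prefix} or the most recent signature), and the tag values, function names and sample values are hypothetical.

```python
import struct

# Assumed shared header: target AS, signer AS, pCount, flags (10 octets).
HDR = struct.Struct("!IIBB")
# Hypothetical one-octet separators, prepended only to the signed bytes.
TAG_ORIGIN, TAG_TRANSIT = b"\x01", b"\x02"

def origin_tbs(target_as, origin_as, pcount, flags, alg_id, nlri_len,
               prefix, tagged=False):
    """Bytes signed by the origin AS (the 4.1-style structure)."""
    body = HDR.pack(target_as, origin_as, pcount, flags)
    body += bytes([alg_id, nlri_len]) + prefix
    return TAG_ORIGIN + body if tagged else body

def transit_tbs(target_as, signer_as, pcount, flags, prev_sig, tagged=False):
    """Bytes signed by a later AS (the 4.2-style structure)."""
    body = HDR.pack(target_as, signer_as, pcount, flags) + prev_sig
    return TAG_TRANSIT + body if tagged else body

def parse_as_origin(data, tagged=False):
    """Return origin fields if data is a well-formed origin structure."""
    if tagged:
        if data[:1] != TAG_ORIGIN:
            return None               # wrong structure type: reject
        data = data[1:]
    tail = len(data) - HDR.size
    if tail not in (6, 18):           # sizes from the thread: IPv4 / IPv6
        return None
    target_as, origin_as, pcount, flags = HDR.unpack_from(data)
    alg_id, nlri_len = data[HDR.size], data[HDR.size + 1]
    prefix = data[HDR.size + 2:]
    if nlri_len > 8 * len(prefix):    # bit length must fit the prefix
        return None
    return {"origin_as": origin_as, "alg_id": alg_id,
            "nlri_len": nlri_len, "prefix": prefix}

if __name__ == "__main__":
    # Constructed 6-octet "signature" from an imagined future suite.
    short_sig = bytes.fromhex("0118c0000200")
    cases = {
        "6-octet sig, untagged": (short_sig, False),
        "64-octet sig, untagged": (bytes(64), False),
        "6-octet sig, tagged": (short_sig, True),
    }
    for name, (sig, tagged) in cases.items():
        tbs = transit_tbs(64500, 64501, 1, 0, sig, tagged=tagged)
        print(name, "->", parse_as_origin(tbs, tagged=tagged))
```

Only the first case parses as an origin structure; a 64-octet signature fails the size check, and the tag octet rejects the short one regardless of size.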
