netsec-sig - Re: [Security-WG] BCP for Origin validation (RFC7115)
- From: Brad Fleming <>
- To:
- Subject: Re: [Security-WG] BCP for Origin validation (RFC7115)
- Date: Fri, 19 Apr 2019 11:05:10 -0500
I’m assuming it means “there’s no way to cryptographically sign the actual
BGP update on the router and it’s easy to pretend to be any ASN; thus a
malicious actor can still defeat RPKI-based OV, meaning OV will generally
only protect against configuration mistakes.”
Which somewhat goes with the spirit of the following paragraph:
Origin validation does not address the problem of AS_PATH validation.
Therefore, paths are open to manipulation, either malicious or
accidental.
So I think maybe Randy was just pointing out the two major, known limitations
of OV; malicious actors can still hijack in at least some cases, and this
doesn’t do anything for path-level validation.
--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
> On Apr 19, 2019, at 10:49 AM, David Farmer <> wrote:
>
> The Security Considerations of RFC7115 has the following statement in it;
>
> As the BGP origin AS of an update is not signed, origin validation is
> open to malicious spoofing. Therefore, RPKI-based origin validation
> is expected to deal only with inadvertent mis-advertisement.
>
> I think what this is saying is that the owner of a prefix could maliciously
> say the prefix is originated by an ASN incorrectly. However, I don't
> believe the converse is true: an ASN cannot maliciously say the prefix is
> originated by it.
>
> Or, put another way, ROAs say which ASNs originate the prefix, and they are
> signed by the owner of the prefix, but there is no way for an ASN to say
> which prefixes it originates that is then signed by the owner of the ASN.
>
> Do I have that right?
>
> Thanks.
>
>
>
> --
> ===============================================
> David Farmer Email:
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 612-626-0815
> Minneapolis, MN 55414-3029 Cell: 612-812-9952
> ===============================================
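The thread above turns on what an RPKI origin-validation check actually compares: the ROA set (prefix, maxLength, authorised origin AS, signed by the prefix holder) against the origin AS carried in the announcement, which nothing signs. The following is an added example, not code from the thread or from any router vendor, implementing the RFC 6811 valid/invalid/notfound decision over a small constructed ROA set. The ROA entries, prefixes and AS numbers are invented sample data (documentation prefixes and private-use ASNs); the `ROA`, `covers` and `validate` names are this example's own.

```python
"""RFC 6811-style route origin validation against a small ROA set.

Added example (not from the mailing-list thread). It shows what the
validator has to work with: the prefix and the *claimed* origin AS of an
announcement. A mis-typed origin AS in a configuration is caught as
'invalid'; an announcement carrying the authorised origin AS is 'valid'
regardless of who actually emitted it, which is the limitation the
thread discusses.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # ROA prefix, e.g. "192.0.2.0/24" (constructed sample data)
    max_length: int  # longest prefix length the ROA authorises
    origin_as: int   # ASN authorised to originate the prefix


# Constructed sample ROA set (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
)


def covers(roa: ROA, prefix: str) -> bool:
    """A ROA covers a route when the route prefix lies within the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    net = ipaddress.ip_network(prefix)
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(prefix: str, origin_as: int, roas=SAMPLE_ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' for (prefix, origin AS).

    Follows RFC 6811 section 2: no covering ROA -> notfound; at least one
    covering ROA whose origin AS matches and whose maxLength admits the
    announced prefix length -> valid; otherwise invalid.
    """
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "notfound"
    plen = ipaddress.ip_network(prefix).prefixlen
    for r in covering:
        if r.origin_as == origin_as and plen <= r.max_length:
            return "valid"
    return "invalid"


def validate_all(updates, roas=SAMPLE_ROAS) -> dict:
    """Validate a batch of (prefix, origin_as) pairs; returns a result map."""
    return {(p, a): validate(p, a, roas) for p, a in updates}


if __name__ == "__main__":
    # Constructed announcements: note the validator never sees a sender.
    sample_updates = [
        ("192.0.2.0/24", 64496),      # authorised origin
        ("192.0.2.0/24", 64500),      # wrong origin AS (e.g. a config typo)
        ("198.51.100.0/25", 64497),   # more specific than maxLength allows
        ("203.0.113.0/24", 64496),    # no ROA at all
        ("2001:db8:1::/48", 64496),   # IPv6, within /32 and maxLength 48
    ]
    for (pfx, asn), state in validate_all(sample_updates).items():
        print(f"{pfx:<20} AS{asn:<6} -> {state}")
```

The validator has only the announced prefix and origin AS to compare against the ROA set; it has no notion of which router or AS actually sent the UPDATE, nor any check on the rest of the AS_PATH. That is why the same code returns `valid` for any announcement carrying the authorised origin AS, and why the RFC limits the expected benefit to inadvertent mis-advertisement.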