North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

  • From: william(at)elan.net
  • Date: Wed Nov 23 00:22:38 2005

On Tue, 22 Nov 2005, Bora Akyol wrote:

Furthermore, given that a trust algebra may yield a trust
value, rather than a simple 0/1, is it reasonable to use that
assessment as a BGP preference selector?  That would tie the
security very deeply -- too deeply? -- into BGP's guts.
If you take the web of trust model,
I think a security value can be assigned to announced information based
on a couple variables:

1) Distance from an absolute trusted authority.
Who is your absolute trusted authority? May this role possibly be
filled by whoever allocates ip addresses to everyone?

2) The feedback rating of the announcer (like Ebay ;-)
Why am I suddenly feeling like some parts of the internet are "better" then others (and that I'll even be able to tell which ones to some absolute value)? I wonder how quickly this would lead to fragmentation
of the net....

3) A statically configured metric based on a field match with a set of
extracted fields from the ID presented by the announcer.
Did you mean to say a filter based announcer BGP communities?

Or a combination of both.

I think this was discussed in detail in the pre-formation stages of the
BGP Sec. Req. document.
And its not in the produced requirements document as far as I can see.

I also remember reading about a paper on a PGP like trust mesh with
variable trust values assigned based on distance etc, but I can't recall the authors.
Web of trust metrics for PGP have been discussed in several papers (don't think it was ever for BGP). One of the problems is that it requires some central server that has access to list to all relationships and is able to quickly calculate trust metric from you to somebody else. Reliance on such central service can be a bit of a problem i.e. a single central point for attack, etc. (This is not say that RIR signed do not present some similar issues as they would have to distribute revocation data, but those can go as CRLs and at not necessarily queried for every path calculation like it would be with central server).

You can also just distribute all the relationship certs but then amount
of data you have to distribute is going to be huge and each end-node
would have to calculate the metrics (which calculation is going to be on
the order of trying to use Dijkstra SPF with 50,000+ nodes in single OSPF area - never tried anything close but I don't think such network would converge quickly) where as single server can at least cache the previous results although I think the problem would still be there (it can work at least it appears to be possible with PGP).

--
William Leibzon
Elan Networks
[email protected]