RE: Validating rights to announce a prefix (was: Public shaming...)

[Skywing <Skywing () valhallalegends com>]

I respectfully disagree that it's nonsense.  You can shut off your Gopher server, because, for some set of "nobody" 
that you care about, nobody uses Gopher anymore.

There are several basic ways for an old protocol to get replaced:

- Nobody has a use for it any more, for a sufficient level of "nobody" (e.g. Gopher).  In the case of Gopher, it could 
be argued that it never really caught on to the degree that things like, say, HTTP did.
- Everyone moves on to a newer version, typically because somebody forces it on them (vendor ceasing support of old 
protocol, centralized that can enforce such things mandates it, etc).

The problem here, that I see with deploying a new protocol version, is that operators will be loathe to create a policy 
saying that "I don't accept delegation notifications of version less than x+1" until doing so does not mean that they 
will be cutting off things that their customers care about reaching.  In this situation, flipping the big red switch to 
turn off protocol version x is externalized and dependent upon everyone that a particular operator's customers care 
about having started using version x+1.  There isn't a particularly great way right now for said operator to force 
other networks to deploy version x+1, at least not without trying to do something along the lines of playing chicken 
between their customers walking and said other networks getting their act together by cutting off version x.  (If this 
perception is not entirely accurate, according to your beliefs, please feel free to explain.)

If you leave version x+1 as optional, then you're going to be waiting a very, very long time for it to naturally "die 
out" as long as there is still a sizable user base that you care about.

Again, there may not be an exact, down-to-the-line analogue to this particular problem, but there are a whole lot of 
things on the 'net out there which have some degree of similarity and tend to demonstrate that on average, without some 
authoritative centralized body somehow forcing action to be taken, old protocols that are "good enough" tend to stick 
around forever (even when "good enough" often really means "not really, truly secure").  I think that it would be wise 
to avoid getting ourselves mired into that mess going forward.

Cutting remarks aside, it seems like you tend to find this preferable as well after all ("Even more straighforward if 
we walk into this with clear requirements and a clear documented architecture so that everyone knows what the 
boundaries are and fewer people bake things into hard-to-upgrade places."), unless I am misunderstanding you :)

[ Not commenting on the matter of expiring IRR database entries, as my posting was, again only discussing the matter of 
the pitfalls of assuming that protocol upgrades will be particularly workable to provide "add-on" security later in the 
game. ]

- S

-----Original Message-----
From: michael.dillon () bt com [mailto:michael.dillon () bt com]
Sent: Friday, August 15, 2008 11:39 AM
To: nanog () nanog org
Subject: RE: Validating rights to announce a prefix (was: Public shaming...)


> "Easy upgrade" to PKI after the fact might as well be a
> misnomer.  In particular, there will likely be no way to
> ensure that nobody uses the old system instead of the new,
> spiffy and "secure"-ified system.  This means that support
> for the old, "insecure" system must be kept around
> indefinitely, for all practical considerations

This is nonsense. If I can shut down my gopher server, then
why can't someone stop accepting delegation notifications that
don't meet the requirements of version x+1 for some value of x?

For that matter, since cleanliness of data is a major problem
in this type of database, why can't all records expire 6 months
after they are entered? That would avoid the garbage that collects
in IRR or whois databases. If an entity is not active and does not
refresh their delegation of prefix announcement rights, then
after 6 months, their connectivity will begin to crumble as the
various providers refresh their route filters from their OSS
systems.

> Now, it may well be that we don't need a full blown PKI here,
> but I think that we should be extremely wary of any scheme
> that proposes to be future upgradeable to be "more secure",
> especially when we are talking about a mostly decentralized
> system where there isn't going to be much of a practical push
> to force people to upgrade.

You mean version incompatibility leading to an inability to
refresh your expired data, is not enough of a push? If that
is so, then why are you routing their traffic?

> At the risk of opening the door to much flame-age, consider
> that with dnssec, my understanding here is that we will
> *still* have to keep around support for non-secured queries
> for a very, very long time until everyone

That is a different situation even though there are similarities.

> To give a quick example off the top of my head of why this
> can be dangerous, consider the following back-of-the-napkin scenario:
>
> Even with signature expiration times in place in dnssec to
> try and prevent replaying of old signed zones that would
> allow downgrade attacks for any domains not listed as
> supporting dnssec, an adversary in your packet path can still
> (probably) have a reasonable shot at successfully forcing a
> downgrade attack and subsequently spoofing data using "plain"
> DNS fallback.  For example, to validate validity timestamps
> on signatures, you need to have valid local system time, and
> how do you update your local system time?  Do you use NTP
> over the public Internet?  If so, an attacker in your packet
> path can change your system time and replay old dnssec
> signatures, thus allowing downgrade attacks for domains that
> were previously not using dnssec by taking advantage of
> "plain" DNS fallback code.

This is why these fully automated crypto PKI solutions make me
uneasy. There is too darn much complexity and too little experience
with them in the real world. If you move the problem to a different
space where OSS systems check route delegations, and only update
router configs after some human intervention then there is less
chance of wierd attack vectors succeeding.

>  I'm also not trying to bash your proposal
> specifically (or the level of security it provides), but
> rather just call attention to the uncomfortableness to
> anything that provides "soft" security from the get-go with a
> later option for upgrade to "hard" security.

If I agreed with you, I never would have set up an ISP back
in 1994 because of the fundamental insecurity of an IPv4
Internet without IPSEC support baked into the fundamental
protocol.

> There are just *so* many things that make handling a "secure"
> upgrade to a well-entrenched protocol that provides "hard"
> security, while keeping reasonable functionality an extremely
> difficult task (to say the least), that you would likely
> almost be better scrapping the existing (well, new) protocol
> entirely and coming up with a new one from scratch should
> such prove necessary.

See, there is a straightforward upgrade route after all.
Even more straighforward if we walk into this with clear
requirements and a clear documented architecture so that
everyone knows what the boundaries are and fewer people
bake things into hard-to-upgrade places.

--Michael Dillon