Last Modified: 2005-10-14
Securing Inter-Domain Routing (SIDR) BOF
Thursday, November 10, 2005 at 0900-1130
Geoff Huston <gih (a) apnic.net>
Ed Lewis <ed.lewis (a) newstar.biz>
The BOF reviewed the current status of RPSEC, and the current state of design activity in the area of secure inter-domain frameworks. The proposition was advanced that while RPSEC has not concluded as yet, there is sufficient impetus to commence work on infrastructure and protocol support mechanisms intended to address aspects of securing inter-domain routing. The specific area where there has been clear agreement in the requirements specification activity is that of authentication of route origination.
The proposed work would include consideration of the relevant certificate infrastructure to support information validation. It was noted that the outcomes of this activity should be capable of supporting hierarchical rooted PKI models as well as decentralized "web of trust" models if at all possible, as the intended scope of application of this framework encompasses a broad diversity of deployment environments.
There was support from the BOF attendees for the aspects of the work where there is clear agreement on requirements, concerning authentication of route origination information and use of associated certificate frameworks, to be undertaken immediately. The question of charter scope was considered and the rough consensus in the BOF was to support a charter that encompassed a more comprehensive security framework for inter-domain routing, but with a caveat that commencement on any particular component of the work would be conditional on clear agreement on requirements from the RPSEC Working Group.
Mailing list: firstname.lastname@example.org
0. Scribe Victimization and Agenda Bashing [2m]
1. Overview and Current Status
A report on RPSEC status as well as a general introduction to the work being proposed in this BOF.
Alex Zinin (AD) reported that this process started in the IETF some 3 years ago as an examination of BGP security requirements. It was noted that the charter for this work in the RPSEC Working Group was limited to requirement specification, and did not encompass the specification of standard implementation frameworks. The current status of this work with respect to inter-domain routing is that there is not complete agreement on a requirement specification, but that there is general agreement on a subset of the requirements, particularly as they apply to the authentication of route origination information. The intent from the AD was to sponsor an activity that moved forward on those aspects where there is observed agreement on requirements. It was stressed that this was not a "pick 1 candidate framework from the set of possible approaches", but one of specification of a standards-based approach that encompassed a diversity of use scenarios and a diversity of capabilities and infrastructure levels.
A presentation from Tony Tauber, the co-chair of RPSEC was made to the group by Geoff Huston.
It was noted by the IDR WG co-chair, Sue Hares, that the comment in the presentation that IDR was too busy to take on this activity was not the case, and IDR was processing its work agenda and welcomed new activity. In further discussion it was noted that the combination of the breadth of scope and specialized focus of this particular work item merited the use of a dedicated working group in order to ensure that there were appropriate levels of attention drawn from both the routing and security communities. The importance of working on those areas where there is clear agreement on requirements was stressed in the discussion.
2. Overview of current protocol solutions
A presentation from Russ White on soBGP covered the structure of the certificate infrastructure that had been described in the soBGP work, and noted the soBGP design decisions of using a new message type for passing certification information across the protocol peering sessions, the potential use of first hop AS specification and validation, and the issues related to partial deployment of this framework.
Discussion arising from this presentation covered the differences in the potential use of trusted third parties as distinct from the use of a hierarchy rooted at a single trust point. The presenter advanced the perspective that a hierarchy was a specific case of a web of trust where trust was vested into a single trusted root point and implicitly vested in the associated sub-delegations in the hierarchy that is rooted at that point.
A presentation from Steve Kent on sBGP noted that the essential characteristic in the routing space was the high level of autonomy of the autonomous system domain elements, and that the objective was to provide as much information as possible relating to the level of validation of the information provided in the routing protocol transactions, in order to assist the local autonomous system to make informed decisions as to what information to accept into the local forwarding domain and what information was appropriate to pass on to routing peers. The presentation noted a suggested timeliness of authentication information of the scale of some hours as a suitable trade-off. The associated certificate information structure was suggested to be one of a rooted hierarchy positioned as a trust anchor, although it was also noted that a web of trust can be seen as use of a collection of such rooted hierarchies.
Discussion arising from this presentation concerned the relationship between the storage and computational requirements of this approach as compared to the current and likely future dynamics of the Internet's routing system. The average AS path length and the nature of dynamic routing updates are seen as an important metric for this form of approach.
A presentation from Marcus Leech, on behalf of Tao Wan on pretty secure BGP (psBGP), looked at an algorithmic approach to the web of trust model, where levels of trust in provided information are calculated using as inputs information provided by routing peers, and potentially from trust anchors.
3. Description of proposed work
Alex Zinin (AD) spoke to a presentation that reiterated the desire that this work was not intended to pick any one of the existing approaches to the exclusion of others, but to take up the agreed requirements and develop specifications of infrastructure frameworks and protocol elements that could support such requirements. It was also anticipated that further requirements would be expressed in the near term future, specifically relating to considerations of the AS Path information, and that the initial activity should not preclude such subsequent extensions.
It was noted that the infrastructure framework should be able to support both hierarchical anchored information models as well as distributed web of trust models, to match the diversity of anticipated deployment environments. The work should also look beyond the information structure and protocol elements in order to ensure that all relevant aspects of the framework have been addressed.
Ross Callon voiced the perspective that "big bang" engineering is often ineffectual and the incremental and modular approach being advocated here appeared to present an appropriate methodology for the space. His comments also covered the topic of whether to charter a working group for this activity, or place this within the scope of an existing working group. The comment was that a chartered working group would offer the appropriate level of focus for an activity that included a diversity of considerations. Also the point was made that this was an activity that would not benefit from waiting until the situation was too late, and that activity in this area was timely and necessary.
Russ White presented some suggestions to the BOF that advocated leaving options open as far as possible and focus on the data models to be used here.
Sandy Murphy presented some perspectives gained from the RPSEC activity, noting that in the context of the public Internet accurate trust data is a critical input component.
Discussion considered the related activity in the Regional Internet Registries of resource certification, and it was noted that a description of this activity would be a useful input to this work.
The co-chair of RPSEC was questioned as to the anticipated time frame of completion of the requirements specification. At this stage it was not possible to give an estimate of this timing.
The group considered the issue of whether to include AS path-related work in a WG charter, or to omit this and undertake a re-charter once the requirements were complete. A suggestion was made to include this item in the charter with an explicit condition noted that this activity would not start until relevant requirements specification had been concluded.
The sense of the room was called as to whether they were in favour of chartering this work in a Working Group, with broad support for this proposal noted.
The charter drafting activity would proceed after this IETF meeting.