Final Agenda IRTF Open Meeting @ IETF-90 Toronto, Canada TUESDAY, July 22, 2014 1420-1620 EDT Tuesday Afternoon Session II State of the IRTF Lars Eggert 10 min Applied Networking Prize (ANRP) Award Talk 45 min *** Robert Lychev *** for studying the security benefits provided by partially-deployed S*BGP: (Misbah Uddin will present at IETF-91 due to visa issues.) Q&A: Sriram (NIST) do you happen to have the chart for security first? It's higher? Yes. Do you have information about operator preferences? RL: The survey didn't talk about RPKI specifically Sriram: What sense of security did they have in mind when you did the survey? RL: It was basically BGPSEC sense of security - path validation or route authentication. Sriram: I wonder if that would change over time as familiarity grows RL: Good point - redoing survey annualy is a good idea Sandy Murphy: Protocol downgrade problem - I find this result totally unsurprising. 2nd question - 53% - base RPKI protection if you're not worrying about BGPSEC protection - people protected because they're closer to the protected route. 53% are closer to the correct than the attacker? How do you get 53%? RL: averaged over non-stub attackers. graph has a certain kind of structure. 60% when stub attackers are included. as internet changes these numbers may change. Leslie Daigle (Thinking Cat Enterprises): A question about methodology. You're moving attacker around the network? RL: Yes. LD: 17% is kind of depressing if one wants to motivate deployment of BGPSEC. Operator doesn't know if they're in 17% of happy networks or not. RL: That's correct. Since you mentioned 'depressing' - you could consider secure islands - then you see much better improvements. Also in secure islands, net ops that are part of the island can choose to always select security first. ? (APNIC): Trying to deploy RPKI in Japan. JPNIC is IP registry in ? (Japan. In Japan we've had several RPKI deployment workshops - ? (common question is how RPKI impacts secure routing, so this ? (presentation is quite interesting. In my opinion, RPKI or other ? (security mechanisms may not create a perfect world, but for people ? (who want to be happy. Making happiness for everyone, but how happy ? (for the people who want to deploy. RL: Multiple levels of happiness? Doug Montgomery (NIST): randomly choosing different levels of BGPSEC deployment - are you using heuristics? RL: Not random - want to have a connected component, and we focus on biggest ASes. We also add stubs because it may be possible in the future that ISPs of stubs will take over their security operations so this would be a very natural deployment scenario - large ISP deploys and carries all of their stubs with them. David ?: So observation is that introducing a single hijack - 53% isn't all that surprising. Mike ?: 17% didn't seem to bad to me. RL: You're an optimist. Mike ?: Single attacker or multiple? RL: Average over all attackers, but we only consider non-stub attackers. Only one at a time. You may get different results if you have multiple attackers. Simulations would be difficult. Jana Iyengar: This is really cool, thankyou for bringing it here. Have you looked at other metrics? RL: Haven't looked at other metrics. You have to consider global impact - if you look at max or min you won't know what it means. JI: If it's positional you could go after those ASes. RL: That's true. NIST person was Doug Mongtomery His comment was that with random position of attacker, he would expect 50% so 53% was odd. Answer was that 1-hop attack should be longer so more likely to be further away from an AS. Towards Quantum-Safe Cryptography Michele Mosca 45 min Kenny Paterson: You could argue that without PFS you need to worry now because recorded conversations could be broken in future when QC tech has improved. MM: Yes Tim Shepherd: You mentioned Quantum key distribution as something that might help us come up with quantum-safe solutions. My understanding of QKD is that it requires a quantum communication path - so we couldn't put them on IP packets - we'd need a quantum Internet. So is my understanding correct, and is there any hope that deploying a quantum computer at the end points when you have a conventional network between them provides a path to quantum-safe solutions? MM: It depends at which layer you're using QKD - clean dark fibre between two nodes is best, but using conventional nets has been studied. Will there be a real business case for QKD? Maybe, maybe not. In principle you need a router that is able to redirect parts of the packet without looking at it - not short term practical, but no reason you couldn't have an out-of-band key establishment with QKS and plug that in. Has been some thought given to what would happen if you had a quantum computer in every household, by which time quantum routers don't seem unreasonable, but this is really next-gen stuff. Phil Hallam-Baker: Interested in how we defend. Defender can create exponentially harder problem for attacker - I'm assuming attackers have quantum computing long before I do. Replacement for RSA that's a drop in is trivial. Public key system but keys can't be made public any longer - asymmetric secret keys. And then finally kerberos. We do have an architecture for symmetric key distribution - could go back to that. David McGrew: This is a great talk, thanks. QKD is an extremely impractical tech - scientifically interesting, but in practice offers essentially no value except in some niche areas - important for people to understand the limitations. QKD has very poor side channel resistance - vulns at the physical layer - this is a new weakness that conventional crypto does not have. MM: Aware of this. But don't think it's fundamentallly different to classical systems - we need to protect against side-channels. Obvious solutions to do that aren't available yet for QKD. It's not a fundamental problem. DM: That's a surprising answer. MM: There are easy fixes but it's going to take a decade of engineering to address them. There's no fundamental difference. DM: Range and data rate limitations are very severe with QKD. For Internet secure wireless communication is important - QKD is not going to address that. MM: We agree that QKD needs to be ubiquitously deployed. Depends how technology goes - agree that we need post-quantum stuff as there's wireless. Tanja Lange: Comment on Kenny Paterson's remark - Forward security doesn't help for recorded comms. PFS is also breakable by quantum computer - so PFS doesn't help you. Joel H. (CDT): Recording ciphertext is known to be done.