BGP Security and PKI Hierarchies (was: Re: Wifi Security)

Hierarchical relationships breed "reptiles" because of the inherent
asymmetric business relationship that results.
...
Frankly, I am quite impressed with the address registries.

How would you feel about having the registries serve as the root of
a hierarchical certificate system?

So an institution would have its "certificate" signed
by its upstream (or one of its upstream) providers.

How is this relationship not a hierarchical, asymmetric business
relationship?

What happens in this paradigm in de-peering situations? Are
you intending to exclude peering relationships from this web
of trust?

The providers could cross-certificate to build a "root free" (as in
"default free" zone) mesh (aka "Web of Trust.").

I believe a web of trust can be operationally feasible only if the web
is more like a forest - if there are several well known examples of
"tops" to the web. Otherwise, you have to be storing a plethora of
different signers' certificates to be able to validate all the
institution's certificates that come in. After all, there are
thousands of different providers out there. If every bgp speaker uses
a different certificate in signing updates to provider A than in
signing updates to provider B, then the validation can be quite
complex.

Any trust relationship model would have to deal with
(a) Provider independent space
(b) Multi-homed organizations, with and without AS's
(c) Organizations that are mobile - they might change their attachment
    point frequently or abruptly.

Authorities exist for some number resources - e.g., those registries
hand out addresses - should that be validated by the web of trust?
(The authority says the address is allocated to A but I've got an
update showing the address originating from B validated by my best
peer's three best peers' peers) (Sometimes authorities are needed
- if you were buying a car from Joe Doe, would you prefer a title
signed by the DMV or the testimony of your favorite body shops
that Joe Doe has been their customer for this car for a while now?)
That authority extends downward through sub-allocations in a tree,
not a mesh. (But the web of trust might be useful for those current
special cases that don't devolve from the existing registries, aka
legacy space, until that situation can be fixed.)

--Sandy
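
The tree of sub-allocations described in the message above, as an added sketch that is not part of the original thread: it checks only that each holder's prefix sits inside its issuer's and chains to a registry root, and omits signatures entirely. Record names, prefixes (documentation ranges) and AS numbers are constructed.

```python
from ipaddress import ip_network

ANCHORS = {"registry"}  # hypothetical trust-anchor id (assumption)

# Constructed sample records: documentation prefixes, reserved AS numbers.
CERTS = {
    "registry":  {"issuer": None,        "prefix": "192.0.2.0/24",   "asn": None},
    "providerA": {"issuer": "registry",  "prefix": "192.0.2.0/25",   "asn": 64496},
    "customerA": {"issuer": "providerA", "prefix": "192.0.2.64/26",  "asn": 64497},
    # Claims space its issuer does not hold: must fail the containment check.
    "rogue":     {"issuer": "providerA", "prefix": "192.0.2.128/25", "asn": 64499},
}


def chain_ok(cert_id, certs=CERTS, anchors=ANCHORS):
    """True if cert_id chains to an anchor and each prefix sits inside its issuer's."""
    seen = set()
    while cert_id in certs and cert_id not in seen:
        seen.add(cert_id)  # guards against issuer loops
        issuer = certs[cert_id]["issuer"]
        if issuer is None:
            return cert_id in anchors
        if issuer not in certs:
            return False
        child = ip_network(certs[cert_id]["prefix"])
        if not child.subnet_of(ip_network(certs[issuer]["prefix"])):
            return False
        cert_id = issuer
    return False


def check_origin(prefix, origin_as, certs=CERTS, anchors=ANCHORS):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'."""
    announced = ip_network(prefix)
    covering = [c for cid, c in certs.items()
                if c["asn"] is not None
                and announced.subnet_of(ip_network(c["prefix"]))
                and chain_ok(cid, certs, anchors)]
    if not covering:
        return "unknown"  # no authority speaks for this space (e.g. legacy space)
    return "valid" if any(c["asn"] == origin_as for c in covering) else "invalid"


if __name__ == "__main__":
    print(check_origin("192.0.2.64/26", 64497))   # allocated holder originates
    print(check_origin("192.0.2.64/26", 64500))   # "allocated to A, originated by B"
    print(check_origin("203.0.113.0/24", 64501))  # space outside the tree
```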

I believe a web of trust can be operationally feasible only if the web
is more like a forest - if there are several well known examples of
"tops" to the web. Otherwise, you have to be storing a plethora of
different signers' certificates to be able to validate all the
institution's certificates that come in.

you need those certs to verify the live data anyway

randy

* Sandy Murphy:

How would you feel about having the registries serve as the root of
a hierarchical certificate system?

What about the swamp space?

So an institution would have its "certificate" signed
by its upstream (or one of its upstream) providers.

(Don't know where that quote comes from.)

Why is this significantly better than ISP filters which prevent bogus
announcements from reaching wide propagation?

I've seen bogus announcements for which big ISPs have created
corresponding RADB entries. Wouldn't they just create certificates in
the new "secure BGP", and nothing is won?

> How would you feel about having the registries serve as the root of
> a hierarchical certificate system?

What about the swamp space?

Presumably if the users of class C blocks in the swamp
want to use the certificate services that the registry
provides then the registries would sell that service
for some reasonable fee.

Some people labor under the misunderstanding that
users of swamp space actually "own" IP addresses
and therefore have the right to not pay anybody
for anything at anytime. However, since "ownership"
is a legal concept and since IP address ownership
has never been tested in the courts, it is a moot
point.

Do you suppose that if a Microsoft salesman had
given me a free copy of Windows back in 1990, I would
have a right to use any version of Windows for free
forever?

--Michael Dillon

* Michael Dillon:

> How would you feel about having the registries serve as the root of
> a hierarchical certificate system?

What about the swamp space?

Presumably if the users of class C blocks in the swamp

The class B assignments are even more interesting because some of them
have been split (with or without the consent of the original
assignee).

want to use the certificate services that the registry provides then
the registries would sell that service for some reasonable fee.

Which registry? In many cases, there are two natural choices.

Some people labor under the misunderstanding that users of swamp
space actually "own" IP addresses and therefore have the right to
not pay anybody for anything at anytime. However, since "ownership"
is a legal concept and since IP address ownership has never been
tested in the courts, it is a moot point.

I can't follow your argument. You seem to be saying that we should
not worry *because* we enter uncharted legal terrain. This attitude
is completely alien to me.

Do you suppose that if a Microsoft salesman had given me a free copy
of Windows back in 1990, I would have a right to use any version of
Windows for free forever?

I guess I had the right to use that version of Windows forever.
Software is not a good example because life cycles are so much
shorter. But no one is really comfortable with retroactively revoking
software licenses, and it's often impossible because of first sales
doctrine, special copyright regulations (especially in European
countries), antitrust regulations etc.

Michael Dillon:

Do you suppose that if a Microsoft salesman had given me a
free copy of Windows back in 1990, I would have a right to
use any version of Windows for free forever?

Any version? No. That version, particularly its fixed representation as an
unchanged string of binary digits? Probably, but maybe not. But that's
because Microsoft can copyright long strings of binary digits as software
and sell you a restricted license to use it.

Note that small integers, unlike software, aren't easy to copyright,
trademark, or "own" in any of the other traditional senses.

Back in the early 1990s, I proposed to number my machines that I planned to
attach to the Internet with small integers chosen from a small range.
Conveniently, at the time, there was an organization that helped, at no
charge to the end users, to make sure that no two people chose the same
numbers, and so I allowed them to help make sure there was no conflict.

Since that time, I've arranged to have those numbers listed in one or more
BGP announcements on the global Internet.

And, over that time, nobody else that I've noticed has also tried to use and
announce the same numbers... I suppose if that sort of thing happened a lot,
the Internet would be much less stable and useful (and filled with lawyers,
no doubt, arguing over their proposed "solutions" to the problem), so it is
nice that nobody has chosen to do so.

If there ever comes a time when there's an actual shortage of unique numbers
that are routable, I suspect things will get more Interesting.

Matthew Kaufman
matthew@eeph.com