RE: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Steven M. Bellovin
Sent: Tuesday, November 22, 2005 12:54 PM
To: Randy Bush
Cc: nanog@nanog.org
Subject: Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

<..>

Furthermore, given that a trust algebra may yield a trust
value, rather than a simple 0/1, is it reasonable to use that
assessment as a BGP preference selector? That would tie the
security very deeply -- too deeply? -- into BGP's guts.

If you take the web of trust model, I think a security value can be assigned to announced information based on a couple variables:

1) Distance from an absolute trusted authority.
2) The feedback rating of the announcer (like Ebay ;)
3) A statically configured metric based on a field match with a set of extracted fields from the ID presented by the announcer.

Or a combination of both.

I think this was discussed in detail in the pre-formation stages of the BGP Sec. Req. document.

I also remember reading about a paper on a PGP like trust mesh with variable trust values assigned based on distance etc, but I can't recall the authors.

All in all, this is not totally different from Viterbi decoding of
digital signals in the presence of noise in the way the trust values
would be constructed.

Furthermore, given that a trust algebra may yield a trust
value, rather than a simple 0/1, is it reasonable to use that
assessment as a BGP preference selector? That would tie the
security very deeply -- too deeply? -- into BGP's guts.

If you take the web of trust model,
I think a security value can be assigned to announced information based
on a couple variables:

1) Distance from an absolute trusted authority.

Who is your absolute trusted authority? May this role possibly be
filled by whoever allocates ip addresses to everyone?

2) The feedback rating of the announcer (like Ebay ;)

Why am I suddenly feeling like some parts of the internet are "better" than others (and that I'll even be able to tell which ones to some absolute value)? I wonder how quickly this would lead to fragmentation of the net....

3) A statically configured metric based on a field match with a set of
extracted fields from the ID presented by the announcer.

Did you mean to say a filter based announcer BGP communities?

Or a combination of both.

I think this was discussed in detail in the pre-formation stages of the
BGP Sec. Req. document.

And it's not in the produced requirements document as far as I can see.

I also remember reading about a paper on a PGP like trust mesh with
variable trust values assigned based on distance etc, but I can't recall the authors.

Web of trust metrics for PGP have been discussed in several papers (don't think it was ever for BGP). One of the problems is that it requires some central server that has access to the list of all relationships and is able to quickly calculate the trust metric from you to somebody else. Reliance on such a central service can be a bit of a problem, i.e. a single central point for attack, etc. (This is not to say that RIR signed do not present some similar issues, as they would have to distribute revocation data, but those can go as CRLs and are not necessarily queried for every path calculation like it would be with a central server.)

You can also just distribute all the relationship certs, but then the amount of data you have to distribute is going to be huge and each end-node would have to calculate the metrics (which calculation is going to be on the order of trying to use Dijkstra SPF with 50,000+ nodes in a single OSPF area - never tried anything close, but I don't think such a network would converge quickly), whereas a single server can at least cache the previous results, although I think the problem would still be there (it can work, at least it appears to be possible with PGP).
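Added example, not part of the original thread and not any participant's code: a trust value derived from "distance from an absolute trusted authority", computed with the Dijkstra search the last message mentions. It assumes that trust along a chain of relationship certs is the product of per-cert values; the `CERTS` graph, the `RIR` anchor name, and the function `trust_from` are constructed for illustration.

```python
import heapq
import math

# Constructed sample data: signer -> {subject: trust in (0, 1]}. "RIR" stands in
# for the absolute trusted authority; the relationships are made up.
CERTS = {
    "RIR": {"AS64500": 0.99, "AS64501": 0.95},
    "AS64500": {"AS64502": 0.90, "AS64503": 0.60},
    "AS64501": {"AS64503": 0.90},
    "AS64502": {"AS64504": 0.80},
    "AS64503": {"AS64504": 0.95},
}


def trust_from(anchor, certs):
    """Return {node: (trust, chain)} for the most-trusted chain from anchor.

    Assumption (not from the thread): trust along a chain is the product of
    its edge values, so maximising it is a shortest-path problem on
    cost = -log(trust), which Dijkstra solves because every cost is >= 0.
    """
    cost_to = {anchor: 0.0}
    prev = {}
    heap = [(0.0, anchor)]
    settled = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in settled:
            continue  # stale heap entry
        settled.add(node)
        for subject, trust in certs.get(node, {}).items():
            if not 0.0 < trust <= 1.0:
                raise ValueError(f"trust for {node}->{subject} not in (0, 1]")
            new_cost = cost - math.log(trust)
            if new_cost < cost_to.get(subject, math.inf):
                cost_to[subject] = new_cost
                prev[subject] = node
                heapq.heappush(heap, (new_cost, subject))
    result = {}
    for node, cost in cost_to.items():
        chain = [node]
        while chain[-1] != anchor:
            chain.append(prev[chain[-1]])
        result[node] = (math.exp(-cost), chain[::-1])
    return result  # nodes with no chain to the anchor are absent (trust 0)


if __name__ == "__main__":
    for name, (trust, chain) in sorted(trust_from("RIR", CERTS).items()):
        print(f"{name}: {trust:.4f} via {' -> '.join(chain)}")
```

Every node running this needs the full set of relationship certs, which is the distribution and computation cost the message above weighs against a central server.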