Threat Model for BGP Path Security
RFC 7132
Document Type RFC - Informational (February 2014; Errata)
Last updated 2018-12-20
Replaces draft-kent-bgpsec-threats
Stream IETF
Formats plain text html pdf htmlized bibtex
Reviews
GENART Telechat Review (of -07): Ready
GENART Last Call Review (of -06): On the Right Track
SECDIR Last Call Review (of -06): Has Issues
Stream WG state Submitted to IESG for Publication
Document shepherd Alexey Melnikov
Shepherd write-up Show (last changed 2013-07-30)
IESG IESG state RFC 7132 (Informational)
Consensus Boilerplate Yes
Telechat date
Responsible AD Stewart Bryant
Send notices to (None)
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions
Email authors Email WG IPR References Referenced by Nits 
Internet Engineering Task Force (IETF)                           S. Kent
Request for Comments: 7132                                           BBN
Category: Informational                                           A. Chi
ISSN: 2070-1721                                                   UNC-CH
                                                           February 2014

                   Threat Model for BGP Path Security

Abstract

   This document describes a threat model for the context in which
   External Border Gateway Protocol (EBGP) path security mechanisms will
   be developed.  The threat model includes an analysis of the Resource
   Public Key Infrastructure (RPKI) and focuses on the ability of an
   Autonomous System (AS) to verify the authenticity of the AS path info
   received in a BGP update.  We use the term "PATHSEC" to refer to any
   BGP path security technology that makes use of the RPKI.  PATHSEC
   will secure BGP, consistent with the inter-AS security focus of the
   RPKI.

   The document characterizes classes of potential adversaries that are
   considered to be threats and examines classes of attacks that might
   be launched against PATHSEC.  It does not revisit attacks against
   unprotected BGP, as that topic has already been addressed in the
   BGP-4 standard.  It concludes with a brief discussion of residual
   vulnerabilities.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7132.

Kent & Chi                    Informational                     [Page 1]
RFC 7132           Threat Model for BGP Path Security      February 2014

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Threat Characterization . . . . . . . . . . . . . . . . . . .   6
   4.  Attack Characterization . . . . . . . . . . . . . . . . . . .   8
     4.1.  Active Wiretapping of Sessions between Routers  . . . . .   8
     4.2.  Attacks on a BGP Router . . . . . . . . . . . . . . . . .   9
     4.3.  Attacks on Network Operator Management Computers (Non-CA
           Computers)  . . . . . . . . . . . . . . . . . . . . . . .  11
     4.4.  Attacks on a Repository Publication Point . . . . . . . .  12
     4.5.  Attacks on an RPKI CA . . . . . . . . . . . . . . . . . .  14
   5.  Residual Vulnerabilities  . . . . . . . . . . . . . . . . . .  16
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  18
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  18
   8.  Informative References  . . . . . . . . . . . . . . . . . . .  18

1.  Introduction

   This document describes the security context in which PATHSEC is
   intended to operate.  The term "PATHSEC" (for path security) refers
   to any design used to preserve the integrity and authenticity of the
   AS_PATH attribute carried in a BGP update message [RFC4271].  The
   security context used throughout this document is established by the
   Secure Inter-Domain Routing (SIDR) working group charter [SIDR-CH].
   The charter requires that solutions that afford PATHSEC make use of
   the Resource Public Key Infrastructure (RPKI) [RFC6480].  It also
   calls for protecting only the information required to verify that a
   received route traversed the Autonomous Systems (ASes) in question,
   and that the Network Layer Reachability Information (NLRI) in the
   route is what was advertised.

Kent & Chi                    Informational                     [Page 2]
RFC 7132           Threat Model for BGP Path Security      February 2014

   Thus, the goal of PATHSEC is to enable a BGP speaker to verify that
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools