Difference between revisions of "P2pbgpsec"

From Technologia Incognita
(After PRISM)
Line 4: Line 4:
 
|ProjectPurpose=Infrastructure
 
|ProjectPurpose=Infrastructure
 
}}
 
}}
'''Peer 2 Peer BGP Security''' <br>
+
=Peer 2 Peer BGP Security=
  
 
<i>wiki page for participants of p2p-sec mailing list: https://lists.puscii.nl/wws/arc/p2p-sec </i>
 
<i>wiki page for participants of p2p-sec mailing list: https://lists.puscii.nl/wws/arc/p2p-sec </i>
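Review bot: the new "=Peer 2 Peer BGP Security=" line is a level-1 heading, which MediaWiki renders at the same level as the page title. Use "==Peer 2 Peer BGP Security==" here and move the section headings added further down one level deeper to match, so the page keeps a single top-level title.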
Line 15: Line 15:
 
* to co-ordinate the efforts among various groups that work on the above topics
 
* to co-ordinate the efforts among various groups that work on the above topics
  
'''Problem statements'''
+
=Problem statements=
<br>
+
 
* <b>Internet Governance view</b>:
+
==Internet Governance view==
 +
 
 
** excellent summary by Milton Mueller, Brenden Kuerbis. (2010,09).<br>                                                              <i>"Building a new governance hierarchy: RPKI and the future of Internet routing     
 
** excellent summary by Milton Mueller, Brenden Kuerbis. (2010,09).<br>                                                              <i>"Building a new governance hierarchy: RPKI and the future of Internet routing     
 
and addressing.</i>  
 
and addressing.</i>  
Line 27: Line 28:
 
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2021835     
 
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2021835     
  
* <b>Techical view</b>:
+
==Technical view==
  
** How broken is SSL: a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:
+
* How broken is SSL: a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:
 
http://www.youtube.com/watch?v=Z7Wl2FW2TcA
 
http://www.youtube.com/watch?v=Z7Wl2FW2TcA
  
** Basic threat scenario: Man in the Middle attack / prefix hijacking,
+
* Basic threat scenario: Man in the Middle attack / prefix hijacking,
 
presented at Defcon, 2008, by Pilosov/Kapela:
 
presented at Defcon, 2008, by Pilosov/Kapela:
 
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
 
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
  
** Enisa report on the routing security: :
+
* Enisa report on the routing security: :
 
http://www.enisa.europa.eu/act/res/technologies/tech/routing/state-of-the-art-deployment-and-impact-on-network-resilience
 
http://www.enisa.europa.eu/act/res/technologies/tech/routing/state-of-the-art-deployment-and-impact-on-network-resilience
  
** Jeroen Massar's presentaton on Routing Security
+
* Jeroen Massar's presentaton on Routing Security
  
 
http://www.swinog.ch/meetings/swinog21/p/14_SwiNOG21%20-%20Security,%20DDOS%20Mitigation,%20AntiSpam.ppt
 
http://www.swinog.ch/meetings/swinog21/p/14_SwiNOG21%20-%20Security,%20DDOS%20Mitigation,%20AntiSpam.ppt
  
'''Possble alternative technical approaches'''
+
* Sharon Goldberg:  Should we secure routing with the RPKI (19 September 2013) , Princeton CS
 +
http://www.cs.princeton.edu/ajax/abstract/467
 +
 
 +
* Is the Juice Worth the Squeeze? BGP Security in Partial Deployment
 +
Robert Lychev, Sharon Goldberg, Michael Schapira.
 +
SIGCOMM'13, Hong Kong, China. August 2013.
 +
  http://arxiv.org/pdf/1307.2690v1
 +
  http://arxiv.org/abs/1307.2690
 +
 
 +
* Impacting IP Prefix Reachability via RPKI Manipulations
 +
Kyle Brogle, Danny Cooper, Sharon Goldberg and Leonid Reyzin.
 +
Boston University Technical Report. January 4, 2013.
 +
  http://www.cs.bu.edu/~goldbe/papers/RPKImanip.pdf
 +
  http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html
 +
 
 +
=Possible alternative technical approaches=
  
 
* "trust agility", a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:
 
* "trust agility", a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:
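Review bot: the rewritten bullets in this hunk carry over two typos that could be fixed while the lines are being touched: "presentaton" in "* Jeroen Massar's presentaton on Routing Security" and the doubled colon in "* Enisa report on the routing security: :". The URLs also still sit on their own lines below each bullet, so they render outside the list item; putting each URL on the same line as its "*" entry would keep the reference and its link together. The Lychev/Goldberg/Schapira entry lists both the arXiv PDF and abstract links for the same paper; one of them is enough.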
Line 54: Line 70:
  
  
'''Current solution: RPKI & sBGP'''
+
=Current solution: RPKI & sBGP=
<br>
+
 
 +
* IETF wg: SIDR (secure InterDomain Routing)
 
* Software: http://www.rpki.net/
 
* Software: http://www.rpki.net/
* IETF wg: SIDR (secure InterDomain Routing)
+
* RIPE NCC: https://www.ripe.net/lir-services/resource-management/certification
 +
* Public discussion in European region: (articles, mailing lists, links)
 +
http://www.ripe.net/lir-services/resource-management/certification/community-development
  
  
Public discussion in European region: (articles, mailing lists, links)
+
=In the news & blogs=
http://www.ripe.net/lir-services/resource-management/certification/community-development
 
 
 
'''In the news:'''
 
  
 
* Malcolm Hutty, from London Internet Exchange:
 
* Malcolm Hutty, from London Internet Exchange:
Line 69: Line 85:
  
 
* RIPE Members Vote To Continue RPKI Work, Nov 03, 2011 11:44 AM PDT
 
* RIPE Members Vote To Continue RPKI Work, Nov 03, 2011 11:44 AM PDT
By Michele Neylon
+
By Michele Nylon
 
http://www.circleid.com/post/20111103_ripe_members_vote_to_continue_rpki_wo rk/     
 
http://www.circleid.com/post/20111103_ripe_members_vote_to_continue_rpki_wo rk/     
  
=Meshnets media=
+
* RPKI for PI users in RIPE region:
 
+
http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-March/002212.html                                       
See also: [[Privacy_Software_Workshop_Series#Mesh_networks]]
 
  
&  http://wiki.techinc.nl/index.php/Privacy_Software_Workshop_Series#Mesh_networks
 
  
* Becha's article with many links:
+
* GOVERNMENTS WANT SUSPENDERS FOR SECURE ROUTING (24 September 2013)
http://becha.home.xs4all.nl/hackers-philosophers-utopian-network-dec-2012-becha.pdf
+
http://www.internetgovernance.org/2013/09/24/keep-your-pants-on-governments-want-suspenders-for-secure-routing/
  
=After PRISM=
+
==After PRISM==
  
 
* http://blog.cryptographyengineering.com/2013/09/on-nsa.html
 
* http://blog.cryptographyengineering.com/2013/09/on-nsa.html
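Review bot: the byline change from "By Michele Neylon" to "By Michele Nylon" alters the spelling of the author's name with no reason given in the edit summary; keep the original "Neylon" unless the change is deliberate. The unchanged circleid.com URL just below it contains a space ("rpki_wo rk/"), which breaks the link and is worth fixing in the same edit. Changing "=After PRISM=" to "==After PRISM==" also nests that section under "In the news & blogs"; confirm that is the intended structure.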
Line 90: Line 104:
  
 
(NSA breaking crypto, SSL, etc, by Schneider )
 
(NSA breaking crypto, SSL, etc, by Schneider )
 +
 +
=Meshnets media=
 +
 +
See also: [[Privacy_Software_Workshop_Series#Mesh_networks]]
 +
 +
&  http://wiki.techinc.nl/index.php/Privacy_Software_Workshop_Series#Mesh_networks
 +
 +
* Becha's article with many links:
 +
http://becha.home.xs4all.nl/hackers-philosophers-utopian-network-dec-2012-becha.pdf

Revision as of 09:23, 25 September 2013

Projects
Participants
Skills
Status Dormant
Niche Software
Purpose Infrastructure

Peer 2 Peer BGP Security

wiki page for participants of p2p-sec mailing list: https://lists.puscii.nl/wws/arc/p2p-sec

Objectives

  • to contribute to the creation and implementation of distributed/decentralized (web-of-trust) BGP security.
  • to create connections between people who share similar concerns about the upcoming introduction of hierarchical BGP-security structures, based on PKI/X.509 technology
  • to provide space for discussion & exchange of opinions, news, materials
  • to co-ordinate the efforts among various groups that work on the above topics

Problem statements

Internet Governance view

    • excellent summary by Milton Mueller, Brenden Kuerbis. (2010,09). "Building a new governance hierarchy: RPKI and the future of Internet routing and addressing." Retrieved from Internet Governance Project: http://internetgovernance.org/pdf/RPKI-VilniusIGPfinal.pdf
    • "Negotiating a New Governance Hierarchy: An Analysis of the Conflicting Incentives to Secure Internet Routing" http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2021835

Technical view

  • How broken is SSL: a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011: http://www.youtube.com/watch?v=Z7Wl2FW2TcA
  • Basic threat scenario: Man in the Middle attack / prefix hijacking, presented at Defcon, 2008, by Pilosov/Kapela: http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
  • ENISA report on routing security: http://www.enisa.europa.eu/act/res/technologies/tech/routing/state-of-the-art-deployment-and-impact-on-network-resilience
  • Jeroen Massar's presentation on Routing Security: http://www.swinog.ch/meetings/swinog21/p/14_SwiNOG21%20-%20Security,%20DDOS%20Mitigation,%20AntiSpam.ppt
  • Sharon Goldberg: Should we secure routing with the RPKI (19 September 2013), Princeton CS: http://www.cs.princeton.edu/ajax/abstract/467
  • Is the Juice Worth the Squeeze? BGP Security in Partial Deployment. Robert Lychev, Sharon Goldberg, Michael Schapira. SIGCOMM'13, Hong Kong, China. August 2013.
    http://arxiv.org/pdf/1307.2690v1
    http://arxiv.org/abs/1307.2690
  • Impacting IP Prefix Reachability via RPKI Manipulations. Kyle Brogle, Danny Cooper, Sharon Goldberg and Leonid Reyzin. Boston University Technical Report. January 4, 2013.
    http://www.cs.bu.edu/~goldbe/papers/RPKImanip.pdf
    http://www.cs.bu.edu/~goldbe/papers/RPKImanip.html

Possible alternative technical approaches

  • "trust agility", a talk by Moxie Marlinspike: "SSL And The Future Of Authenticity" at Defcon 2011:

http://www.youtube.com/watch?v=Z7Wl2FW2TcA

https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure


Current solution: RPKI & sBGP

http://www.ripe.net/lir-services/resource-management/certification/community-development


In the news & blogs

  • Malcolm Hutty, from London Internet Exchange: https://publicaffairs.linx.net/news/?p=6118
  • RIPE Members Vote To Continue RPKI Work, Nov 03, 2011 11:44 AM PDT, by Michele Neylon: http://www.circleid.com/post/20111103_ripe_members_vote_to_continue_rpki_work/
  • RPKI for PI users in RIPE region: http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-March/002212.html
  • GOVERNMENTS WANT SUSPENDERS FOR SECURE ROUTING (24 September 2013): http://www.internetgovernance.org/2013/09/24/keep-your-pants-on-governments-want-suspenders-for-secure-routing/

After PRISM

"there's a circumstantial case that the NSA and GCHQ are either directly accessing Certificate Authority keys** or else actively stealing keys from US providers, possibly (or probably) without executives' knowledge. This only requires a small number of people with physical or electronic access to servers, so it's quite feasible.*** The one reason I would have ruled it out a few days ago is because it seems so obviously immoral if not illegal, and moreover a huge threat to the checks and balances that the NSA allegedly has to satisfy in order to access specific users' data via programs such as PRISM."

(NSA breaking crypto, SSL, etc., by Schneider)

Meshnets media

See also: Privacy_Software_Workshop_Series#Mesh_networks

& http://wiki.techinc.nl/index.php/Privacy_Software_Workshop_Series#Mesh_networks

  • Becha's article with many links:

http://becha.home.xs4all.nl/hackers-philosophers-utopian-network-dec-2012-becha.pdf