There was a long thread on NANOG just a couple of days ago about BGP security; see this message and this message, which discuss this Slashdot article about using DNS to solve the problem of BGP security on the ‘net. Can DNS solve this problem? Well, that’s a pickle of a question. Why? Because it all depends on what you think the question actually means.
To begin, we can break the problem down into two pieces: who should be advertising this destination, and do I have a valid path to reach it? For the moment, we’ll only look at the first problem, because that’s the only one that relates to using DNS within the BGP security context. To put this in BGP parlance, what we want to know is whether or not the origin autonomous system (AS) in the BGP advertisement represents someone who actually owns (or is authorized to use) the address being advertised.
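As an added illustration of that first piece (the origin check), and not code from the original post: a small Python validator that matches an announcement’s origin AS and prefix length against a constructed table of authorizations, using the prefix / maxLength / ASN semantics that the RPKI route-origin-validation work later fixed in RFC 6811. The sample authorizations and AS numbers are made up; whichever database they would come from, DNS or RPKI, this is the check that needs it.

```python
from ipaddress import ip_network

# Constructed sample authorizations: (prefix, max_length, origin_asn).
# Semantics follow RPKI ROAs as in RFC 6811; the values are made up.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not_found' for one announcement.

    not_found: no authorization covers the announced prefix at all
    invalid:   something covers it, but no entry matches both the
               origin AS and the allowed prefix length
    valid:     a covering entry matches origin AS and prefix length
    """
    route = ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix, strict=False)
        if route.version != roa_net.version:
            continue
        # An entry "covers" a route when the route lies inside its prefix.
        if not route.subnet_of(roa_net):
            continue
        covered = True
        # Covered: the origin AS must match and the announcement must not
        # be more specific than the authorized maximum length.
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not_found"


def validate_table(announcements, roas=ROAS):
    """Validate a list of (prefix, origin_asn) pairs; returns a dict."""
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    # Constructed announcements: a legitimate one, a hijack-style origin
    # mismatch, an over-specific sub-prefix, and an unknown prefix.
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500),
              ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64496)]
    for key, state in validate_table(sample).items():
        print(key, "->", state)
```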
Who authorizes an AS to advertise a particular address, and why should we trust them? Well, we all know the RIRs authorize the use of address space, so we should all just be able to look at the naming authority’s databases and know, for certain, that certain organizations own certain IP addresses. In security terms, we have a natural single root for all the information, so we can have a single signed root, as well. In fact, the current RPKI work in the SIDR working group presupposes a single root that assigns and signs all IP address allocations.
Great! This should be so simple… Or is it?
How do we know which organization owns which AS number? Are the RIRs really in the business of ensuring people are who they say they are? If I walk into a bank and sign a check for a million dollars, the teller certainly knows it was me who signed the check – but how do they know who I am?
What if one company allows another company to “borrow” address space? What if there is a contract dispute between the RIR and the company – should the company’s routing be shut down while the dispute is settled? If a bank or a service provider loses the right to use its address space for a month while contract details are being sorted out, there’s no point in even opening the doors again after the month is over.
Okay, so this is more complex than we thought.
What DNS offers is a solid, well-designed, and well-understood system, including signing capabilities, managed by multiple roots on a global scale. With DNS you’ll need to have enough routing working to reach a DNS server in order to get the security information you need to validate the origins in the BGP table.
What the RPKI proposed by SIDR offers is a new system with a single security and authority root, and theoretical peer-to-peer data replication (through rsync). Using an RPKI, you’ll need to have enough routing working to get to a peering server to replicate the data.
And here we return to the original problem: what does the question mean? Is a single authoritative root an asset, or a liability? Is a group of interlocking communities better, or worse? Is it worse to need routing to reach a DNS server, or an RPKI replication server? Are these even technical questions, or do they fall into the domain of business operations and the philosophy of the ‘net?
What do you think?