IETF Logo Mail Archive

Re: [Idr] [sidr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Sun, 03 May 2015 02:51 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A4CA1A004D; Sat, 2 May 2015 19:51:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7DONufRfeYVt; Sat, 2 May 2015 19:51:56 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0753.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:753]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A35BD1A004C; Sat, 2 May 2015 19:51:55 -0700 (PDT)
Received: from CY1PR09MB0793.namprd09.prod.outlook.com (10.163.43.143) by CY1PR09MB0793.namprd09.prod.outlook.com (10.163.43.143) with Microsoft SMTP Server (TLS) id 15.1.154.19; Sun, 3 May 2015 02:51:37 +0000
Received: from CY1PR09MB0793.namprd09.prod.outlook.com ([10.163.43.143]) by CY1PR09MB0793.namprd09.prod.outlook.com ([10.163.43.143]) with mapi id 15.01.0154.018; Sun, 3 May 2015 02:51:37 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Iljitsch van Beijnum <iljitsch@muada.com>, Matthew Lepinski <mlepinski.ietf@gmail.com>
Thread-Topic: [sidr] Levels of BGPsec/RPKI validation, was: Re: [Idr] wglc for draft-ietf-sidr-bgpsec-protocol-11
Thread-Index: AQHQg23hvPefCdVsC0+PANQ5UDQxHp1mBKmAgAF9bICAAAl4AIABfEbj
Date: Sun, 03 May 2015 02:51:36 +0000
Message-ID: <1430621496060.84229@nist.gov>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com> <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com> <CANTg3aC4EurFpEP9S+5v4L5mz4zO2TLf9jOn+biCv0knms=8=Q@mail.gmail.com> <3637DF28-CFC8-46FF-8929-DF88BB91D3AB@muada.com> <CANTg3aDwkSEEGN_7TotJUu-d8eZS8eBaE-J4XbT+QpGxjPR60Q@mail.gmail.com>, <CA587941-7279-44A0-B447-0E307C3D52D3@muada.com>
In-Reply-To: <CA587941-7279-44A0-B447-0E307C3D52D3@muada.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-originating-ip: [129.6.220.209]
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR09MB0793;
x-microsoft-antispam-prvs: <CY1PR09MB07935DC006067089D79D9B3684D30@CY1PR09MB0793.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:CY1PR09MB0793; BCL:0; PCL:0; RULEID:; SRVR:CY1PR09MB0793;
x-forefront-prvs: 056544FBEE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(2950100001)(2900100001)(54356999)(76176999)(50986999)(86362001)(36756003)(87936001)(2656002)(46102003)(92566002)(93886004)(40100003)(62966003)(77156002)(122556002)(5001960100002)(5001920100001)(102836002)(15975445007)(77096005)(66066001)(19580395003)(99286002)(5001770100001)(230783001)(117636001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR09MB0793; H:CY1PR09MB0793.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 May 2015 02:51:36.7001 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR09MB0793
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/ITUwYf6ffqG8wj88d78GR1l0cO4>
Cc: "idr@ietf.org wg" <idr@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [Idr] [sidr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2015 02:51:58 -0000

>It would have been better if BGPsec would have had provisions for partial deployment, 
>so that you can have a path that is partially BGPsec protected even if it can't be fully be BGPsec-protected. 
>That way, the filtering issue shrinks in scope as the BGPsec-enabled core grows 
>and non-BGPsec branches turn into leaves and finally go away.

“path that is partially BGPsec protected” – I wouldn’t call that “partial deployment”.  
That is just partial path signing.
Partial deployment, on the other hand, connotes that there are islands within which 
BGPsec is deployed, and the rest of Internet is non-BGPsec. 
In this sense, partial deployment is synonymous with incremental deployment.   
Let us discuss incremental deployment and “path that is partially BGPsec protected” separately.

(1) Incremental Deployment:

BGPsec is amenable to incremental deployment, and does provide benefit to early adopters within BGPsec islands. 
For examples, you can have a BGPsec island in Asia in which, say, 30K prefixes are originated. 
And another BGPsec island in Europe in which, say, 50K prefixes are originated. 
All prefix-routes for those 30K (or 50K) prefixes within an island have the full protection of 
BGPsec while they originate from an AS within the island and propagate fully signed to other 
ASes within the same island. When those prefix-routes cross from a BGPsec island 
into non-BGPsec Internet, then they lose the signatures entirely and lose the protection.

Down the road, when ASes from the two islands in this example interconnect using 
BGPsec peering, then the combined BGPsec island will be much bigger, providing protection 
for prefix-routes for all 80K prefixes while they originate from an AS within the combined island 
and propagate fully signed to other ASes within the combined island. 
So incremental deployment can start within islands, 
and grow as islands expand and/or interconnect with each other.

Some additional thoughts on incremental deployment can be found in Section 6.3 of 
the BGPSEC design discussion document:

https://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-07#page-21 
 
(2) “path that is partially BGPsec protected” or Partial Path Signing
If an update with partially signed path is given some sort of preference over an unsigned update 
that would encourage cut-and-paste attacks.  Additional thoughts on why partial path signing 
is disallowed can be found in Section 6.4 of the BGPSEC design discussion document:

https://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-07#page-21 
 
Sriram

v2.23.0 | Report a Bug | By Email