Re: [OPSEC] Comments on draft-jdurand-bgp-security-02
Gert Doering <gert@space.net> Thu, 27 September 2012 12:56 UTC
Date: Thu, 27 Sep 2012 14:56:10 +0200
From: Gert Doering <gert@space.net>
To: David Freedman <david.freedman@uk.clara.net>
Cc: "opsec@ietf.org" <opsec@ietf.org>
Hi,

On Thu, Sep 27, 2012 at 12:29:21PM +0000, David Freedman wrote:
> I'm not aware of any implementations which can achieve
> this in a scalable way, are the authors? at present I
> would have to statically configure a next hop for each peer,
> not fun.

Both Cisco and Juniper can do

  route-map foo permit 10
   set ip(v6) next-hop peer-address

(dunno the exact Juniper syntax, but have been told it can be done)

DFN(680) stated on the DECIX list that they have been doing this on Cisco
"since ever" and it works.

> Also, are you aware that some networks inject the IXP
> LAN into their IGP for the purposes of TE? (I.e leaving
> the IXP LAN next hop present in their iBGP and then
> doing MPLS TE on this LAN as opposed to next-hop-self
> on the border where all peering networks are collapsed
> into a single loopback)

Yeah, I did.  At some point.

Maybe we need to add a bit more language to the point of "if you need to
deviate from these recommendations, understand why you are doing this,
and then feel free to do so" (= "SHOULD" normative language).

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                  Executive Board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14    Supervisory Board Chair: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444      VAT ID: DE813185279
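The effect of the inbound policy discussed in this message, as an added example that is not part of the original e-mail: a small Python model (not router configuration) of overwriting NEXT_HOP with the session's peer address, so that no next hop has to be configured statically per peer. The Update class, the function names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Update:
    peer: str      # address of the BGP neighbor the UPDATE arrived from
    prefix: str    # announced prefix
    next_hop: str  # NEXT_HOP attribute as sent by that neighbor


def third_party_next_hops(updates):
    """Audit: updates whose NEXT_HOP is not the neighbor that sent them.

    Addresses are compared as parsed values, so textual variants of the
    same IPv6 address (case, zero compression) are not reported.
    """
    return [u for u in updates
            if ipaddress.ip_address(u.next_hop) != ipaddress.ip_address(u.peer)]


def apply_peer_address_policy(updates):
    """Model of the inbound policy: NEXT_HOP := address of the sending peer."""
    return [replace(u, next_hop=u.peer) for u in updates]


# Constructed sample input (documentation address ranges, hypothetical peers).
SAMPLE = [
    Update("192.0.2.10", "198.51.100.0/24", "192.0.2.10"),
    # NEXT_HOP points at a different host on the shared IXP LAN
    Update("192.0.2.10", "203.0.113.0/24", "192.0.2.20"),
    # same address as the peer, written differently
    Update("2001:db8::10", "2001:db8:100::/48", "2001:DB8:0:0::10"),
    Update("2001:db8::10", "2001:db8:200::/48", "2001:db8::20"),
]

if __name__ == "__main__":
    for u in third_party_next_hops(SAMPLE):
        print(f"before policy: {u.prefix} from {u.peer} has next hop {u.next_hop}")
    rewritten = apply_peer_address_policy(SAMPLE)
    print("third-party next hops after policy:",
          len(third_party_next_hops(rewritten)))
```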