Re: [OPSEC] Comments on draft-jdurand-bgp-security-02

Gert Doering <gert@space.net> Thu, 27 September 2012 12:56 UTC


Hi,

On Thu, Sep 27, 2012 at 12:29:21PM +0000, David Freedman wrote:
> I'm not aware of any implementations which can achieve
> this in a scalable way, are the authors? at present I
> would have to statically configure a next hop for each peer,
> not fun.

Both Cisco and Juniper can do

route-map foo permit 10
  set ip next-hop peer-address
  set ipv6 next-hop peer-address

(dunno the exact Juniper syntax, but have been told it can be done)

DFN(680) stated on the DECIX list that they have been doing this on
Cisco "since ever" and it works.

> Also, are you aware that some networks inject the IXP
> LAN into their IGP for the purposes of TE? (I.e leaving
> the IXP LAN next hop present in their iBGP and then
> doing MPLS TE on this LAN as opposed to next-hop-self
> on the border where all peering networks are collapsed
> into a single loopback)

Yeah, I did.  At some point.

Maybe we need to add a bit more language to the point of "if you
need to deviate from these recommendations, understand why you are
doing this, and then feel free to do so" (= "SHOULD" normative
language).

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
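As an added example (not configuration from the thread, the draft, or either vendor's documentation), here is the inbound next-hop enforcement Gert describes written out end to end: the Cisco IOS route-map applied to an IXP peer, followed by what I take to be the Junos equivalent. The Junos `next-hop peer-address` policy action is my assumption, not something the thread confirms; peer addresses and AS numbers are constructed documentation values.

```text
! --- Cisco IOS (constructed example) ---
! Rewrite the next hop of every route learned from an IXP peer to that
! peer's own session address, so a peer cannot steer our traffic toward
! another member's port on the exchange LAN.
route-map IX-IN permit 10
 set ip next-hop peer-address
 set ipv6 next-hop peer-address
!
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 neighbor 2001:db8:1::1 remote-as 64497
 address-family ipv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-map IX-IN in
 address-family ipv6
  neighbor 2001:db8:1::1 activate
  neighbor 2001:db8:1::1 route-map IX-IN in

/* --- Junos equivalent (syntax assumed, constructed example) --- */
policy-options {
    policy-statement IX-IN {
        term force-peer-next-hop {
            then {
                next-hop peer-address;
                accept;
            }
        }
    }
}
protocols {
    bgp {
        group ix-peers {
            import IX-IN;
            neighbor 192.0.2.1 {
                peer-as 64497;
            }
            neighbor 2001:db8:1::1 {
                peer-as 64497;
            }
        }
    }
}
```

Because `peer-address` is resolved per session, one policy serves every IXP peer without a static next hop per neighbor, which is the scalability concern in the quoted question.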