Re: [RPSEC] BGP Security Requirements v08
sandy@tislabs.com (Sandy Murphy) Tue, 17 July 2007 16:00 UTC
Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1IApTQ-0001di-AD; Tue, 17 Jul 2007 12:00:28 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43)
id 1IApT8-0001Bn-Pp
for rpsec-confirm+ok@megatron.ietf.org; Tue, 17 Jul 2007 12:00:10 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1IApT8-0001Bd-6n
for rpsec@ietf.org; Tue, 17 Jul 2007 12:00:10 -0400
Received: from ns1.tislabs.com ([192.94.214.100] helo=nutshell.tislabs.com)
by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IApT6-0005Rz-Gm
for rpsec@ietf.org; Tue, 17 Jul 2007 12:00:10 -0400
Received: (from uucp@localhost)
by nutshell.tislabs.com (8.12.9/8.12.9) id l6HFvwBP000958
for <rpsec@ietf.org>; Tue, 17 Jul 2007 11:57:58 -0400 (EDT)
Received: from pecan.tislabs.com(10.66.1.30) by nutshell.tislabs.com via csmap
(V6.0) id srcAAAVdaaOb; Tue, 17 Jul 07 11:57:21 -0400
Received: by pecan.tislabs.com (Postfix, from userid 2005)
id EBC053F47D; Tue, 17 Jul 2007 11:55:19 -0400 (EDT)
To: rpsec@ietf.org
Subject: Re: [RPSEC] BGP Security Requirements v08
In-Reply-To: <200707171426.l6HEQJiK090507@harbor.brookfield.occnc.com>
Message-Id: <20070717155519.EBC053F47D@pecan.tislabs.com>
Date: Tue, 17 Jul 2007 11:55:19 -0400 (EDT)
From: sandy@tislabs.com (Sandy Murphy)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: sandy@tislabs.com
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org
Curtis writes: >In message <p06240507c2c167b442a1@[128.89.89.71]> >Stephen Kent writes: >> >> I think the question is why, if the path info received by an "island >> AS" has a number of unverified hops, is this path info useful, in a >> security sense, to the AS that receives? How does the requirement to >> send such info promote adoption of the protocol? >> >> Steve > > >Because it is likely to be more reliable than information with no >authentication at all. > >The major ISPs are fairly reliable at getting their internal routing >right so if the non-authenticating routers in the middle are entirely >in a set of ISPs that are known to generally not have breakins into >their own infrastructure. Curtis, I'm not sure exactly what you mean here, but Steve was talking about AS hops, not router hops. I *think* that's what you mean, also, but I'm not sure. Steve, I strongly believe that incremental deployment scenarios WILL include cases where non-upgradable ASs will be provided with other, operational or algorithmic, protections, so that ISPs in the know will trust paths that come to them from those ASs. I am less strongly convinced that incremental deployment scenarios MUST include such cases. But I see no way to provide benefit in incremental deployment otherwise. I do not think that you are saying that solutions COULD NOT provide benefit when island hopping. The work being done in the sidr wg (to provide an infrastructure that would provide authorization for prefix origination) would be an example of protections that would still provide benefit when island hopping, as the origin authorization check is of value no matter how many clueless ASs touch the UPDATE. I believe that you are arguing whether solutions should be REQUIRED to provide benefit when island hopping. And Curtis is arguing that they should, because otherwise incremental deployment will be very very unattractive. The choices seem to boil down to MUST or SHOULD. --Sandy _______________________________________________ RPSEC mailing list RPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/rpsec
- [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- RE: [RPSEC] BGP Security Requirements v08 Barry Greene (bgreene)
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- RE: [RPSEC] BGP Security Requirements v08 Barry Greene (bgreene)
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Michael H. Behringer
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Robert Loomans
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- RE: [RPSEC] BGP Security Requirements v08 James Ko
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 tom.petch
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent