IETF Logo Mail Archive

Re: [RPSEC] Discontiguous Deployment (Show of Hands)....

Tony Tauber <ttauber@1-4-5.net> Tue, 30 January 2007 16:00 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HBvP7-0002Zg-29; Tue, 30 Jan 2007 11:00:17 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HBvP5-0002Za-Aw for rpsec@ietf.org; Tue, 30 Jan 2007 11:00:15 -0500
Received: from m106.maoz.com ([205.167.76.9]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HBvP3-0005PO-Vg for rpsec@ietf.org; Tue, 30 Jan 2007 11:00:15 -0500
Received: from m106.maoz.com (localhost.localdomain [127.0.0.1]) by m106.maoz.com (8.13.8/8.13.8) with ESMTP id l0UG0AGH003580; Tue, 30 Jan 2007 08:00:10 -0800
Received: from localhost (ttauber@localhost) by m106.maoz.com (8.13.8/8.12.11/Submit) with ESMTP id l0UG02Lt003577; Tue, 30 Jan 2007 08:00:06 -0800
X-Authentication-Warning: m106.maoz.com: ttauber owned process doing -bs
Date: Tue, 30 Jan 2007 08:00:02 -0800 (PST)
From: Tony Tauber <ttauber@1-4-5.net>
X-X-Sender: ttauber@m106.maoz.com
To: Curtis Villamizar <curtis@occnc.com>
Subject: Re: [RPSEC] Discontiguous Deployment (Show of Hands)....
In-Reply-To: <200701292226.l0TMQL4G029593@workhorse.brookfield.occnc.com>
Message-ID: <Pine.LNX.4.64.0701300746260.14084@m106.maoz.com>
References: <200701292226.l0TMQL4G029593@workhorse.brookfield.occnc.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Cc: rpsec@ietf.org, Russ White <riw@cisco.com>
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org

[ Adding the list back on. ]

On Mon, 29 Jan 2007, Curtis Villamizar wrote:
>
> Tony, Russ,
>
> Tony Tauber writes:
>
>>   possible to deploy a such a protocol to all routers in a large AS at
>>                      ^^^^^^^^
>
>
> Looks better with the additions.  Note the minor typo above.

Fixed. Thanks.

> Another practical consideration is deployment rollout.

Makes sense.

> This might be a good replacement for your third bullet.
>
> -   o  In an environment where both secured and non-secured systems are
> -      interoperating a mechanism MUST exist for secured systems to
> -      identify whether an originator intended the information to be
> -      secured.
>
>
>   o  In an environment where secured service is in the process of
>      being deplyed a mechanism MUST exist to support a transition
>      free of service interruption.

I think the original bullet is about something else and still has
merit, but I like your addition.

> For some providers resetting the BGP sessions during a service
> rollout would be at least highly undesireable and might be
> completely unacceptable.  With providers trying to acheive higher
> service availability than their competitors, this becomes very
> important.
>
> Curtis

At first, I was inclined to put this kind of thing in as a SHOULD, but
after thinking for a bit, am leaning toward MUST.
Re-setting an eBGP session here or there is an event any deployment
should be able to deal with fairly gracefully for an upgrade of such
magnitude.  Taking down major parts of one's iBGP infrastructure,
however, is not acceptable, IMO.

I'll add this text unless the list disapproves.

Thanks,


Tony


_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.8.7 | Report a Bug | By Email