Re: [RPSEC] BGP Security Requirements v08
Stephen Kent <kent@bbn.com> Wed, 11 July 2007 15:05 UTC
Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1I8dkg-000561-9Q; Wed, 11 Jul 2007 11:05:14 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43)
id 1I8dkf-00050I-19
for rpsec-confirm+ok@megatron.ietf.org; Wed, 11 Jul 2007 11:05:13 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1I8dke-0004wV-Io
for rpsec@ietf.org; Wed, 11 Jul 2007 11:05:12 -0400
Received: from mx11.bbn.com ([128.33.0.80])
by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1I8dkT-0002eK-BE
for rpsec@ietf.org; Wed, 11 Jul 2007 11:05:12 -0400
Received: from dhcp89-089-071.bbn.com ([128.89.89.71])
by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>)
id 1I8djw-0007PL-4x; Wed, 11 Jul 2007 11:04:28 -0400
Mime-Version: 1.0
Message-Id: <p06240528c2baa0b1241a@[128.89.89.71]>
In-Reply-To: <4694DC3E.5010007@cisco.com>
References: <20070709142132.GF7635@1-4-5.net>
<p06240505c2b95577827e@[128.89.89.71]> <20070710213538.GB27477@1-4-5.net>
<p06240519c2b9b020c206@[128.89.89.71]> <4694DC3E.5010007@cisco.com>
Date: Wed, 11 Jul 2007 11:04:17 -0400
To: Russ White <riw@cisco.com>
From: Stephen Kent <kent@bbn.com>
Subject: Re: [RPSEC] BGP Security Requirements v08
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 50a516d93fd399dc60588708fd9a3002
Cc: rpsec@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org
At 9:33 AM -0400 7/11/07, Russ White wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > > >>> I see this requirement as a (possibly unnecessary) corollary to the >>> requirement for supporting non-contiguous deployments. The fact that >>> the interpretation is ambiguous about how specifically one achieves this >>> goal (perhaps properly) reflects the fact that solutions can get >>> creative. >> >> "A BGP security mechanism MUST provide backward compatibility in >> the message formatting, transmission, and processing of routing >> information carried through a mixed security environment. Message >> formatting in a fully secured environment MAY be handled in a >> non-backward compatible fashion. Care must be taken to ensure either that >> UPDATES can traverse intermediate routers which don't support the new >> format, or that UPDATEs using a new format are not sent to ASes that cannot >> support such messages." > >This is a pretty traditional and standard argument in routing protocol >circles whenever extensions to a routing protocol are proposed--do we >make it so older routers can at least forward the new information, or do >we make it so it won't work in the presence of older routers? IMHO, it >generally comes down to--is the information useful to routers on the >other side of the nonsupporting router? I agree that it is generally useful to have a router forward data that it can't use itself, but that a later router might be able to use. However, I am not comfortable with a suggestion that if a solution cannot always guarantee this capability, that it is an unacceptable solution. >Maybe it's useful to break this into two questions? > >1. Is information about the authorization of an originator to advertise >reachability useful to AS' on the "other side" of a non-supporting AS? it could be useful. >2. Is information about the validity of an AS path useful to AS' on the >"other side" of a non-supporting AS? because there may be no way to verify the number, much less the identify of ASes listed in an UPDATE between the end of the secured path and the current AS, the utility of the passing that data beyond the end of the secured part of the path is questionable. Steve _______________________________________________ RPSEC mailing list RPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/rpsec
- [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- RE: [RPSEC] BGP Security Requirements v08 Barry Greene (bgreene)
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- RE: [RPSEC] BGP Security Requirements v08 Barry Greene (bgreene)
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Michael H. Behringer
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Robert Loomans
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- RE: [RPSEC] BGP Security Requirements v08 James Ko
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 tom.petch
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent