IETF Logo Mail Archive

Re: [RPSEC] comments on draft-ietf-rpsec-bgpsecrec-03

Stephen Kent <kent@bbn.com> Thu, 19 January 2006 14:55 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EzbCK-0000Si-FW; Thu, 19 Jan 2006 09:55:36 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EzbCI-0000SY-UC for rpsec@megatron.ietf.org; Thu, 19 Jan 2006 09:55:34 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA28658 for <rpsec@ietf.org>; Thu, 19 Jan 2006 09:54:08 -0500 (EST)
Received: from aragorn.bbn.com ([128.33.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EzbKq-0001wH-7K for rpsec@ietf.org; Thu, 19 Jan 2006 10:04:25 -0500
Received: from [128.89.89.106] (dhcp89-089-106.bbn.com [128.89.89.106]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id k0JEtEIG009492; Thu, 19 Jan 2006 09:55:17 -0500 (EST)
Mime-Version: 1.0
Message-Id: <p06230902bff55651cc4b@[128.89.89.106]>
In-Reply-To: <43CED4F9.9070409@cisco.com>
References: <Pine.LNX.4.64.0511140906540.27919@netcore.fi> <Pine.LNX.4.64.0601021910360.29213@m106.maoz.com> <p0623090fbfe9e67f625f@[128.89.89.106]> <Pine.LNX.4.64.0601112042220.9020@netcore.fi> <p06230928bfeb32f07e87@[128.89.89.106]> <Pine.LNX.4.64.0601151749330.6674@netcore.fi> <p06230905bff4389dfb65@[128.89.89.106]> <43CED4F9.9070409@cisco.com>
Date: Thu, 19 Jan 2006 09:48:34 -0500
To: Russ White <riw@cisco.com>
From: Stephen Kent <kent@bbn.com>
Subject: Re: [RPSEC] comments on draft-ietf-rpsec-bgpsecrec-03
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on 128.33.1.41
X-Virus-Status: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
Cc: rpsec@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Sender: rpsec-bounces@ietf.org
Errors-To: rpsec-bounces@ietf.org

Russ,

>...
>>  agreed, which is why I think it makes sense to consider these
>>  (necessarily) vague considerations as goals, but not requirements.
>
>Hmmm... I would think that if this is something that's required for any
>system to have a realistic opportunity of actually being deployed, then
>it's still at least a SHOULD. Perfectly undeployable perfect systems are
>not really solutions at all. :-)

yes, but vague comments about performance and manageability are just 
fodder for debate, not objective metrics that should be described as 
"requirements." :-)

>
>>>  UPDATE frequency as such doesn't help much.  You need to consider the
>>>  protential update frequency -- e.g., what would happen if the session
>>>  was reset or flapping and basically all the prefixes would need to be
>>>  processed at once one or more times.
>
>>  When I said UPDATE frequency I was considering this as well. When a
>>  session is reset and one receives a lot of UPDATEs from a peer, it is
>>  not necessary to verify the signatures on all of them, if one uses a
>>  mechanism based on signed UPDATEs. One shoud look at each UPDATE and ask
>>  "if this UPDATE is authentic, does it cause me to change my LocRIB?" If
>>  the answer is no, then there is no need to peform crypto verification on
>>  the UPDATE at that time.
>
>If you lose a peer, you have to clear your RIB for all information
>previously received from that peer, receive all updates, and then
>reinstall all of them into your RIB. It's not always clear when an
>update will change you RIB or not--there's no implementation I know of
>that evaluates whether or not a route would win if installed before
>processing the route, they all choose their best route, and attempt to
>install the route, seeing if it actually is installed when the attempt
>is completed. (I know, just a nit, but the closer we are to reality in
>our understanding of how implementations actually work, the closer we
>can mold requirements so they will be do-able in the real world).

Which RIB?

The AdjRIB for the peer in question can be populated with unverified 
advertisements safely, so long as no unverified routes are selected 
for use in the LocRIB. When a route is selected as the "best" for the 
NLRI in question, then it needs to be verified before it can be used 
safely.

What aspect of this heuristic do you feel is inconsistent with how 
implementations actually work?

Steve

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.41.0 | Report a Bug | By Email | System Status