Aggregation in S-BGP was RE: [RPSEC] Re: draft-convery-bgpattack-00
Charles Lynn <clynn@bbn.com> Thu, 07 November 2002 16:03 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA29783 for <rpsec-archive@odin.ietf.org>; Thu, 7 Nov 2002 11:03:19 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id gA7G5KD27583 for rpsec-archive@odin.ietf.org; Thu, 7 Nov 2002 11:05:20 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA7G5Kv27580 for <rpsec-web-archive@optimus.ietf.org>; Thu, 7 Nov 2002 11:05:20 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA29709 for <rpsec-web-archive@ietf.org>; Thu, 7 Nov 2002 11:02:48 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA7G4ov27502; Thu, 7 Nov 2002 11:04:50 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gA7FwJv27210 for <rpsec@optimus.ietf.org>; Thu, 7 Nov 2002 10:58:19 -0500
Received: from wolfe.bbn.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA29262 for <rpsec@ietf.org>; Thu, 7 Nov 2002 10:55:46 -0500 (EST)
Received: by wolfe.bbn.com (Postfix, from userid 13538) id C5A6416484; Thu, 7 Nov 2002 10:58:14 -0500 (EST)
From: Charles Lynn <clynn@bbn.com>
To: rpsec@ietf.org
Cc: shares@nexthop.com, iljitsch@muada.com, clynn@bbn.com
Subject: Aggregation in S-BGP was RE: [RPSEC] Re: draft-convery-bgpattack-00
In-Reply-To: <BE36D687C8CBFA4AB76F5CD3E3C0FB4E964E8E@aa-exchange1.corp.nexthop.com>
Message-Id: <20021107155814.C5A6416484@wolfe.bbn.com>
Date: Thu, 07 Nov 2002 10:58:14 -0500
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Hi Sue, > How does SBGP handle Aggregation or proxy aggregation? The basic model is that the BGP implementation combines some set of routes into an aggregate. The S-BGP mechanisms then insert into the attestation path attribute (used to carry the signatures, etc.) enough information to be able to verify all the pieces that were aggregated. The number of Adj-RIB-In entries (and the FIB entries derived from it) in speakers that receive the aggregate is thus unchanged by the S-BGP mechanisms (provided that the content of the aggregate passes the security checks). However the size of the Adj-RIB-In entry for the S-BGP protected aggregate is obviously larger than it would be for the non-S-BGP case. In cases where the aggregator claims to be the originator for the aggregate, the organizations with the right to use the prefixes being aggregated (which might happen to be/include the aggregator) need to authorize the aggregating AS to do so, using the usual "address attestation". Iljitsch commented... > Isn't aggregation anywhere else than at the source of the announcement > a relic from the BGP3 transition? Ie do people still use it? Last time I looked (viewpoints of routing UPDATEs vary), about 0.2 % of advertised routes contained AS Sets (one form of aggregation). To be clear, "aggregation ... at the source of the announcement" could be interpreted as, e.g., by an ISP that aggregates routes from customers that are using portions of the ISP's address space, or alternatively as an ISP that aggregates routes from several sources and claims to be the originator (removing information about the aggregated routes to the NLRI in the process). S-BGP handles either form, but the latter produces a larger UPDATE message. (In the cases we looked at, the aggregated UPDATE received by the AS that peered with an aggregating AS was larger than would have been the case if the aggregation had not been performed, but the aggregated UPDATE message was smaller than the sum of the non-aggregated UPDATEs for ASes two or more AS-hops away from the aggregator. Additional live data from ASes doing aggregation -- the UPDATEs being aggregated and the aggregated UPDATE -- would be helpful for additional analysis.) Charlie _______________________________________________ RPSEC mailing list RPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/rpsec
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Joachim Jensen
- RE: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- [RPSEC] draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] draft-convery-bgpattack-00 Damir Rajnovic
- [RPSEC] Re: draft-convery-bgpattack-00 David G. Boney
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] draft-convery-bgpattack-00 Christopher Lonvick
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Birger Toedtmann
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Birger Toedtmann
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- [RPSEC] prefix origin authentication (was Re: dra… Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Tony Tauber
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Danny McPherson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Larry J. Blunk
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Barry Raveendran Greene
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Barry Raveendran Greene
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- RE: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Charles Lynn
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Susan Hares
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Aggregation in S-BGP was RE: [RPSEC] Re: draft-co… Charles Lynn
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Joel M. Halpern
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- [RPSEC] Potential requirements Charles Lynn
- Re: [RPSEC] Potential requirements Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Potential requirements Tony Tauber
- Re: [RPSEC] Potential requirements Steve Suehring
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson