Re: [RPSEC] BGP Security Requirements v08
Stephen Kent <kent@bbn.com> Wed, 18 July 2007 18:30 UTC
Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1IBEHs-00061p-AN; Wed, 18 Jul 2007 14:30:12 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43)
id 1IBEHp-0005p0-BT
for rpsec-confirm+ok@megatron.ietf.org; Wed, 18 Jul 2007 14:30:09 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1IBEHo-0005lt-TQ
for rpsec@ietf.org; Wed, 18 Jul 2007 14:30:08 -0400
Received: from mx11.bbn.com ([128.33.0.80])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IBEHn-00018k-OT
for rpsec@ietf.org; Wed, 18 Jul 2007 14:30:08 -0400
Received: from dhcp89-089-071.bbn.com ([128.89.89.71])
by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>)
id 1IBEHn-0005PI-4F; Wed, 18 Jul 2007 14:30:07 -0400
Mime-Version: 1.0
Message-Id: <p06240516c2c40824d745@[128.89.89.71]>
In-Reply-To: <200707181634.l6IGY7h1026467@harbor.brookfield.occnc.com>
References: <200707181634.l6IGY7h1026467@harbor.brookfield.occnc.com>
Date: Wed, 18 Jul 2007 14:30:07 -0400
To: curtis@occnc.com
From: Stephen Kent <kent@bbn.com>
Subject: Re: [RPSEC] BGP Security Requirements v08
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 97adf591118a232206bdb5a27b217034
Cc: rpsec@ietf.org, Sandy Murphy <sandy@tislabs.com>
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org
>... > > >> I do not think that you are saying that solutions COULD NOT provide >> benefit when island hopping. The work being done in the sidr wg >> (to provide an infrastructure that would provide authorization for >> prefix origination) would be an example of protections that would >> still provide benefit when island hopping, as the origin authorization > > check is of value no matter how many clueless ASs touch the UPDATE. The ROA defined by the SIDR work is a good example of a first step that acknowledges that some verified info is better than none, a point you have been making. It also is an example of a mechanism that addresses what some folks say is the most common form of accidental "attack" by ISPs, i.e., erroneous origin announcements due to config errors. That makes is an appropriate partial solution, since it addresses, in a comprehensive fashion, one specific form of problem. Also, the ROA model is especially simple, as there is no notion of a serial mix of verified and unverified path data, since a ROA attests only to origin AS data. Finally, based on the current SIDR architecture model, ROAs are distributed via a repository system, essentially out-of-band, and so the argument re transitive propagation does not apply here. > > I believe that you are arguing whether solutions should be REQUIRED > > to provide benefit when island hopping. And Curtis is arguing that >> they should, because otherwise incremental deployment will be very > > very unattractive. >> > > The choices seem to boil down to MUST or SHOULD. Sandy changed her position to MAY yesterday, based on further discussion and on Tony's suggestion. Steve _______________________________________________ RPSEC mailing list RPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/rpsec
- [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- RE: [RPSEC] BGP Security Requirements v08 Barry Greene (bgreene)
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- RE: [RPSEC] BGP Security Requirements v08 Barry Greene (bgreene)
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Joe Touch
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Michael H. Behringer
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Robert Loomans
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- RE: [RPSEC] BGP Security Requirements v08 James Ko
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Tony Tauber
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Sandy Murphy
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Russ White
- Re: [RPSEC] BGP Security Requirements v08 tom.petch
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Curtis Villamizar
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent
- Re: [RPSEC] BGP Security Requirements v08 Stephen Kent