Re: [sidr] Follow-up on June 6 Interim : Confederations
"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Mon, 18 June 2012 16:54 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5575121F86EF for <sidr@ietfa.amsl.com>; Mon, 18 Jun 2012 09:54:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5D0ZMAe9tfN for <sidr@ietfa.amsl.com>; Mon, 18 Jun 2012 09:54:44 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 4F0CE21F85E1 for <sidr@ietf.org>; Mon, 18 Jun 2012 09:54:43 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.1.355.2; Mon, 18 Jun 2012 12:54:42 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Mon, 18 Jun 2012 12:54:39 -0400
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Randy Bush <randy@psg.com>
Date: Mon, 18 Jun 2012 12:54:37 -0400
Thread-Topic: [sidr] Follow-up on June 6 Interim : Confederations
Thread-Index: Ac1LP4NeY5j66eGZQ0GV3Ugw83k43gCLH+iw
Message-ID: <D7A0423E5E193F40BE6E94126930C4930B9CC210DE@MBCLUSTER.xchange.nist.gov>
References: <4FDB8840.2030903@bbn.com> <D7A0423E5E193F40BE6E94126930C4930B9BA8404E@MBCLUSTER.xchange.nist.gov> <m28vfoqmj8.wl%randy@psg.com>
In-Reply-To: <m28vfoqmj8.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Follow-up on June 6 Interim : Confederations
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2012 16:54:45 -0000
Comments below. Sriram > >> This solution for confeds *requires* each AS within a confed to sign >> internally (i.e., from AS to AS within the confed). It does not allow >> the choice to a confed operator to sign or not sign the updates internally. >> For instance, the operator may be satisfied with the level of mutual >> trust within the confed, and therefore may choose to not sign updates >internally. >> >> Do we want to provision this choice into the protocol? > >sure, if they strip bgpsec and reconstruct the as-path. > >in bgpsec, all ass sign. end. Quoting from the sidr-bgpsec-ops-05 document: "To prevent exposure of the internals of BGP Confederations [RFC5065], a BGPsec speaker which is a Member-AS of a Confederation MUST NOT sign updates sent to another Member-AS of the same Confederation." You might like to reword the above but ... Our position all along (for at least two years, except for the recent shift) had been that we did not require confed AS members to sign internally within the confed. http://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-01#section-7.3 Concern for the confed operator: If updates enter a confed with 3 sigs in them, and if the confed adds another 3 sigs internally, then the updates are getting pretty bulky and the processing/memory costs are going much higher for the confed operator. May not like that when they know their confed ASs are within a trust boundary. (Also see Jakob's comment.) Sriram
- [sidr] Follow-up on June 6 Interim : Confederatio… Matt Lepinski
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Sriram, Kotikalapudi
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Matt Lepinski
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Randy Bush
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Sriram, Kotikalapudi
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Randy Bush