Re: [sidr] BGPsec draft and extended messages
Wes George <wesgeorge@puck.nether.net> Sat, 18 March 2017 14:00 UTC
Return-Path: <wesgeorge@puck.nether.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7952112708C; Sat, 18 Mar 2017 07:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5iz8yms2nrJc; Sat, 18 Mar 2017 07:00:17 -0700 (PDT)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by ietfa.amsl.com (Postfix) with ESMTP id 5F7FC12751F; Sat, 18 Mar 2017 07:00:17 -0700 (PDT)
Received: from [IPv6:2610:178:8::40f6:8f10:4485:ece9] (unknown [IPv6:2610:178:8:0:40f6:8f10:4485:ece9]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id E94FA540DC8; Sat, 18 Mar 2017 10:00:04 -0400 (EDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_F70881C1-A36E-481D-9FCF-4C1BB9D239BD"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Wes George <wesgeorge@puck.nether.net>
In-Reply-To: <DM2PR09MB0446CCB7DE24681F23429D7784270@DM2PR09MB0446.namprd09.prod.outlook.com>
Date: Sat, 18 Mar 2017 09:59:48 -0400
Cc: "Alvaro Retana (aretana)" <aretana@cisco.com>, Randy Bush <randy@psg.com>, Steve KENT <steve.kent@raytheon.com>, sidr wg list <sidr@ietf.org>, Matthias Waehlisch <m.waehlisch@fu-berlin.de>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, Sean Turner <sean@sn3rd.com>, "sidrops@ietf.org" <sidrops@ietf.org>
Message-Id: <C3249249-C8A2-4FC0-ABDD-AAE32CF5A62B@puck.nether.net>
References: <CY1PR09MB0444303CC4FC61239C90E6FE84250@CY1PR09MB0444.namprd09.prod.outlook.com> <m2innbv94e.wl-randy@psg.com> <DM2PR09MB0446AA8F2902D240F99A861C84240@DM2PR09MB0446.namprd09.prod.outlook.com> <BC9717B9-C466-4278-B886-48D9C2EA16DF@cisco.com> <4CF183FB-F22F-4133-BE91-86CA44DBEDBE@puck.nether.net> <DM2PR09MB0446CCB7DE24681F23429D7784270@DM2PR09MB0446.namprd09.prod.outlook.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/0Ha5w03TPhj7KomNTunvYjXCot8>
Subject: Re: [sidr] BGPsec draft and extended messages
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Mar 2017 14:00:19 -0000
> On Mar 15, 2017, at 6:18 PM, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> wrote: > > >First, I don’t believe that there is any construct within the current BGPSec setup that allows for this sort of mixed mode where most updates are signed but some subset are not. Normally it’s something negotiated on session establish - either BGPSec is supported by both neighbors, or it is not - and the BGP machinery handles updates accordingly. > > > [ks] When BGPsec is negotiated, it simply means that the router can send/receive BGPsec updates. Traditional unsigned updates can still be exchanged on that session as necessary. This was part of the design from the start. That’s because an AS may negotiate BGPsec with a peer but can have a customer that is not upgraded to BGPsec. Once a BGPsec session is established, an update may have BGPsec_Path or (unsigned) AS_PATH attribute, but not both. See section 2.2, p.5: > > > “BGP update messages without the BGPsec_Path attribute (i.e. unsigned updates) MAY be > sent within a session regardless of whether or not the use of BGPsec > is successfully negotiated.” WG] My original email was insufficiently precise when expressing my concern on this, as it was written in relative haste. I’ll try again. I always interpreted this as allowing for updates that were never secured (because the downstream neighbor doesn’t support it) to be sent between BGPSec capable neighbors, as you explain above. This makes perfect sense given BGPSec’s decision to not allow partially-signed updates. My concern is that using this text as justification for updates that otherwise would be secured (because they came through a path of neighbors that all support BGPSec end to end) dropping back to insecure on account of the size of the update violates the principle of least astonishment and again allows for degraded security by failing open. Wes
- Re: [sidr] BGPsec draft and extended messages Randy Bush
- Re: [sidr] BGPsec draft and extended messages Sriram, Kotikalapudi (Fed)
- Re: [sidr] BGPsec draft and extended messages Sriram, Kotikalapudi (Fed)
- Re: [sidr] BGPsec draft and extended messages Alvaro Retana (aretana)
- Re: [sidr] BGPsec draft and extended messages Susan Hares
- Re: [sidr] BGPsec draft and extended messages Wes George
- Re: [sidr] BGPsec draft and extended messages Sriram, Kotikalapudi (Fed)
- Re: [sidr] BGPsec draft and extended messages Wes George
- Re: [sidr] BGPsec draft and extended messages Sriram, Kotikalapudi (Fed)