IETF Logo Mail Archive

Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-ops-12: (with COMMENT)

Chris Morrow <morrowc@ops-netman.net> Tue, 03 January 2017 00:35 UTC

Return-Path: <morrowc@ops-netman.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B23BC12951D; Mon, 2 Jan 2017 16:35:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.001
X-Spam-Level:
X-Spam-Status: No, score=-5.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lu4DHR3yCldQ; Mon, 2 Jan 2017 16:35:28 -0800 (PST)
Received: from relay.kvm02.ops-netman.net (relay.kvm02.ops-netman.net [IPv6:2606:700:e:550:5c82:28ff:fe25:4960]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73F69129513; Mon, 2 Jan 2017 16:35:28 -0800 (PST)
Received: from mail.ops-netman.net (mailserver.ops-netman.net [199.168.90.119]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by relay.kvm02.ops-netman.net (Postfix) with ESMTPS id F3CF43FF82; Tue, 3 Jan 2017 00:35:26 +0000 (UTC)
Received: from morrowc-glaptop4.roam.corp.google.com.ops-netman.net (static-96-241-182-39.washdc.fios.verizon.net [96.241.182.39]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.ops-netman.net (Postfix) with ESMTPSA id 34530BA989F6; Tue, 3 Jan 2017 00:35:26 +0000 (UTC)
Date: Mon, 02 Jan 2017 19:35:25 -0500
Message-ID: <yj9o60lx6kvm.wl%morrowc@ops-netman.net>
From: Chris Morrow <morrowc@ops-netman.net>
To: Randy Bush <randy@psg.com>
In-Reply-To: <m2tw9hmq76.wl-randy@psg.com>
References: <148336377615.21819.15119186800162780376.idtracker@ietfa.amsl.com> <m2vatxmv83.wl-randy@psg.com> <563AAA29-82F7-4202-8A54-855CD7702595@kuehlewind.net> <m2tw9hmq76.wl-randy@psg.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.3 Mule/6.0 (HANACHIRUSATO)
Organization: Operations Network Management, Ltd.
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/1qMcG7eaQwLg8gM0ROI6p9rqzX8>
Cc: draft-ietf-sidr-bgpsec-ops@ietf.org, Chris Morrow <morrowc@ops-netman.net>, sidr-chairs@ietf.org, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>, sidr@ietf.org
Subject: Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-ops-12: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2017 00:35:29 -0000

At Tue, 03 Jan 2017 00:33:49 +0900,
Randy Bush <randy@psg.com> wrote:
> 
> hi mirja,
> 
> > could there be a similar case here, where a router is known to support
> > BGPsec and others would ignore/drop non-signed announcements?
> 
> hmmmm.  as far as i can remember, this has not actually been discussed.

i think this is correct.
(I don't remember discussing something like this in the past)

I can imagine a future where the operations staff decides: "We only do
bgpsec (with peers x, y, z) turn on the knob that requires bgpsec at
peer establishment!"

In that case, if it were to be true, the operator would have chosen to
only do bgpsec and not fallback to normal bgp... The router(s) aren't
really remembering that their peer did bgpsec in the past as much as
requiring the bgpsec capability at peer 'connect'.

> how would a router be known to support bgpsec?  well, if i saw it on a
> signed path.  (for the moment, let's ignore changes over time).  but it
> might have an out-degree of O(100) and some portion are signed and the
> rest not.  the ones that are not signed are due to the peer not
> negotiating bgpsec, or that one or the other is configured to not have
> the peering be bgpsec.

I bet with a distant view of one ASN (or all ASN) you could tell, over
time, whom the ASN peers with via 'bgpsec' vs 'bgp'. You MAY choose to
do some policy stuff that says: "ASN X, Y, Z seem to always do bgpsec
with +XX% of their peers in my view of them... so only accept routes
originated by these ASN if the routes arrive on bgpsec-enabled
peerings."

This seems dangerous, today anyway, but maybe tomorrow it'd be more
feasible? I also don't know that you could easily tell: "the router"
vs "the asn", because as you get further away on the network your
entrypoint (and whom in that ASN you hear routes FROM) to the remote
ASN is less guaranteed.
 
> and it's way too late here for me to do the necessary deep dive into
> draft-ietf-sidr-bgpsec-pki-profiles-18.txt to know if i can definitively
> identify a router, especially as one router can have multiple ASs and
> therefore multiple certs and therefore multiple skis.
> 
> maybe someone on the us beast coast has had enough coffee to hit me with
> a clue by four when i wake.
> 
> randy

v2.30.2 | Report a Bug | By Email | System Status