IETF Logo Mail Archive

Re: [sidr] Question about draft-ietf-sidr-pfx-validate-03

John Scudder <jgs@juniper.net> Sun, 13 November 2011 08:18 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D34111E8081 for <sidr@ietfa.amsl.com>; Sun, 13 Nov 2011 00:18:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.483
X-Spam-Level:
X-Spam-Status: No, score=-6.483 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gY5BMn93Rkgs for <sidr@ietfa.amsl.com>; Sun, 13 Nov 2011 00:18:28 -0800 (PST)
Received: from exprod7og125.obsmtp.com (exprod7og125.obsmtp.com [64.18.2.28]) by ietfa.amsl.com (Postfix) with ESMTP id CFF0E21F8B0B for <sidr@ietf.org>; Sun, 13 Nov 2011 00:18:27 -0800 (PST)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob125.postini.com ([64.18.6.12]) with SMTP ID DSNKTr99UYMNqfuB5TuWyN0SAouwe8XaT/vP@postini.com; Sun, 13 Nov 2011 00:18:28 PST
Received: from EMBX02-HQ.jnpr.net ([fe80::18fe:d666:b43e:f97e]) by P-EMHUB02-HQ.jnpr.net ([fe80::88f9:77fd:dfc:4d51%11]) with mapi; Sun, 13 Nov 2011 00:12:23 -0800
From: John Scudder <jgs@juniper.net>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Sun, 13 Nov 2011 00:12:22 -0800
Thread-Topic: [sidr] Question about draft-ietf-sidr-pfx-validate-03
Thread-Index: Acyh2/iXYPGEVq+2S92voo/0gPTNcQ==
Message-ID: <50D11ABB-8AFB-48EB-B0CE-753EEA39D539@juniper.net>
References: <E3CAD10A-758F-435F-B79F-62171DD373CC@tcb.net> <CAH1iCiru4JarSgi7D88faFZgzmnVJoGDm9C0COAmtjqgsCXPzA@mail.gmail.com>
In-Reply-To: <CAH1iCiru4JarSgi7D88faFZgzmnVJoGDm9C0COAmtjqgsCXPzA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Question about draft-ietf-sidr-pfx-validate-03
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2011 08:18:28 -0000

Brian,

Danny is talking about pfx-validate, which is not the same as BGPSEC.

--John

On Nov 13, 2011, at 1:48 AM, Brian Dickson wrote:

> I think the current design of BGPsec as memorialized (love that word) in the
> draft-ietf-sidr-bgpsec-protocol would need to be tweaked to handle this.
> 
> I also believe that the result of the proposed tweak, will be a cleaner design
> which is easier to implement and verify, as well as not incurring significant
> operational cost in terms of signatures.
> 
> Local origination SHOULD occur within an AS on a permanent
> basis, and only the announcements from the actual originating router need
> to have unique signatures, regardless of whether they are iBGP or eBGP.
> 
> (Crypto geeks might suggest adding a random "nonce" to make the signature
> a little harder to crack, since very little on the signature material
> will change
> over time - but that is another discussion.)
> 
> Here is the tweak:
> 
>                      Sequence of Octets to be Signed
>                 +---------------------------------------+
>                 | Expire Time (8 octets)                |
>                 +---------------------------------------+
>                 | Origin AS Number (4 octets)           |
>                 +---------------------------------------+
>                 | Algorithm Suite Identifier  (1 octet) |
>                 +---------------------------------------+
>                 | NLRI Length  (1 octet)                |
>                 +---------------------------------------+
>                 | NLRI Prefix  (variable)               |
>                 +---------------------------------------+
> 
> The "Target AS" and "pCount" need to be added, meaning the minimum
> number of signatures
> changes to "one origin" and "one propagation" signature.
> 
> For iBGP within the originating AS, the signature would be "Target AS
> == origin AS", and "pCount == 0".
> 
> For eBGP, it would be what you expect, "Target AS == neighbor", "pCount > 0".
> 
> I think that's all that is needed, and the rest of the validation
> logic in the -protocol doc remain good,
> the -ops-reqs doc allows validation for local AS, and pfx-validate also works.
> 
> Any detail or logic errors in the above can be attributed to not
> enough caffeine... The gist of the above
> should be solid enough, though.
> 
> Brian
> 
> On Sat, Nov 12, 2011 at 11:54 AM, Danny McPherson <danny@tcb.net> wrote:
>> 
>> My read of the current draft suggests that if there's a route generated by
>> the
>> local AS in BGP it could never have a "Valid" state, and by definition
>> would
>> either posses a "Not found" or "Invalid" state -- even though the local
>> AS may well have a "ROA" and reside in the mapping table as well(!).
>> I do not believe the current text is Section 5 is sufficient to address this
>> case,
>> specifically with either this:
>> "Considering invalid routes for BGP decision process is
>> a pure local policy matter and should be done with utmost care."
>> or this:
>> "In some cases (particularly when the selection algorithm is
>> influenced by the adjustment of a route property that is not
>> propagated into IBGP) it could be necessary for routing
>> correctness to propagate the validation state to the IBGP
>> peer. This can be accomplished on the sending side by setting
>> a community or extended community based on the validation
>> state, and on the receiving side by matching the (extended)
>> community and setting the validation state."
>> I could think of a number of way to address this, but for there to exist
>> the
>> possibility that an internally generated prefix (for which a ROA may well
>> exists)
>> could NEVER have a "Valid" state needs to be corrected.
>> Also, S 4:  s/to rest of the network/to the rest of the network/
>> Thanks,
>> -danny
>> 
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>> 
>> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email