Re: [sidr] Question about draft-ietf-sidr-pfx-validate-03
John Scudder <jgs@juniper.net> Sun, 13 November 2011 08:18 UTC
Return-Path: <jgs@juniper.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D34111E8081 for <sidr@ietfa.amsl.com>; Sun, 13 Nov 2011 00:18:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.483
X-Spam-Level:
X-Spam-Status: No, score=-6.483 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gY5BMn93Rkgs for <sidr@ietfa.amsl.com>; Sun, 13 Nov 2011 00:18:28 -0800 (PST)
Received: from exprod7og125.obsmtp.com (exprod7og125.obsmtp.com [64.18.2.28]) by ietfa.amsl.com (Postfix) with ESMTP id CFF0E21F8B0B for <sidr@ietf.org>; Sun, 13 Nov 2011 00:18:27 -0800 (PST)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob125.postini.com ([64.18.6.12]) with SMTP ID DSNKTr99UYMNqfuB5TuWyN0SAouwe8XaT/vP@postini.com; Sun, 13 Nov 2011 00:18:28 PST
Received: from EMBX02-HQ.jnpr.net ([fe80::18fe:d666:b43e:f97e]) by P-EMHUB02-HQ.jnpr.net ([fe80::88f9:77fd:dfc:4d51%11]) with mapi; Sun, 13 Nov 2011 00:12:23 -0800
From: John Scudder <jgs@juniper.net>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Sun, 13 Nov 2011 00:12:22 -0800
Thread-Topic: [sidr] Question about draft-ietf-sidr-pfx-validate-03
Thread-Index: Acyh2/iXYPGEVq+2S92voo/0gPTNcQ==
Message-ID: <50D11ABB-8AFB-48EB-B0CE-753EEA39D539@juniper.net>
References: <E3CAD10A-758F-435F-B79F-62171DD373CC@tcb.net> <CAH1iCiru4JarSgi7D88faFZgzmnVJoGDm9C0COAmtjqgsCXPzA@mail.gmail.com>
In-Reply-To: <CAH1iCiru4JarSgi7D88faFZgzmnVJoGDm9C0COAmtjqgsCXPzA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Question about draft-ietf-sidr-pfx-validate-03
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2011 08:18:28 -0000
Brian, Danny is talking about pfx-validate, which is not the same as BGPSEC. --John On Nov 13, 2011, at 1:48 AM, Brian Dickson wrote: > I think the current design of BGPsec as memorialized (love that word) in the > draft-ietf-sidr-bgpsec-protocol would need to be tweaked to handle this. > > I also believe that the result of the proposed tweak, will be a cleaner design > which is easier to implement and verify, as well as not incurring significant > operational cost in terms of signatures. > > Local origination SHOULD occur within an AS on a permanent > basis, and only the announcements from the actual originating router need > to have unique signatures, regardless of whether they are iBGP or eBGP. > > (Crypto geeks might suggest adding a random "nonce" to make the signature > a little harder to crack, since very little on the signature material > will change > over time - but that is another discussion.) > > Here is the tweak: > > Sequence of Octets to be Signed > +---------------------------------------+ > | Expire Time (8 octets) | > +---------------------------------------+ > | Origin AS Number (4 octets) | > +---------------------------------------+ > | Algorithm Suite Identifier (1 octet) | > +---------------------------------------+ > | NLRI Length (1 octet) | > +---------------------------------------+ > | NLRI Prefix (variable) | > +---------------------------------------+ > > The "Target AS" and "pCount" need to be added, meaning the minimum > number of signatures > changes to "one origin" and "one propagation" signature. > > For iBGP within the originating AS, the signature would be "Target AS > == origin AS", and "pCount == 0". > > For eBGP, it would be what you expect, "Target AS == neighbor", "pCount > 0". > > I think that's all that is needed, and the rest of the validation > logic in the -protocol doc remain good, > the -ops-reqs doc allows validation for local AS, and pfx-validate also works. > > Any detail or logic errors in the above can be attributed to not > enough caffeine... The gist of the above > should be solid enough, though. > > Brian > > On Sat, Nov 12, 2011 at 11:54 AM, Danny McPherson <danny@tcb.net> wrote: >> >> My read of the current draft suggests that if there's a route generated by >> the >> local AS in BGP it could never have a "Valid" state, and by definition >> would >> either posses a "Not found" or "Invalid" state -- even though the local >> AS may well have a "ROA" and reside in the mapping table as well(!). >> I do not believe the current text is Section 5 is sufficient to address this >> case, >> specifically with either this: >> "Considering invalid routes for BGP decision process is >> a pure local policy matter and should be done with utmost care." >> or this: >> "In some cases (particularly when the selection algorithm is >> influenced by the adjustment of a route property that is not >> propagated into IBGP) it could be necessary for routing >> correctness to propagate the validation state to the IBGP >> peer. This can be accomplished on the sending side by setting >> a community or extended community based on the validation >> state, and on the receiving side by matching the (extended) >> community and setting the validation state." >> I could think of a number of way to address this, but for there to exist >> the >> possibility that an internally generated prefix (for which a ROA may well >> exists) >> could NEVER have a "Valid" state needs to be corrected. >> Also, S 4: s/to rest of the network/to the rest of the network/ >> Thanks, >> -danny >> >> _______________________________________________ >> sidr mailing list >> sidr@ietf.org >> https://www.ietf.org/mailman/listinfo/sidr >> >> > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… Randy Bush
- [sidr] Question about draft-ietf-sidr-pfx-validat… Danny McPherson
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… Brian Dickson
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… Pradosh Mohapatra
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… Danny McPherson
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… John Scudder
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… John Scudder
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… Danny McPherson
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… Pradosh Mohapatra
- Re: [sidr] Question about draft-ietf-sidr-pfx-val… Brian Dickson