IETF Logo Mail Archive

Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 20 December 2016 22:56 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D607C129573; Tue, 20 Dec 2016 14:56:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GpQNwT_wfDZr; Tue, 20 Dec 2016 14:56:11 -0800 (PST)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0095.outbound.protection.outlook.com [23.103.200.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ED4C1294B0; Tue, 20 Dec 2016 14:56:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=6lUr8UYcMCfWXBQP8qVdUvMiBdfy3BfYWcCb4epAVwM=; b=oUTmoIYOIW04/ZvjVMSLjNLhvjl461iWKveBpn/VJlDqmD1OmoamyO4nCFW9c8XiHHZL5iUoK8qezMchkrhclyE51KTE71qulexvXRC0P72FmUecRR6UlnB+e0G5ajr4C+cLZuebe38y2owoke4vpZllxAxeDVMdfEUaX+WXo/s=
Received: from DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) by DM2PR09MB0445.namprd09.prod.outlook.com (10.161.252.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.789.14; Tue, 20 Dec 2016 22:56:09 +0000
Received: from DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) by DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) with mapi id 15.01.0789.018; Tue, 20 Dec 2016 22:56:09 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>, "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "keyur@arrcus.com" <keyur@arrcus.com>
Thread-Topic: Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
Thread-Index: AQHSUmenE2EHhTbiU0q7IXrD4ZYx2aEF0Iz4gAN2lwCACDChKA==
Date: Tue, 20 Dec 2016 22:56:09 +0000
Message-ID: <DM2PR09MB044634DCE6C5D55112DDEF6384900@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com> <DM2PR09MB04460DC9A23E1F58AEE629BF849B0@DM2PR09MB0446.namprd09.prod.outlook.com>, <98186E08-8CAC-4EB0-9E84-BBABACC43678@cisco.com>
In-Reply-To: <98186E08-8CAC-4EB0-9E84-BBABACC43678@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.223.52]
x-ms-office365-filtering-correlation-id: d6b86271-9178-4564-093b-08d4292b6376
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM2PR09MB0445;
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0445; 7:WvSRLorkwKS22tfSq3oAUsKq8M4fF5kW50woiKYv+WaIYO60KIfcC8GmkeJ8hsr0G1GOyFkPmnT13pfyQZMa9LtZeDQPdVjK02Z0ZpBZJdOzrDwxGMaOyJPKkPiwwExCqZwR8XC8zfROUnsKS/DiWkI+kurHCPBwfPuHyFgH5PfjGSvTYzgIjCFzuxNnYGZyarZcLMyeOBV7gOUZHH6KliIjWNaO6im+8ytKEUlIKXoHocupKMNfDPCAhS/NHZxhAuZWoH/jfL80QhFP9WvRkt5C170SR3Byvp6K4nPzQol0CB/ypyNQNSnT2mi+bIUgH9B+dq2LcEt+vIGHI/pDDFqi+kvsh9JXr9yNVqG3zgjSVaDeLINvRMNJh3G4WA6AjdBC5YamBcgE5Mu+soE8268N8OSUQIKgxKweykFgA9yPDduuQS4B81sbNl2zv6mrmUyaAt1GHXoY86Q3JTw2XA==
x-microsoft-antispam-prvs: <DM2PR09MB04455D1AF260DC4503F560AD84900@DM2PR09MB0445.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(6041248)(20161123555025)(20161123562025)(20161123564025)(20161123560025)(6072148); SRVR:DM2PR09MB0445; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0445;
x-forefront-prvs: 0162ACCC24
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39850400002)(39860400002)(39410400002)(39840400002)(39450400003)(189002)(199003)(9686002)(8676002)(6606003)(5660300001)(189998001)(122556002)(2501003)(2950100002)(97736004)(86362001)(25786008)(7736002)(6436002)(5001770100001)(230783001)(2201001)(74316002)(2906002)(3280700002)(66066001)(81156014)(3660700001)(54356999)(50986999)(229853002)(81166006)(76176999)(101416001)(38730400001)(2900100001)(77096006)(106356001)(7696004)(6116002)(19627405001)(33656002)(3846002)(105586002)(106116001)(92566002)(68736007)(99286002)(4326007)(102836003)(8936002)(6506006)(76576001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0445; H:DM2PR09MB0446.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM2PR09MB044634DCE6C5D55112DDEF6384900DM2PR09MB0446namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Dec 2016 22:56:09.2463 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0445
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/3j6h7PT14WJGKK3cIqTttVmy3rU>
Cc: Matthias Waehlisch <m.waehlisch@fu-berlin.de>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Dec 2016 22:56:14 -0000

Thinking about it some more, I now find that your proposed solution of adding a signature with pCount = 0 at the border of the confederation works well and fully addresses these two concerns (the second concern is new).

(1) Your proposed solution addresses the concern you brought up in an earlier message -

https://www.ietf.org/mail-archive/web/sidr/current/msg08081.html

(2) It also keeps confed ASes from failing to validate properly the signature injected at the boundary.  This is explained below.

First let us take note of the following two instructions that are in the spec:

(a)  From page Section 4.3 (page 16):

"When a confederation

   member sends a BGPsec update message to a peer that is a member of

   the same confederation but is a different Member-AS, the

   confederation member puts its (private) Member-AS Number (as opposed

   to the public AS Confederation Identifier) in the AS Number field of

   the Secure_Path Segment that it adds to the BGPsec update message."

(b)  From Section 5.2 (page 25):  (note: this one is part of the method of identifying the Target AS while assembling the data to be hashed for signature validation)

"For each other Signature Segment (N smaller than K), the 'Target

      AS Number' is AS(N+1), the AS number in the Secure_Path segment

      that corresponds to the Signature Segment added immediately after

      the one being processed."

Now I will explain what I mean by (2) above using the same example that you presented earlier:

AS1 -> AS2/AS65001 -> AS65002/AS2 -> AS3 (AS2 is the Confederation ID and AS65001 and AS65002 are Members)

In this example, by "signature injected at the boundary", we mean the signature of AS1 to AS2 (in the update received by AS65001). Let us think about the step where AS65002 is processing the update from AS65001 and validating the "signature injected at the boundary". Following step (a) above, AS65001 put in its own private AS number (i.e. AS65001) in the Secure_Path Segment that it added to the BGPsec update message forwarded to AS65002. Therefore, following step (b), AS65002 identifies AS65001 to be the 'Target AS Number' for the data to be hashed for validating the signature. However, this would falsely result in 'Invalid' outcome for the signature being validated by AS65002. Because AS1 actually signed to AS2 (the public AS number), and hence the 'Target AS Number' is actually AS2.

Now the solution: Your suggested solution says that AS65001 should add a signature where it uses the private key of the public AS (i.e. AS2) to sign and forward the update to itself (AS65001) with pCount = 0. Correspondingly, AS65001 also puts in the public AS number (i.e. AS2) in the Secure_Path Segment that it adds to the BGPsec update message sent to itself. (Please correct me if I misunderstood.) This helps to fully address the problem identified above. (Note that AS65001 follows instruction (a) when it subsequently forwards the update to AS65002, and AS65002 follows instruction (b) while validating. The validation now works without the error identified above.)

If we agree and others on the WG list express no objection or find no fault in this solution, I will be happy to go ahead and add this solution for the confederation case (it requires just a couple of sentences to be added the spec).

Thank you.

Sriram

v2.23.0 | Report a Bug | By Email