Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-ops-12: (with COMMENT)
Christopher Morrow <morrowc.lists@gmail.com> Wed, 04 January 2017 16:40 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD85C1299A8; Wed, 4 Jan 2017 08:40:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LyBsG_uGZsrm; Wed, 4 Jan 2017 08:40:36 -0800 (PST)
Received: from mail-qk0-x244.google.com (mail-qk0-x244.google.com [IPv6:2607:f8b0:400d:c09::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E455712999E; Wed, 4 Jan 2017 08:40:35 -0800 (PST)
Received: by mail-qk0-x244.google.com with SMTP id u25so54607990qki.2; Wed, 04 Jan 2017 08:40:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=u1Z+PWLVOMcxZf9xKLbmGMeQHjuoNviN+XyUjpmiOGQ=; b=AV5qL92vdSwtd6n59s/r2zvHIB98yEM5BzPMBWV8T+II7tJ2lpzCE2SO7JY+SBBs6h Yvz/B64H/hUixT9RNv6tj10SoaUBsmToMNGTIlg+1bwusz3FpVCfbXfAp5j2zarCdUhv 1P/tG2aCN/7NfKz/Nwzf3Ly35031mnnRmSWYUOj2yqPImWtX7L1wKb0L8VBLtwn8Et8B OGYWGiLGFb7UHxAvLv7bxvCemPGL1/IddSnwLVr8ZelY5uaotVPiwAwfrz6lFTrylYwb 3g/3OR4Lbjr9OPyHwSTneNVRQGcuge7hlLIZNQ+k0JXMcTDwKwv/emyxAUl0HuE7uGdj vl8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=u1Z+PWLVOMcxZf9xKLbmGMeQHjuoNviN+XyUjpmiOGQ=; b=naXYmH2YTk0CJ5WhwGeDN9ShFhCmEMh9nxCDsMYUFqP1l+dSrtVcWHytH9wlm0zsQ/ thAM8iO835Mp2la2lTFIOMcNMQH+6vl7AAEcaVeI7Bqq4JfjkD3oqjyyPARuI2exoUO9 76Ztl95jslulaqCo+js+LhO+xYi9RMldZRqPoqqKAnJIQJmVwU/4dFVOqJHadT1KEvZS 9JJDKHyDd9F0PPVn96hdMMBbdhHfWzWnt/l0gMo8imNwZFw/OZJ2FTh1vMyBK557Zviv jI/2MpBY9GmR2hMPCJv14l6HX3Mx/JgsZy9dJFknmxNYOPeE2qWjJbSkHywCwFhIY3xJ MZcQ==
X-Gm-Message-State: AIkVDXLbqeO/VzJXSKUJO7mTCezldG228UYAAwPGNymevjTpFuFadn21dj0zGEf+X0cC+3nzsTdsz70qLSzgDA==
X-Received: by 10.55.214.152 with SMTP id p24mr56575298qkl.223.1483548035072; Wed, 04 Jan 2017 08:40:35 -0800 (PST)
MIME-Version: 1.0
Sender: christopher.morrow@gmail.com
Received: by 10.140.27.179 with HTTP; Wed, 4 Jan 2017 08:40:34 -0800 (PST)
In-Reply-To: <m2lgurn2jw.wl-randy@psg.com>
References: <148336377615.21819.15119186800162780376.idtracker@ietfa.amsl.com> <m2vatxmv83.wl-randy@psg.com> <563AAA29-82F7-4202-8A54-855CD7702595@kuehlewind.net> <m2tw9hmq76.wl-randy@psg.com> <yj9o60lx6kvm.wl%morrowc@ops-netman.net> <m2shp0nct9.wl-randy@psg.com> <20170103083907.GE5069@gir.theapt.org> <m2lgurn2jw.wl-randy@psg.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Wed, 04 Jan 2017 11:40:34 -0500
X-Google-Sender-Auth: uosXvTDI1wdjsM9RQtQG1MlQEjA
Message-ID: <CAL9jLab2mPfK0ygStQKkhuqJHyqn=68FBU7XpUEc1k96168VHQ@mail.gmail.com>
To: Randy Bush <randy@psg.com>
Content-Type: multipart/alternative; boundary="001a1147998aa349b50545477165"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/5axLYR2S11oEo7ZykN2gsoWVNO0>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr wg list <sidr@ietf.org>, Mirja Kuehlewind <ietf@kuehlewind.net>, Peter Hessler <phessler@theapt.org>, The IESG <iesg@ietf.org>
Subject: Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-ops-12: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 16:40:37 -0000
On Tue, Jan 3, 2017 at 6:31 PM, Randy Bush <randy@psg.com> wrote: > >> ok, i have had coffee. > >> > >> as a bif gedanken experiment, posit a global registry where r0 can say > >> "i can speak bgpsec." i am a distant r1 and receive an unsigned path > >> with r0 in it. > >> o did someone before r0 on the path not speak bgpsec, so the path was > >> never signed? > >> o did someone between us not speak bgpsec, so the path was stripped? > >> o was there a monkey in the middle? > >> > >> i think we did discuss this problem space, and decided that, as long as > >> we allow islands of partial deployment, and therefore path stripping, > >> the monkey is on our back. we might have been wrong in this; but even > >> with coffee i do not see a way out. > >> > >> and i do not think the idea of partial path signing, r0 signing a > >> received unsigned path, would have helped a lot. > >> > >> it is not clear to me that this is a space where the ops doc can help > >> much. i am open to ideas. > > > > I'm currently not using bgpsec (or rpki for that matter). BUT, if there > > was no path to go back, I would never ever use it. Destroying my ASN > > because I wasn't ready to migrate is a straight-up No Go(tm). > > > > Mistakes will be made. Rolling back will happen. Preventing rolling > > back will kill the baby and will guarentee this will never be rolled > > out. > > what do you mean by "no path to go back" and "rolling back?" > > perhaps to paraphrase peter's question/comment: He's worried that the proposed standard may leave a user of the technology in a position where 'old bgp' is not functioning for him. I believe we ran over this horse several times in the WG and other places, basically to provide a path from 'today' to 'tomorrow' the ability to co-exist is required. On day-0 no bgpsec exists, on day-1 you (peter) turn up your first bgpsec peer pop champagne and rejoice... On day-2 you turn up 200 more... then on day-10 you realize things are not working so you disable bgpsec via some knob on your vendors' devices... All along both 'old bgp' and 'new bgpsec bgp' are working alongside each other. Randy's correct that the protocol / etc specs cover this sort of thing... fairly well. Because 'there are no flag days' on the intertubes, we have to plan for co-existence... Just like ipv6 did... wait, I mean dnssec. ;) -chris
- [sidr] Mirja Kühlewind's No Objection on draft-ie… Mirja Kuehlewind
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Randy Bush
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Mirja Kuehlewind (IETF)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Randy Bush
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Chris Morrow
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Randy Bush
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Peter Hessler
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Chris Morrow
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Alvaro Retana (aretana)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Mirja Kuehlewind (IETF)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Randy Bush
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Randy Bush
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Christopher Morrow