Re: [sidr] Confeds and clusters
"John G. Scudder" <jgs@bgp.nu> Tue, 19 June 2012 19:19 UTC
Return-Path: <jgs@bgp.nu>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62E9111E814A for <sidr@ietfa.amsl.com>; Tue, 19 Jun 2012 12:19:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.043
X-Spam-Level:
X-Spam-Status: No, score=-102.043 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_IS_SMALL6=0.556, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wZED-xWttRDN for <sidr@ietfa.amsl.com>; Tue, 19 Jun 2012 12:19:28 -0700 (PDT)
Received: from bgp.nu (bgp.nu [147.28.0.53]) by ietfa.amsl.com (Postfix) with ESMTP id DD88611E8144 for <sidr@ietf.org>; Tue, 19 Jun 2012 12:19:28 -0700 (PDT)
Received: from [172.16.13.202] (75-151-14-10-Michigan.hfc.comcastbusiness.net [75.151.14.10]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by bgp.nu (Postfix) with ESMTP id EB2E666D370; Tue, 19 Jun 2012 15:19:27 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: "John G. Scudder" <jgs@bgp.nu>
In-Reply-To: <8F5B0091-FF46-479B-8608-DA0537B15427@ericsson.com>
Date: Tue, 19 Jun 2012 15:19:26 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <896FF5B3-960D-414C-A3AA-6A7F3AAA7F48@bgp.nu>
References: <4FDBF181.7060809@ops-netman.net> <m2fw9vq2qw.wl%randy@psg.com> <8F5B0091-FF46-479B-8608-DA0537B15427@ericsson.com>
To: Jakob Heitz <jakob.heitz@ericsson.com>
X-Mailer: Apple Mail (2.1278)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Confeds and clusters
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2012 19:19:29 -0000
In addition to Wes and Randy's observations about trust boundaries, it's also the case that mechanically, the confederation embeds its loop prevention information in the AS path, so we have to have *some* way of dealing with it since bgpsec is monkeying with the AS path. The same problem doesn't exist for the cluster list since it's a separate attribute. --John On Jun 16, 2012, at 3:31 AM, Jakob Heitz wrote: > All the effort to sign the confed AS got me thinking. > A route reflector cluster is like a member AS in a confed. > Is there a case for signing the cluster list too? > > IMHO: AS boundaries are for marking boundaries of trust. > Confeds are for achieving scalability within an AS. > I think signatures are only needed across trust boundaries. > More is unnecessary complexity. > > -- > Jakob Heitz. > > > On Jun 15, 2012, at 9:50 PM, "Randy Bush" <randy@psg.com> wrote: > >> bgpsec and confederations >> >> allow me to try to state clearly for the list >> >> When an update enters the first AS in a confederation, all last >> internal ASBRs within the entry AS of the confederation, i.e the >> first signers within the confederation, set a flag in the signature >> block that says "I am the first signature within the confederation." >> >> The update wanders around normally in the confederation and every >> sending internal confederation ASBR signs it with their internal AS. >> >> A confederation's exit router looks backwards in the AS sequence >> until it finds the first, i.e. most recent, instance of that flag. >> If it finds no flag, the update is treated as originated within the >> confederation. >> >> It strips the signature block containing the flag and all subsequent >> signature blocks. All signs of the internals of the confederation >> have now been removed. >> >> It then forward signs to the next AS, using the identity of the >> public confederation AS. >> >> While the update is traversing the confederation, if it should hit a >> peering where the peer is is not bgpsec capable, it strips all >> bgpsec gloop and reconstructs a classic AS_path. >> >> this is believed to handle the loop disease (e.g. the cisco "neighbor >> allowas-in" command). >> >> what if anything should be done if you find the confed flag when you are >> not inside a confed is a topic for discussion. >> >> does anyone see a flaw in the above? please please review so we can put >> it to bed. >> >> randy >> _______________________________________________ >> sidr mailing list >> sidr@ietf.org >> https://www.ietf.org/mailman/listinfo/sidr > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr
- [sidr] Minutes of 6/6/12 meeting uploaded Chris Morrow
- [sidr] bgpsec and confeds [was: Minutes of 6/6/12… Randy Bush
- [sidr] Confeds and clusters Jakob Heitz
- Re: [sidr] bgpsec and confeds [was: Minutes of 6/… Sriram, Kotikalapudi
- Re: [sidr] bgpsec and confeds [was: Minutes of 6/… Matt Lepinski
- Re: [sidr] Confeds and clusters George, Wes
- Re: [sidr] Minutes of 6/6/12 meeting uploaded Stephen Kent
- Re: [sidr] Minutes of 6/6/12 meeting uploaded Randy Bush
- Re: [sidr] Confeds and clusters Randy Bush
- Re: [sidr] Minutes of 6/6/12 meeting uploaded Stephen Kent
- Re: [sidr] Confeds and clusters John G. Scudder