IETF Logo Mail Archive

Re: [sidr] Stephen Farrell's No Objection on draft-ietf-sidr-bgpsec-ops-13: (with COMMENT)

Randy Bush <randy@psg.com> Wed, 04 January 2017 15:44 UTC

Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FD051295BA; Wed, 4 Jan 2017 07:44:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.001
X-Spam-Level:
X-Spam-Status: No, score=-10.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_B2QLt5IroU; Wed, 4 Jan 2017 07:44:39 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FC4B129496; Wed, 4 Jan 2017 07:44:39 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com) by ran.psg.com with esmtp (Exim 4.86_2) (envelope-from <randy@psg.com>) id 1cOnjv-00020W-2X; Wed, 04 Jan 2017 15:44:35 +0000
Date: Thu, 05 Jan 2017 00:44:32 +0900
Message-ID: <m2mvf6lti7.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <148353764984.13034.8506727126675155642.idtracker@ietfa.amsl.com>
References: <148353764984.13034.8506727126675155642.idtracker@ietfa.amsl.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.5 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/6d55KrKlioPeNtGQJAXHJirYSK4>
Cc: The IESG <iesg@ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Stephen Farrell's No Objection on draft-ietf-sidr-bgpsec-ops-13: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 15:44:40 -0000

> - general: given where we are with deployment I wonder
> would it be a good idea if this document explicitly said
> sometthing to the effect that "it's early days, this is
> what we think is the BCP but that may change over time, so
> while we think doing this is right, be careful to not
> paint yourself into a corner when doing this."

added

    As with most operational practices, this document will likely
    evolve.
    
> - intro: this seems to say: first do rpki and only when
> that's finished start on bgpsec - is that really what's
> meant? The rest of the document makes me doubt that. I
> think what you maybe meant was "Any specific ASN needs to
> have setup RPKI for itself before it can speak BGPsec."

we are in a twisty maze of nomenclature.  to be boringly clear (i
suspect you know this stuff, but i believe that you are using the wrong
terms).

    The RPKI is the X.509 based hierarchy [rfc 6481] with is congruent
    with the internet IP address allocation administration, the IANA,
    RIRS, ISPs, ...  It is the substrate on which the next two are
    based.  It is currently deployed in all five administrative regions.

    RPKI-based Origin Validation [rfc 6811] uses some of the RPKI data
    to allow a router to verify that the autonomous system announcing an
    IP address prefix is in fact authorized to do so.  This is not
    crypto checked so can be violated.  But it should prevent the vast
    majority of accidental 'hijackings' on the internet today, e.g. the
    famous Pakistani accidental announcement of YouTube's address space.
    RPKI-based origin validation is in shipping code from Cisco,
    Juniper, AlcLu, and others.

    Path validation, AKA BGPsec, is a the next technology step with only
    proto/test code.  It uses the full crypto information of the RPKI to
    allow a receiver of a BGP announcement to formally cryptographically
    validate that the originating autonomous system was truly authorized
    to announce the IP address prefix, and that the systems through
    which the announcement passed were indeed those which the
    sender/forwarder at each hop intended.

so, i think you are referring to

   As core BGPsec-capable routers may require large memory and/or modern
   CPUs, origin validation based on the Resource Public Key
   Infrastructure (RPKI), [RFC6811], will occur over some years and
   BGPsec will start to deploy after that.

as rpki is deployed to a fair extent, origin validation is baked into
current routers, and bgpsec in the core will require bigger hardware, OV
before BGPsec would seem to be the sequence.

otoh, your last statement is true, an operator will have to set up rpki
data before deploying either origin validation or bgpsec.  rpki is
needed for both.

so i am not sure what you are suggesting i do.

> - intro, 3rd para: where are the "special operational
> considerations" explained? A reference would be good.  If
> there's no good reference, I'm not clear why saying this
> is useful. (Actual operators might find this clear of
> course, in which case, please ignore me.)

how about

    This has special operational considerations, see Section 6.

> - section 2: this refers to the BGPsec overview which
> refers back to this document, but says that this is
> informational rather than a BCP. Just noting that in case
> there's confusion and that's not just a typo or a case of
> the overview not having been updated. I expect the fix is
> to change the text in the overview.

i can support that :)

> - section 5: What does "fully BGPSEC enabled" mean
> exactly? That could be referring to signing or to
> validation of signatures (with or without hard fails) or
> to never emitting unsigned or accepting unsigned
> announcements or to some combination of the above.  It
> might be better to avoid use of such a term in order to
> avoid having to define it for now. (This relates also to
> the mail subsequent to Mirja's comments.)

somehow i do not think that adding more words helps, but

   In an AS where edge routers speak BGPsec and therefore inject BGPsec
   paths into the iBGP, Route Reflectors MUST have BGPsec enabled if and
   only if there are eBGP speakers in their client cone, i.e. an RR
   client or the transitive closure of a client's customers' customers'
   customers' etc.

> - section 7: MED could do with expansion and a reference.

how about

    ... value such as local-preference or multi-exit discriminator
    (MED).

> - section 7: I'm not clear what you mean by "RPKI version
> skew." You could explain that or maybe use another basis
> to explain why R0 and R1 might disagree, e.g. revocation
> status info availability or freshness maybe.

sigh.  more words.

   As the mildly stochastic timing of RPKI propagation may cause version
   skew across routers, an AS Path which does not validate at router R0
   might validate at R1.

> - section 8: "forward signed to R" is a bit opaque (for me
> anyway, before I read the protocol draft). Maybe better to
> explain this a bit more.

2.  Suggested Reading

   It is assumed that the reader understands BGP, see [RFC4271], BGPsec,
   [I-D.ietf-sidr-bgpsec-overview], the RPKI, see [RFC6480], the RPKI
   Repository Structure, see [RFC6481], and Route Origin Authorizations
   (ROAs), see [RFC6482].

should i change that from -overview to -protocol?

randy

v2.23.0 | Report a Bug | By Email