Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

"Montgomery, Douglas" <dougm@nist.gov> Mon, 09 April 2012 17:48 UTC

From: "Montgomery, Douglas" <dougm@nist.gov>
To: "robert@raszuk.net" <robert@raszuk.net>, "Murphy, Sandra" <Sandra.Murphy@sparta.com>
Date: Mon, 9 Apr 2012 13:48:08 -0400
Cc: "idr@ietf.org List" <idr@ietf.org>, "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

On 4/9/12 1:22 PM, "Robert Raszuk" <robert@raszuk.net> wrote:

>Hi Sandy,
>
>> There is no reverse direction.
>
>What do you mean there is no reverse direction ?
>
>Sriram said:
>
>"When the update is to leave a BGPSEC island to go to a BGP-4 only AS,
>then the Secure Path is easily converted to BGP-4 AS_PATH at the edge of
>the BGPSEC island."
>
>That means that there is EBGP peering at the two ASes which on one side
>supports BGPSEC on the other does not.

Right.  BGPSEC doesn't support partially signed PATHS.  Thus an update
either starts off signed, or it is not signed at all.

You can take a signed path, strip the PATH-SIG, reconstruct the AS-PATH
and transmit it to a non-BGPSEC speaker.  But from that point on, the PATH
remains unsigned.

A path that starts off unsigned will always remain unsigned.

Dougm
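
A toy model of the rule stated in this message, added here as an example and not taken from the thread or from the BGPSEC drafts: an update is signed from the origin or not at all, signatures are stripped at the edge of a BGPSEC island, and nothing downstream re-signs. The HMAC stand-in for signatures, the AS numbers, the prefix and all function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import namedtuple

Hop = namedtuple("Hop", "sender receiver signed as_path sigs")

def toy_sign(prefix, signer, target, prev_sig):
    # Toy stand-in for a BGPSEC signature: HMAC under a constructed per-AS key,
    # covering the next AS and the previous signature so the chain is linked.
    key = b"constructed-key-AS%d" % signer
    msg = b"%s|%d|%d|" % (prefix.encode(), signer, target) + prev_sig
    return hmac.new(key, msg, hashlib.sha256).digest()

def propagate(prefix, chain):
    """chain: [(asn, speaks_bgpsec), ...] ordered from origin to last receiver."""
    hops, path, sigs = [], [], None
    for i, ((asn, snd_sec), (nxt, rcv_sec)) in enumerate(zip(chain, chain[1:])):
        path = [asn] + path                      # newest AS first, as in AS_PATH
        if i == 0 and snd_sec:
            sigs = []                            # only the origin can start signing
        if sigs is not None and snd_sec and rcv_sec:
            sigs = [toy_sign(prefix, asn, nxt, sigs[0] if sigs else b"")] + sigs
        else:
            sigs = None                          # stripped or never signed: stays unsigned
        hops.append(Hop(asn, nxt, sigs is not None, list(path), list(sigs or [])))
    return hops

def verify(prefix, hop):
    """Receiver-side check of the toy chain: one linked signature per AS in the path."""
    if not hop.signed or len(hop.sigs) != len(hop.as_path):
        return False
    target = hop.receiver
    for idx, signer in enumerate(hop.as_path):   # walk from newest signer to origin
        prev = hop.sigs[idx + 1] if idx + 1 < len(hop.sigs) else b""
        if not hmac.compare_digest(hop.sigs[idx], toy_sign(prefix, signer, target, prev)):
            return False
        target = signer
    return True

# Constructed example: AS 65003 is BGP-4 only, sitting between two BGPSEC islands.
CHAIN = [(65001, True), (65002, True), (65003, False), (65004, True), (65005, True)]

if __name__ == "__main__":
    for h in propagate("192.0.2.0/24", CHAIN):
        print(h.sender, "->", h.receiver, "signed" if h.signed else "unsigned", h.as_path)
```

In the constructed chain only the first hop carries signatures; the second BGPSEC island (65004, 65005) receives and forwards a plain AS_PATH that still lists every AS.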