Re: [sidr] I-D Action: draft-ietf-sidr-usecases-03.txt

Brian Dickson <brian.peter.dickson@gmail.com> Sat, 31 March 2012 21:09 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92B8D21F8702 for <sidr@ietfa.amsl.com>; Sat, 31 Mar 2012 14:09:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.552
X-Spam-Level:
X-Spam-Status: No, score=-3.552 tagged_above=-999 required=5 tests=[AWL=0.046, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LnMvdFI3Ayv3 for <sidr@ietfa.amsl.com>; Sat, 31 Mar 2012 14:09:26 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 301A521F86F7 for <sidr@ietf.org>; Sat, 31 Mar 2012 14:09:26 -0700 (PDT)
Received: by wgbdr13 with SMTP id dr13so1071148wgb.13 for <sidr@ietf.org>; Sat, 31 Mar 2012 14:09:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ZKLotcoQa8UeH+BQVxWyVIPFz9o1Tk9HbAmdwIuCqUk=; b=Z8rqwgngZ31DbQetaYqhkZZKv3K8zvl+2e4x1gZRKcRO0pFnFXEVgT3fya964TgtPC 0ebN3/jtvgYYv0lka3pPcyXpJezToIyH8LseGztOa8irc71VenX9ehkf09kafSYVaoAA jj7DOBSNJtM2bl4TSD1myY2/pFsgw3g8l6VUk7zhRbe4VTYeDlVhG7TZnd+JbmLDuZjs DsxC6BtXP80VDshcuYJVoX6dA8yHncgC3OYzX+Mg1z/vtfR7s8kMxAPnSU9wDpjB51QN JXmDKouxhCeRlCFBiOOmG7vqAZrGLFjV0kwJDTQQAkKf6py25KQBhgkuFiV92ckhRDDE W4Iw==
MIME-Version: 1.0
Received: by 10.180.105.69 with SMTP id gk5mr11673754wib.3.1333228165317; Sat, 31 Mar 2012 14:09:25 -0700 (PDT)
Received: by 10.223.88.212 with HTTP; Sat, 31 Mar 2012 14:09:25 -0700 (PDT)
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930B96182E59@MBCLUSTER.xchange.nist.gov>
References: <20111031232022.26304.78773.idtracker@ietfa.amsl.com> <D7A0423E5E193F40BE6E94126930C49308E9E3552F@MBCLUSTER.xchange.nist.gov> <6BE70B4B-E585-459D-ACCF-56B6F800E430@kumari.net> <D7A0423E5E193F40BE6E94126930C49308EE1E84C3@MBCLUSTER.xchange.nist.gov> <CAL9jLaYRi1Uj1g1OXVt9O10ZCWWtoCm646fyqGsYrJkJG99HxQ@mail.gmail.com> <CAH1iCipDYJpWmMpmvdX+Z4AW7cg0QarJbaAmf1JeEBq0rGHiAw@mail.gmail.com> <CAL9jLaaZ2z+WfXJCgaa2ob71t4Qk_khC12UZrr8XT9OzCEs8FA@mail.gmail.com> <24B20D14B2CD29478C8D5D6E9CBB29F60F6E0391@Hermes.columbia.ads.sparta.com> <CAH1iCiqk4cgPwQGi4751mZCNes2J4B6z7BeRJ0AD0+An8M_DNg@mail.gmail.com> <24B20D14B2CD29478C8D5D6E9CBB29F60F6E0625@Hermes.columbia.ads.sparta.com> <D7A0423E5E193F40BE6E94126930C4930B96182E59@MBCLUSTER.xchange.nist.gov>
Date: Sat, 31 Mar 2012 17:09:25 -0400
Message-ID: <CAH1iCipMdzrTQDyZxuaQbA1FkVRv-6mbyonR7gHZqM-A7Ag5Cg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
Content-Type: multipart/alternative; boundary="f46d04426f1432c35304bc905fdd"
Cc: Chris Morrow <morrowc@ops-netman.net>, "Murphy, Sandra" <Sandra.Murphy@sparta.com>, "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-usecases-03.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Mar 2012 21:09:28 -0000

Sriram, and Sandy,

Yes, and no, on the question of whether this is an origin-validation or
path-validation issue.

Actually, that is where the problem originates, if you forgive the double
meaning.

Both the protocol spec (for bgpsec) and the use-cases, and all of the
particulars of the RPKI design,
require all the pertinent details to be aligned.

If you consider what the current draft of the protocol spec says,
specifically on sections 4.1 and 5.1,
about originating, and validating origination, it specifically references
ROA from RPKI.

What this means is, that any change to where bgpsec "begins" signatures,
will necessarily require
revisiting ROA components or structures or whatever, which then require
revisiting anything that
refers to those ROAs, which includes pretty much everything on the
origin-validation front.

It is all fine and well to do origin-validation based on BGP origination,
but since the current design
of bgpsec is anchored to (vanilla, non-sec) BGP origination as well, this
means identifying affected
elements when challenging the bgpsec design.

And, what I'm suggesting is, that restricting bgpsec deployment to only
origin AS operators who deploy
bgpsec (i.e. excluding proxy injection into bgpsec from non-bgpsec
origins), is not something the operator
community is likely to accept with open arms.

There are too many edge ASNs today, using too many vendors' equipment with
too many varieties
of equipment within vendors, and too varied code base, to believe rapid
uptake or critical mass is
feasible in the timeline the WG participants might like to believe.

And I don't believe the opinions of participants in the WG is sufficient to
say yay or nay to the current assumption.

So, it is only a consequence of other decisions, that use-cases is touched
on. However, that it is, is provable
by simple classic logic.

A->B and B->C, when combined with !C, means !B, means !A.
Here, C is edge-ASNs doing BGPSEC, B is ROAs exclusively tied to BGP origin
ASNs, and A is use-cases as currently enumerated.

The document, other than the corner cases such as this (proxy origination
on the bgpsec side), is fine.

Brian

On Sat, Mar 31, 2012 at 4:31 PM, Sriram, Kotikalapudi <
kotikalapudi.sriram@nist.gov> wrote:

> Brian,
>
> There is a clear distinction between “prefix-origin validation” (based on
> ROA information)
> and "origination (signed injection into BGPSEC)" in the SIDR working
> group's usage of these terms.
> You seem to be attempting to use these two terms with the same connotation.
> Your comments clearly pertain to path signing. You seem to be especially
> concerned about
> path signing by a stub origin AS or by a proxy AS (e.g., the stub AS's
> upstream transit provider).
> Draft-ietf-sidr-usecases I-D documents use cases relating only to
> “prefix-origin validation”.
> A use-cases document for the path signing would be a separate document;
> as far as I know no one is working on it at the moment.
> So your comments seem misplaced, i.e., they appear not relevant to
> draft-ietf-sidr-usecases.
> Please also see my response in my other post that follows this post, but
> with the subject:
> stub AS and proxy signing.
> Thank you.
>
> Sriram
>
> >
> > To: Brian Dickson <brian.peter.dickson at gmail.com>
> > Subject: Re: [sidr] I-D Action: draft-ietf-sidr-usecases-03.txt
> > From: "Murphy, Sandra" <Sandra.Murphy at sparta.com>
> > Date: Sat, 31 Mar 2012 04:12:10 +0000
> >
> > speaking as regular ol' member
> >
> > I'm not really sure what you are talking about here.
> >
> > You speak of bgpsec and signing - that is not origin validation, that
> > is path validation.
> >
> > Origin validation is strictly and only judging whether the origin has
> > the authority to originate announcements of the prefix.  Origin
> > validation does not ensure that the authorized AS is actually making
> > the announcement.
> >
> > It is bgpsec path validation that ensures that the announcement is
> > currently and authentically being announced by the AS.  That's the
> > "signed injection" you mention.
> >
> > --Sandy
> >
> > From: Brian Dickson [brian.peter.dickson at gmail.com]
> > Sent: Friday, March 30, 2012 8:55 AM
> > To: Murphy, Sandra
> > Cc: Christopher Morrow; Sriram, Kotikalapudi; Chris Morrow; sidr at
> > ietf.org list
> > Subject: Re: [sidr] I-D Action: draft-ietf-sidr-usecases-03.txt
> >
> > Sandy,
> >
> > The use case example I included, is an origin validation use case.
> >
> > The problem is the inability to have "origination" (signed injection
> > into BGPSEC) done by proxy, at all or especially by more than one
> > party.
> >
> > The particular situation leading to the need for this, would be a stub
> > AS whose router vendor does not support BGPSEC, or whose router
> > hardware or code base is not included in BGPSEC support by their
> > router vendor.
> >
> > (Doing a forklift upgrade to do BGPSEC is generally seen as #FAIL by
> operators.)
> >
> > This is likely to be a fairly common situation _among stub AS_ and,
> > given the current requirement for origin injection for BGPSEC,
> > addressing this _may_ impact the use cases document, for _origin
> > validation_.
> >
> > I'm just saying...
> >
> > Brian
> >
> > On Fri, Mar 30, 2012 at 4:21 AM, Murphy, Sandra <Sandra.Murphy at
> > sparta.com> wrote:
> > Brian, Chris.
> >
> > The usecases draft was intended to describe origin validation use cases.
> >
> > Route leaks (and other path validation issues) might need their own
> > usecases draft.
> >
> > But I don't think we should add those cases to this draft.
> >
> > --Sandy
> >
> > ________________________________________
> > From: christopher.morrow at gmail.com [christopher.morrow at
> > gmail.com] on behalf of Christopher Morrow [morrowc.lists at
> > gmail.com]
> > Sent: Thursday, March 29, 2012 7:21 PM
> > To: Brian Dickson
> >
> > On Thu, Mar 29, 2012 at 3:11 PM, Brian Dickson
> > <brian.peter.dickson at gmail.com> wrote:
> >
> >> I think the use cases are likely to be informed by protocol design, so
> even
> >
> > s/informed by protocol design/altered if the protocol design changes/
> >
> > I'm not sure if the protocol design's going to change the use-cases...
> > you're still going to want to secure a route. (not an important point)
> >
> >> I have a few examples that I can think of, which would necessarily
> depend
> > <snip>
> >> I'd prefer this to be added to a "raft" of IDs, for which there is no
> rush
> >> to publish until they are all completed, after which the timing would be
> >> appropriate.
> >
> > I'm not against this, though we've got a document hanging out post
> > WGLC (perhaps it ought to be re-reviewed if the changes were
> > significant... anyway) and we'll have to keep kicking it each 5.5
> > months to stay 'alive'. (again, not super important, and see below as
> > well)
> >
> >> Here's an example of use-case, which depends on certain assumptions
> (which
> >> may or may not be appropriate, but which are fodder for discussion):
> >>
> >> Suppose there is an Edge-AS "E", and transit providers to "E", which
> would
> >> be "X" and "Y".
> >>
> >> Suppose "E" does not do BGPSEC (per se), but wants to have BGPSEC
> signing
> >> done "for her", by "X" and "Y".
> >>
> >> (Ignore for the moment that the _current_ designs don't support that,
> that
> >> is an entirely other rat-hole for the moment.)
> >
> > hrm, in:
> >
> >  <http://tools.ietf.org/id/draft-ietf-sidr-bgpsec-ops-04.txt>
> >
> > section-6 there's discussion of 'only sign your one prefix, do nothing
> > else complex' which fits the model, albeit requiring the end site to
> > run some small number of commands on their device. If they wanted to
> > hand their private key materials to the upstreams they could do the
> > signing, but that seems icky (to me).
> >
> > I don't know that, if implications are understood by the end site and
> > configurations available for use on their side, end-sites would want
> > to hand over control of their IP assets in this way. Running the
> > signing on their side should be simple enough, and low/no-cost.
> >
> >> And publishing something IMHO prematurely, locks the WG into that RFC,
> >> making revising it much harder, than if it were still in-WG and
> >> not-yet-published.
> >
> > I think the authors said something like: "send text" where you think
> > it is fit to be inserted... If other folks want to delay/re-review
> > they need to speak up. Consensus so far was that the document was
> > ready to move along.
> >
> > -chris
>