IETF Logo Mail Archive

[sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]

Randy Bush <randy@psg.com> Sat, 16 June 2012 04:50 UTC

Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30F8521F8470 for <sidr@ietfa.amsl.com>; Fri, 15 Jun 2012 21:50:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.572
X-Spam-Level:
X-Spam-Status: No, score=-2.572 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gzB3ho4SDOl0 for <sidr@ietfa.amsl.com>; Fri, 15 Jun 2012 21:50:34 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 3572921F8467 for <sidr@ietf.org>; Fri, 15 Jun 2012 21:50:34 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <randy@psg.com>) id 1Sfky1-000Kt3-Kq for sidr@ietf.org; Sat, 16 Jun 2012 04:50:33 +0000
Date: Sat, 16 Jun 2012 13:50:31 +0900
Message-ID: <m2fw9vq2qw.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: sidr wg list <sidr@ietf.org>
In-Reply-To: <4FDBF181.7060809@ops-netman.net>
References: <4FDBF181.7060809@ops-netman.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Subject: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jun 2012 04:50:35 -0000

bgpsec and confederations

allow me to try to state clearly for the list

    When an update enters the first AS in a confederation, all last
    internal ASBRs within the entry AS of the confederation, i.e the
    first signers within the confederation, set a flag in the signature
    block that says "I am the first signature within the confederation."

    The update wanders around normally in the confederation and every
    sending internal confederation ASBR signs it with their internal AS.

    A confederation's exit router looks backwards in the AS sequence
    until it finds the first, i.e. most recent, instance of that flag.
    If it finds no flag, the update is treated as originated within the
    confederation.

    It strips the signature block containing the flag and all subsequent
    signature blocks.  All signs of the internals of the confederation
    have now been removed.

    It then forward signs to the next AS, using the identity of the
    public confederation AS.

    While the update is traversing the confederation, if it should hit a
    peering where the peer is is not bgpsec capable, it strips all
    bgpsec gloop and reconstructs a classic AS_path.

this is believed to handle the loop disease (e.g. the cisco "neighbor
allowas-in" command).

what if anything should be done if you find the confed flag when you are
not inside a confed is a topic for discussion.

does anyone see a flaw in the above?  please please review so we can put
it to bed.

randy

v2.23.0 | Report a Bug | By Email