[sidr] Comment on draft-ietf-sidr-origin-validation-signaling-01
Danny McPherson <danny@tcb.net> Tue, 15 November 2011 02:12 UTC
Return-Path: <danny@tcb.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2070321F8D45 for <sidr@ietfa.amsl.com>; Mon, 14 Nov 2011 18:12:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SsAoqqErtsiI for <sidr@ietfa.amsl.com>; Mon, 14 Nov 2011 18:12:32 -0800 (PST)
Received: from dog.tcb.net (dog.tcb.net [64.78.150.133]) by ietfa.amsl.com (Postfix) with ESMTP id 9969C21F8D44 for <sidr@ietf.org>; Mon, 14 Nov 2011 18:12:32 -0800 (PST)
Received: by dog.tcb.net (Postfix, from userid 0) id 5A2E2268063; Mon, 14 Nov 2011 19:12:32 -0700 (MST)
Received: from dhcp-1267.meeting.ietf.org (dhcp-1267.meeting.ietf.org [130.129.18.103]) (authenticated-user smtp) (TLSv1/SSLv3 AES128-SHA 128/128) by dog.tcb.net with SMTP; for sidr@ietf.org; Mon, 14 Nov 2011 19:12:32 -0700 (MST) (envelope-from danny@tcb.net)
From: Danny McPherson <danny@tcb.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 14 Nov 2011 21:12:13 -0500
Message-Id: <74F0D6F4-EA7B-4B2E-B195-D34448CD4CDF@tcb.net>
To: sidr wg list <sidr@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [sidr] Comment on draft-ietf-sidr-origin-validation-signaling-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 02:12:33 -0000
In general, I don't like the idea of using an extcomm community to convey a prefixes validation state, I think we should deal with this problem natively (e.g., as BGPSEC inter-domain) if we're going to address the problem, in particular if we're not going to address the AS Confederations problem. Furthermore, I don't like the deployment considerations, in particular because of "privilege escalation attacks" which could easily occur through misconfiguration across multiple attribute mapping functions, or simply because the extcomm was received from an BGP peer that isn't "upgraded to support the extensions defined in this document": "In deployment scenarios where not all the speakers in an autonomous system are upgraded to support the extensions defined in this document, it is necessary to define policies that match on the origin validation extended community and set another BGP attribute [I-D.ietf-sidr-pfx-validate] that influences the best path selection the same way as what would have been enabled by an implementation of this extension." Finally, this should certainly a normative reference in the pfx-validate draft. -danny
- [sidr] Comment on draft-ietf-sidr-origin-validati… Danny McPherson
- Re: [sidr] Comment on draft-ietf-sidr-origin-vali… Danny McPherson
- Re: [sidr] Comment on draft-ietf-sidr-origin-vali… Pradosh Mohapatra