Re: [sidr] draft-ietf-sidr-bgpsec-protocol-13's security guarantees

David Mandelberg <david@mandelberg.org> Fri, 11 September 2015 00:28 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/DqPG2CMWaSWHqRL7cY27H7tpIkw>

On 2015-09-10 15:09, Stephen Kent wrote:
> At least initially, sig order was required to match the AS transit
> order, to ensure that the
> AS transit order is accurately represented. Is that no longer true?

Are you talking about (1) the order of the signatures on the wire, (2) 
the order of which AS path is covered by which signature, or (3) the 
chronological order in which the signatures are generated? I think Rob 
and I were talking about (3), but Rob should tell me if I misunderstood 
him.

For (1), the order needs to be specified such that each signature can be 
correctly verified. Having the order of the signatures match the AS 
transit order seems like the most sensible way to do this.

For (2), I think it's critical that each signature covers the correct 
AS path, in the correct order.

For (3), the signatures will typically be generated in order, but I 
don't see the value of enforcing that. I.e., while I don't see the point 
of pre-computing signatures before including them in a BGPsec UPDATE, I 
also don't see any harm in it.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
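
The three kinds of order distinguished in this message, as an added example that is not part of the original post or of the draft: a simplified model in which each hop's signature covers the previous signature, its own AS and the next AS. It assumes HMAC with constructed per-AS keys as a stand-in for router-key signatures, origin-first segment order, and documentation AS numbers and prefix; it is not the BGPsec wire format.

```python
import hashlib
import hmac

# Constructed keys; HMAC stands in for each AS's real signature algorithm.
KEYS = {64496: b"key-64496", 64497: b"key-64497", 64498: b"key-64498"}
PREFIX = b"192.0.2.0/24"  # documentation prefix, constructed sample


def sign_hop(signer_as, target_as, prev_sig):
    """Signature by signer_as over (previous signature, own AS, next AS, prefix)."""
    msg = (prev_sig + signer_as.to_bytes(4, "big")
           + target_as.to_bytes(4, "big") + PREFIX)
    return hmac.new(KEYS[signer_as], msg, hashlib.sha256).digest()


def build_update(path, final_target):
    """path is origin-first; returns segments [(asn, sig)] in AS transit order."""
    segments, prev_sig = [], b""
    for i, asn in enumerate(path):
        target = path[i + 1] if i + 1 < len(path) else final_target
        prev_sig = sign_hop(asn, target, prev_sig)
        segments.append((asn, prev_sig))
    return segments


def verify_update(segments, final_target):
    """Walk segments in their listed order; each signature must cover the
    path so far. Note there is no time input: order (3) cannot be checked."""
    prev_sig = b""
    for i, (asn, sig) in enumerate(segments):
        target = segments[i + 1][0] if i + 1 < len(segments) else final_target
        if not hmac.compare_digest(sig, sign_hop(asn, target, prev_sig)):
            return False
        prev_sig = sig
    return True


if __name__ == "__main__":
    good = build_update([64496, 64497, 64498], 64499)
    print("intact path verifies:", verify_update(good, 64499))
    # (1)/(2): reordering segments changes what each signature must cover.
    print("swapped segments verify:",
          verify_update([good[1], good[0], good[2]], 64499))
    # (3): a signature computed ahead of sending is the same signature.
    early = sign_hop(64497, 64498, good[0][1])
    print("precomputed signature matches:", early == good[1][1])
```
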