Re: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]
"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Sat, 16 June 2012 14:24 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0018721F8551 for <sidr@ietfa.amsl.com>; Sat, 16 Jun 2012 07:24:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WSXRXMutIfYE for <sidr@ietfa.amsl.com>; Sat, 16 Jun 2012 07:24:01 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 2DF1521F8549 for <sidr@ietf.org>; Sat, 16 Jun 2012 07:24:00 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.1.355.2; Sat, 16 Jun 2012 10:23:50 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Sat, 16 Jun 2012 10:23:59 -0400
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Randy Bush <randy@psg.com>, sidr wg list <sidr@ietf.org>
Date: Sat, 16 Jun 2012 10:21:25 -0400
Thread-Topic: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]
Thread-Index: Ac1LezwsOsGomRojS9WmFifAVRAiLwAPgk5p
Message-ID: <D7A0423E5E193F40BE6E94126930C4930B9A71FA59@MBCLUSTER.xchange.nist.gov>
References: <4FDBF181.7060809@ops-netman.net>,<m2fw9vq2qw.wl%randy@psg.com>
In-Reply-To: <m2fw9vq2qw.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Subject: Re: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jun 2012 14:24:02 -0000
My notes / suggested wording changes inline below, marked with "KS:". One other observation: We also discussed Lazy and Super Lazy modes of router operation at 6/6/12 meeting. If we were to include descriptions for those cases for the confed ASBRs, the description gets a bit more complicated. Especially because the ASBR has to perform operations that are different depending on whether it is in an AS in the middle of the confed or in an exit AS connecting to an external peer. Sriram ________________________________________ From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Randy Bush [randy@psg.com] Sent: Saturday, June 16, 2012 12:50 AM To: sidr wg list Subject: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded] bgpsec and confederations allow me to try to state clearly for the list When an update enters the first AS in a confederation, all last internal ASBRs within the entry AS of the confederation, i.e the first signers within the confederation, set a flag in the signature block that says "I am the first signature within the confederation." KS: Please add: However, the flag MUST NOT be set if the update entered the confed at an AS and also exits from the same AS to go to an external peer AS. (In this case, the update is not traversing any eBGP peering links internal to the confed.) The update wanders around normally in the confederation and every sending internal confederation ASBR signs it with their internal AS. A confederation's exit router looks backwards in the AS sequence until it finds the first, i.e. most recent, instance of that flag. If it finds no flag, the update is treated as originated within the confederation. KS: The last sentence above is not true. Explanation as follows. Consider: AS1 --- (AS2 --- AS3 --- AS4) --- AS5 AS2, AS3, AS4 form a confed. AS1 and AS5 are external peers. Consider an update that is exiting the confed at AS4 and being forward signed to AS5. If the update originated from AS2 or AS3, then it is an update that indeed originated from within the confed but it *will* come with the flag set. And if the update originated in AS4, it should not have any signatures yet; AS4 will add the first signature when it forward signs to AS5. So I suggest the following change of wording: "If the ASBR finds no flag, then it means that the update has entered the confed at this AS (i.e., the same AS where the ASBR is) and hence it has not traversed any confed internal eBGP links." It strips the signature block containing the flag and all subsequent signature blocks. All signs of the internals of the confederation have now been removed. KS: Please add the following: It also strips from the Secure_Path segment the sequence of ASN and pCount fields corresponding to the internal ASs in the confed. It then forward signs to the next AS, using the identity of the public confederation AS. While the update is traversing the confederation, if it should hit a peering where the peer is is not bgpsec capable, it strips all bgpsec gloop and reconstructs a classic AS_path. KS: Suggest adding the following for clarity: The classic AS_path will include the standard confed sequence that is reconstructed from the Secure_Path and includes the sequence of ASNs starting with the ASN with the flag set and all ASNs that follow.
- [sidr] Minutes of 6/6/12 meeting uploaded Chris Morrow
- [sidr] bgpsec and confeds [was: Minutes of 6/6/12… Randy Bush
- [sidr] Confeds and clusters Jakob Heitz
- Re: [sidr] bgpsec and confeds [was: Minutes of 6/… Sriram, Kotikalapudi
- Re: [sidr] bgpsec and confeds [was: Minutes of 6/… Matt Lepinski
- Re: [sidr] Confeds and clusters George, Wes
- Re: [sidr] Minutes of 6/6/12 meeting uploaded Stephen Kent
- Re: [sidr] Minutes of 6/6/12 meeting uploaded Randy Bush
- Re: [sidr] Confeds and clusters Randy Bush
- Re: [sidr] Minutes of 6/6/12 meeting uploaded Stephen Kent
- Re: [sidr] Confeds and clusters John G. Scudder