IETF Logo Mail Archive

Re: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Sat, 16 June 2012 14:24 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0018721F8551 for <sidr@ietfa.amsl.com>; Sat, 16 Jun 2012 07:24:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WSXRXMutIfYE for <sidr@ietfa.amsl.com>; Sat, 16 Jun 2012 07:24:01 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 2DF1521F8549 for <sidr@ietf.org>; Sat, 16 Jun 2012 07:24:00 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.1.355.2; Sat, 16 Jun 2012 10:23:50 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Sat, 16 Jun 2012 10:23:59 -0400
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Randy Bush <randy@psg.com>, sidr wg list <sidr@ietf.org>
Date: Sat, 16 Jun 2012 10:21:25 -0400
Thread-Topic: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]
Thread-Index: Ac1LezwsOsGomRojS9WmFifAVRAiLwAPgk5p
Message-ID: <D7A0423E5E193F40BE6E94126930C4930B9A71FA59@MBCLUSTER.xchange.nist.gov>
References: <4FDBF181.7060809@ops-netman.net>,<m2fw9vq2qw.wl%randy@psg.com>
In-Reply-To: <m2fw9vq2qw.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Subject: Re: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jun 2012 14:24:02 -0000

My notes / suggested wording changes inline below, marked with "KS:".

One other observation:
We also discussed Lazy and Super Lazy modes of router operation at 6/6/12 meeting.
If we were to include descriptions for those cases for the confed ASBRs,
the description gets a bit more complicated.
Especially because the ASBR has to perform operations that are different depending on 
whether it is in an AS in the middle of the confed or in an exit AS connecting to an external peer.

Sriram
________________________________________
From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Randy Bush [randy@psg.com]
Sent: Saturday, June 16, 2012 12:50 AM
To: sidr wg list
Subject: [sidr] bgpsec and confeds [was: Minutes of 6/6/12 meeting uploaded]

bgpsec and confederations

allow me to try to state clearly for the list

    When an update enters the first AS in a confederation, all last
    internal ASBRs within the entry AS of the confederation, i.e the
    first signers within the confederation, set a flag in the signature
    block that says "I am the first signature within the confederation."

KS: Please add:
However, the flag MUST NOT be set if the update entered the confed
at an AS and also exits from the same AS to go to an external peer AS.
(In this case, the update is not traversing any eBGP peering links internal to
the confed.)

    The update wanders around normally in the confederation and every
    sending internal confederation ASBR signs it with their internal AS.

    A confederation's exit router looks backwards in the AS sequence
    until it finds the first, i.e. most recent, instance of that flag.
    If it finds no flag, the update is treated as originated within the
    confederation.

KS: The last sentence above is not true. Explanation as follows.
Consider: 
AS1 --- (AS2 --- AS3 --- AS4) --- AS5
AS2, AS3, AS4  form a confed. AS1 and AS5 are external peers.
Consider an update that is exiting the confed at AS4 and being forward signed to AS5.
If the update originated from AS2 or AS3, then it is an update that indeed
originated from within the confed but it *will* come with the flag set.
And if the update originated in AS4, it should not have any signatures yet;
AS4 will add the first signature when it forward signs to AS5.
So I suggest the following change of wording: 
"If the ASBR finds no flag, then it means that the update has entered the
confed at this AS (i.e., the same AS where the ASBR is) and hence
it has not traversed any confed internal eBGP links."

    It strips the signature block containing the flag and all subsequent
    signature blocks.  All signs of the internals of the confederation
    have now been removed.

KS: Please add the following:
It also strips from the Secure_Path segment the sequence of 
ASN and pCount fields corresponding to the internal ASs in the confed.

    It then forward signs to the next AS, using the identity of the
    public confederation AS.

    While the update is traversing the confederation, if it should hit a
    peering where the peer is is not bgpsec capable, it strips all
    bgpsec gloop and reconstructs a classic AS_path.

KS: Suggest adding the following for clarity:
The classic AS_path will include the standard confed sequence that is 
reconstructed from the Secure_Path and includes the sequence of 
ASNs starting with the ASN with the flag set and all ASNs that follow.

v2.23.0 | Report a Bug | By Email