Re: [sidr] Prefix Origin Validation & AS_SET
Sandra Murphy <Sandra.Murphy@sparta.com> Mon, 27 June 2011 16:21 UTC
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1388C11E8108 for <sidr@ietfa.amsl.com>; Mon, 27 Jun 2011 09:21:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xueSFYZf7FMx for <sidr@ietfa.amsl.com>; Mon, 27 Jun 2011 09:21:57 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 59F2C11E8106 for <sidr@ietf.org>; Mon, 27 Jun 2011 09:21:57 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p5RGLq8O032638; Mon, 27 Jun 2011 11:21:52 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p5RGLqLI029097; Mon, 27 Jun 2011 11:21:52 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.117]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Mon, 27 Jun 2011 12:21:51 -0400
Date: Mon, 27 Jun 2011 12:21:51 -0400
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Hannes Gredler <hannes@juniper.net>
In-Reply-To: <Pine.WNT.4.64.1106271148340.936@SMURPHY-LT.columbia.ads.sparta.com>
Message-ID: <Pine.WNT.4.64.1106271220570.936@SMURPHY-LT.columbia.ads.sparta.com>
References: <Pine.WNT.4.64.1106271606140.3352@mw-PC> <20110627143625.GA2251@juniper.net> <Pine.WNT.4.64.1106271148340.936@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 27 Jun 2011 16:21:51.0843 (UTC) FILETIME=[52845B30:01CC34E6]
Cc: Matthias Waehlisch <m.waehlisch@fu-berlin.de>, sidr@ietf.org
Subject: Re: [sidr] Prefix Origin Validation & AS_SET
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2011 16:21:58 -0000
Forgot to say.... Since I'm speaking on chair judgement of group consensus, this is.. --Sandy, speaking as wg chair On Mon, 27 Jun 2011, Sandra Murphy wrote: > > > On Mon, 27 Jun 2011, Hannes Gredler wrote: > >> On Mon, Jun 27, 2011 at 04:06:22PM +0200, Matthias Waehlisch wrote: >> | Hi, >> | >> | this question addresses the scenario, in which a BGP update contains >> | an AS_SET. According to draft-ietf-sidr-pfx-validate-01, the variable >> | origin_as would be defined as "NONE". In case of a valid certificate for >> | the prefix, the prefix validation function would return "INVALID". >> | >> | BGP updates including an AS_SET with a valid certificate would never >> | be valid. Correct? This seems a bit rough. Can you clarify the reason >> | behind? I would expect that if a valid record for at least one origin AS >> | within the AS_SET exists, the funcion will return "VALID". >> >> depends ... - my understanding of the logic for extracting the >> "to-be-validated" AS is something alike: >> >> If aggregator is present and right-most AS segment type is AS-Set, >> then use aggregator AS for validating, > > That rule was proposed at one point but discarded. > > The current rule is that a route containing an AS_SET is not to be considered > "valid". > > The text in draft-ietf-sidr-roa-validation-10 > > A route's "origin AS" is defined as follows: If the final path > segment of the AS_PATH is of type AS_SEQUENCE, the "origin AS" is the > first element of the sequence (i.e. the AS in the rightmost position > with respect to the position of octets in the protocol message). If > the AS_PATH contains a path segment of type AS_SET, indicating that > the route is an aggregate, then the "origin AS" cannot be determined. > > (Note that this is even harsher than judging just the /right-most/final/least > recently added/whatever/ path segment - it says if the AS_PATH *contains* an > AS_SET, then the origin AS "cannot be determined.") > > The subsequent table and steps on page 5 can lead to a decision of "not > found" or "invalid" but not a decision of "valid": > > 3. If the route's origin AS can be determined and ... > ... > .......................................... then the procedure > halts with an outcome of "valid". > > Since the origin AS can not be determined, this step can not produce an > outcome of "valid". > > --Sandy > > >> else if if right-most AS segment type is AS-set -> result: not found >> else use right-most AS for validating >> _______________________________________________ >> sidr mailing list >> sidr@ietf.org >> https://www.ietf.org/mailman/listinfo/sidr >> > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr >
- [sidr] Prefix Origin Validation & AS_SET Matthias Waehlisch
- Re: [sidr] Prefix Origin Validation & AS_SET Ruediger Volk
- Re: [sidr] Prefix Origin Validation & AS_SET Hannes Gredler
- Re: [sidr] Prefix Origin Validation & AS_SET Sandra Murphy
- Re: [sidr] Prefix Origin Validation & AS_SET Sandra Murphy