[sidr] 4-byte vs 2 byte ASN (was re: I-D Action: draft-ietf-sidr-pfx-validate-03.txt)

"George, Wes" <wesley.george@twcable.com> Tue, 01 November 2011 21:30 UTC

Return-Path: <wesley.george@twcable.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0660811E80A2 for <sidr@ietfa.amsl.com>; Tue, 1 Nov 2011 14:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.767
X-Spam-Level:
X-Spam-Status: No, score=-0.767 tagged_above=-999 required=5 tests=[AWL=0.696, BAYES_00=-2.599, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w2bmYfNH+-dk for <sidr@ietfa.amsl.com>; Tue, 1 Nov 2011 14:30:20 -0700 (PDT)
Received: from cdpipgw01.twcable.com (cdpipgw01.twcable.com [165.237.59.22]) by ietfa.amsl.com (Postfix) with ESMTP id 1BF2911E809C for <sidr@ietf.org>; Tue, 1 Nov 2011 14:30:20 -0700 (PDT)
X-SENDER-IP: 10.136.163.12
X-SENDER-REPUTATION: None
X-IronPort-AV: E=Sophos;i="4.69,438,1315195200"; d="scan'208";a="292132830"
Received: from unknown (HELO PRVPEXHUB03.corp.twcable.com) ([10.136.163.12]) by cdpipgw01.twcable.com with ESMTP/TLS/RC4-MD5; 01 Nov 2011 14:01:49 -0400
Received: from PRVPEXVS03.corp.twcable.com ([10.136.163.27]) by PRVPEXHUB03.corp.twcable.com ([10.136.163.12]) with mapi; Tue, 1 Nov 2011 14:05:52 -0400
From: "George, Wes" <wesley.george@twcable.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Date: Tue, 01 Nov 2011 14:05:51 -0400
Thread-Topic: 4-byte vs 2 byte ASN (was re: I-D Action: draft-ietf-sidr-pfx-validate-03.txt)
Thread-Index: AcyX+dk9b8n5fxH8QzGzzXqJPGmKMgAxG48A
Message-ID: <DCC302FAA9FE5F4BBA4DCAD4656937791451740474@PRVPEXVS03.corp.twcable.com>
References: <20111031182058.24592.70473.idtracker@ietfa.amsl.com>
In-Reply-To: <20111031182058.24592.70473.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [sidr] 4-byte vs 2 byte ASN (was re: I-D Action: draft-ietf-sidr-pfx-validate-03.txt)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2011 21:30:21 -0000

Posing the question about 4-byte ASNs in my review of the BGPSec design reqs draft yesterday makes me wonder about the same in pfx-validate. The draft makes reference to AS_PATH in several locations. I'm thinking that we need a comment early in the draft stating that for the remainder of the draft no distinction is being made between AS_PATH and AS4_PATH, and that this standard is expected to support origin validation of both. Or alternatively, specify that this validation is performed on AS4_PATH and require support for 4893 as a prerequisite for SIDR.
If we don't explicitly require hosts that support SIDR origin validation to support 4-byte ASN, we may also need some direction regarding specific handling for AS23456, such as to always treat as unknown since there is no way to determine validity for the combination of a prefix and a non-unique placeholder ASN (except for local TA), but we don't necessarily want those routes to be treated as invalid.

I'm not sure if some of this belongs within sidr-arch, roa-validation, origin-ops, etc, but a quick scan through those docs don't reveal any obvious references to 4893, AS4_PATH, etc.

Thanks
Wes George

> -----Original Message-----
> From: sidr-bounces@ietf.org [mailto:sidr-bounces@ietf.org] On Behalf Of
> internet-drafts@ietf.org
> Sent: Monday, October 31, 2011 2:21 PM
> To: i-d-announce@ietf.org
> Cc: sidr@ietf.org
> Subject: [sidr] I-D Action: draft-ietf-sidr-pfx-validate-03.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the Secure Inter-Domain
> Routing Working Group of the IETF.
>
>       Title           : BGP Prefix Origin Validation
>       Author(s)       : Pradosh Mohapatra
>                           John Scudder
>                           David Ward
>                           Randy Bush
>                           Rob Austein
>       Filename        : draft-ietf-sidr-pfx-validate-03.txt
>       Pages           : 13
>       Date            : 2011-10-31
>
>    To help reduce well-known threats against BGP including prefix mis-
>    announcing and monkey-in-the-middle attacks, one of the security
>    requirements is the ability to validate the origination AS of BGP
>    routes.  More specifically, one needs to validate that the AS number
>    claiming to originate an address prefix (as derived from the AS_PATH
>    attribute of the BGP route) is in fact authorized by the prefix
>    holder to do so.  This document describes a simple validation
>    mechanism to partially satisfy this requirement.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-sidr-pfx-validate-03.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-pfx-validate-03.txt
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.