IETF Logo Mail Archive

Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Tue, 17 January 2017 15:52 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33406129546 for <sidr@ietfa.amsl.com>; Tue, 17 Jan 2017 07:52:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.101
X-Spam-Level:
X-Spam-Status: No, score=-5.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DwKvTk6YvA5H for <sidr@ietfa.amsl.com>; Tue, 17 Jan 2017 07:52:28 -0800 (PST)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33887129541 for <sidr@ietf.org>; Tue, 17 Jan 2017 07:52:28 -0800 (PST)
Received: (qmail 28402 invoked from network); 17 Jan 2017 16:52:26 +0100
Received: from p5dec276e.dip0.t-ipconnect.de (HELO ?192.168.178.33?) (93.236.39.110) by kuehlewind.net with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 17 Jan 2017 16:52:26 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <9B17A0C3-3430-4643-9D0C-B4554FF04510@cisco.com>
Date: Tue, 17 Jan 2017 16:52:25 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <1348EA28-8876-4B85-9F39-1AB74A5C6333@kuehlewind.net>
References: <148355465867.12949.10785749487953700357.idtracker@ietfa.amsl.com> <DM2PR09MB0446C09E1BE1CEE94D43852684780@DM2PR09MB0446.namprd09.prod.outlook.com> <B636DF13-0DAC-4DD9-876A-5AA02ECD4294@kuehlewind.net> <9B17A0C3-3430-4643-9D0C-B4554FF04510@cisco.com>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/K9OgDlUueDfOdVNnfC5iQ_p2vTU>
Cc: "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, Alexey Melnikov <aamelnikov@fastmail.fm>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, The IESG <iesg@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, Matthias Waehlisch <m.waehlisch@fu-berlin.de>
Subject: Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2017 15:52:32 -0000

Hi Alvaro,

thanks for the very clear clarification. Not sure if it’s just me or if that’s not clearly stated in the draft, but maybe it would be worth it double-checking.

Mirja


> Am 17.01.2017 um 16:47 schrieb Alvaro Retana (aretana) <aretana@cisco.com>:
> 
> Mirja:
>  
> Hi!
>  
> If an AS in the path doesn’t support BGPsec, then BGP goes back to “normal” mode (as in before BGPsec), and the assurance that the “update propagated via the sequence of ASes listed” is lost.  In other words, from the origin AS to the AS before the one not supporting BGPsec, we can still provide the assurance, but not beyond that – so any AS including and beyond the one not supporting BGPsec won’t be able to verify anything.
>  
> Alvaro.
>  
>  
>  
>  
>> On 1/17/17, 6:05 AM, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> wrote:
>>  
>> Hi Sriram,
>>  
>> thanks for your reply. That’s all fine. I really didn’t expect any protocol changes at this late stage of the draft but wanted at least to know if these points were previously discussed. Also happy to see that some parts where discussed with Ross.
>>  
>> One final question (related to point 4): What happens if one router on the path does not support/understand BGPsec? Sorry, if that is a stupid question but it’s still not fully clear to me from the draft…
>>  
>> Mirja
>>> … 
>>> > 4) section 8.1 says "the recipient of a valid BGPsec update message is assured that the update propagated via the sequence of ASes listed in the Secure_Path portion of the BGPsec_Path attribute."
>>> > Is that true? It is assured that at least these ASes have been crossed but there might have been others on the path that did not sign the BGPsec_Path attribute, no?
>>>   
>>>   
>>> [Sriram] Yes, it is true. Each AS in the path MUST sign to the next AS (Target AS). Section 3.1 says:
>>>   
>>>   
>>>     The Secure_Path contains one Secure_Path Segment (see Figure 5) for
>>>     each Autonomous System in the path to the originating AS of the
>>>     prefix specified in the update message.
>>>   
>>>   
>>> [Sriram] Also, Section 3.2 says:
>>>   
>>>   
>>>     A Signature_Block in Figure 6 has exactly one Signature Segment (see
>>>     Figure 7) for each Secure_Path Segment in the Secure_Path portion of
>>>     the BGPsec_Path Attribute.  
>>>   
>>>   
>>>   
>>> [Sriram] The following check listed in Section 5.2 make it clear as well:
>>>   
>>>   
>>>     3.  Check that each Signature_Block contains one Signature segment
>>>         for each Secure_Path Segment in the Secure_Path portion of the
>>>         BGPsec_Path attribute.  (Note that the entirety of each
>>>         Signature_Block must be checked to ensure that it is well formed,
>>>         even though the validation process may terminate before all
>>>         signatures are cryptographically verified.)
>>>   
>>>   
>>

v2.23.0 | Report a Bug | By Email