Re: [sidr] [Idr] No BGPSEC intradomain ?

"George, Wes" <> Thu, 12 April 2012 17:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B309021F86A4; Thu, 12 Apr 2012 10:07:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.734
X-Spam-Status: No, score=-0.734 tagged_above=-999 required=5 tests=[AWL=0.729, BAYES_00=-2.599, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cAuf3tV2rPL8; Thu, 12 Apr 2012 10:07:40 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 0600D21F865C; Thu, 12 Apr 2012 10:07:39 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.75,411,1330923600"; d="scan'208";a="366874950"
Received: from unknown (HELO ([]) by with ESMTP/TLS/RC4-MD5; 12 Apr 2012 13:07:05 -0400
Received: from ([]) by ([]) with mapi; Thu, 12 Apr 2012 13:07:38 -0400
From: "George, Wes" <>
To: Jeffrey Haas <>, Robert Raszuk <>
Date: Thu, 12 Apr 2012 13:07:38 -0400
Thread-Topic: [Idr] [sidr] No BGPSEC intradomain ?
Thread-Index: Ac0Yu52Sb0fgrDVUQ3i/YwnZDhisQwAEHdgA
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <20120412145033.GA9700@slice>
In-Reply-To: <20120412145033.GA9700@slice>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: " List" <>, Paul Jakma <>, "" <>
Subject: Re: [sidr] [Idr] No BGPSEC intradomain ?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Apr 2012 17:07:40 -0000

> -----Original Message-----
> From: Jeffrey Haas []
> Sent: Thursday, April 12, 2012 10:51 AM
> To: Robert Raszuk
> Cc: George, Wes; Paul Jakma; List;
> Subject: Re: [Idr] [sidr] No BGPSEC intradomain ?
> On Thu, Apr 12, 2012 at 03:52:29PM +0200, Robert Raszuk wrote:
> > I very much agree with both Paul and Wes that new BGP version number
> > or at least new set of AFIs would be the best way to smoothly
> > migrate unsecure BGP to secure one.
> If it's not backward compatible, sure.
[WEG] that's sort of the point -- there are a lot of factors to consider when determining what "backward compatible" truly means as far as BGPSec is concerned, especially when it comes to monitoring tools and other things that need to know the data but not necessarily make routing decisions on it.
> > I have not seem anyone resisting that idea yet with real technical
> > arguments against it ;)
> See my migration comments earlier.  If you think you can get a given SP that
> might be willing to install BGPSEC at the edges also willing to upgrade
> every other BGP speaker inside their AS... you're more optimistic than I.

[WEG] I'm not totally sure which message you're referring to, but I think that may be a red herring. I'm not seeing how incrementing the BGP version automatically means that all routers in an ASN must upgrade to it. This isn't exactly the same flag day sort of driver as the move between v3 and v4. BGP speakers that support BGPv5 also SHOULD support BGPv4, and would determine which they should use on initial capability negotiation. Same way as they would do if BGPSec (and any other option) is a standalone capability to negotiate. Even if you look at this from a scaling perspective (the BGPv5 speaker would have to craft and send out two different versions of update) we've already sort of said that this is acceptable collateral damage because of the fact that it can't send the same updates to neighbors of multiple different ASNs because it has to sign them all differently.
What am I missing?

Wes George

This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.