IETF Logo Mail Archive

Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server

"Chris Hall" <chris.hall@highwayman.com> Fri, 08 July 2011 13:37 UTC

Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5142F21F86D6 for <sidr@ietfa.amsl.com>; Fri, 8 Jul 2011 06:37:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lm9gYAlLA0FQ for <sidr@ietfa.amsl.com>; Fri, 8 Jul 2011 06:37:35 -0700 (PDT)
Received: from anchor-post-3.mail.demon.net (anchor-post-3.mail.demon.net [195.173.77.134]) by ietfa.amsl.com (Postfix) with ESMTP id 917D921F86C5 for <sidr@ietf.org>; Fri, 8 Jul 2011 06:37:35 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by anchor-post-3.mail.demon.net with esmtp (Exim 4.69) id 1QfBFO-0002aB-oP; Fri, 08 Jul 2011 13:37:34 +0000
Received: from hyperion.halldom.com ([80.177.246.170] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QfBFO-0006hp-7t; Fri, 08 Jul 2011 14:37:34 +0100
From: Chris Hall <chris.hall@highwayman.com>
To: 'sidr wg list' <sidr@ietf.org>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com>
In-Reply-To: <m2y609kptw.wl%randy@psg.com>
Date: Fri, 08 Jul 2011 14:37:29 +0100
Organization: Highwayman
Message-ID: <014001cc3d74$319571c0$94c05540$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLnVxnGjNWVOyUsj5rn4Yr0eH1c1gL48hq9kpRForA=
Content-Language: en-gb
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 13:37:36 -0000

Randy Bush wrote (on Fri 08-Jul-2011 at 11:52 +0100):
> i have a design that covers you.  it is based on an 'optimization'
> and we have agreed to let optimizations sit for a bit.

OK.  But I quibble with the notion that support for Route Servers
should be treated as an "optimisation".

> the hack is as follows <hold nose>:
> 
>   o an early optimization will be that each bgpspeaking AS adds
>     a one byte prepend count, over which it signs.  this saves
>     signing 92 prepends.  the count is normally one.

OK.  That clears up a confusion I had... I wasn't sure whether there
was supposed to be one signature per ASN in the path, or one per
*distinct* ASN in the path.  For my money, prepending is common enough
to merit covering as a "feature.

>   o a bgpsec-speaking 'transparent' route server signs over a zero
>     prepend count.

You're right: <HOLD NOSE> indeed.
 
That would be, as you suggest, less 'transparent' than it used to be.
I don't know if "revealing" the use of the route server is a serious
issue.  But I'm not sure how much is gained by inserting the route
server ASN ?

It seems reasonable to me to treat the route server as an extension of
its clients' networks -- that's pretty much what it is.  So, if the
route server uses a different key for each client's routes, and the
*client* is responsible for issuing the certificate (as if the route
server were one of its routers), then that about covers it -- unless I
am missing something ?

I suppose that if the route server went off the reservation it could
sign all kinds of rubbish as being announced by its clients, but the
owners of the certificates could revoke them ?

BTW (and sorry if this is a stupid question) where should I be looking
for a discussion of the key/certificate management for AS Path signing
keys ?  This is intended to be added into the RPKI, yes ?

>   o bgpsec speakers calculate as path length by summing prepend
>     counts.

Are you suggesting placing the prepend count in the AS Path itself ?
Say, an AS_SEQUENCE_N, which is like an AS_SEQUENCE, but has a 1 byte
repeat count for the first ASN in the sequence ?  That would pay for
itself (bytes-wise) and mean that where there is no prepending, there
is no overhead -- except for the inclusion of the count (implied or
explicit) in the signed data.

>   o a bgpsec speaker passing a signed announcement to a non-speaker
>     expands all prepends.  of course, the expansion of a zero
>     prepend is rather small.
> 
> <release nose>

<collapse of stout party>

Chris

v2.23.0 | Report a Bug | By Email