[sidr] comment on draft-ietf-sidr-bgpsec-protocol and draft-ietf-sidr-bgpsec-ops

Sandra Murphy <sandy@tislabs.com> Thu, 24 July 2014 18:54 UTC

From: Sandra Murphy <sandy@tislabs.com>
Date: Thu, 24 Jul 2014 14:54:06 -0400
Message-Id: <4C2B730F-3BED-40CF-BBD6-90F97B69E22D@tislabs.com>
To: IETF SIDR <sidr@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/MO7W75jaoPlsYu_5dX9dLmGGjU4
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: [sidr] comment on draft-ietf-sidr-bgpsec-protocol and draft-ietf-sidr-bgpsec-ops

Speaking as regular ol' member

The bgpsec-protocol draft has the following text:

   Next, the BGPSEC speaker verifies that the origin AS is authorized to
   advertise the prefix in question.  To do this, consult the valid ROA
   data to obtain a list of AS numbers that are associated with the
   given IP address prefix in the update message.  Then locate the last
   (least recently added) AS number in the Secure_Path portion of the
   BGPSEC_Path attribute.  If the origin AS in the Secure_Path is not in
   the set of AS numbers associated with the given prefix, then the
   BGPSEC update message is 'Not Valid' and the validation algorithm
   terminates.

This text reprises the origin validation algorithm, without some of the more detailed pieces.

I believe it would be better instead to refer to RFC6483 or RFC6811, rather than try to reprise the algorithm.  Something like:  "To do this, the speaker performs the algorithm of RFC6483/RFC6811.  If the result is not Valid, then the BGP Update is 'Not Valid'."

(This seems particularly prudent as we might be reconsidering the validation algorithm.)

This also brought to mind a point I'm curious about.

Does a bgpsec speaking router have one configuration about the results of the bgpsec validation, or does it have two configurations, one for the results of the origin validation and a second for the results of the bgpsec validation?  Are the two validation states separated?

Should this be a point to be explained in the bgpsec-ops document?

--Sandy, speaking as regular ol' member
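As an added illustration of the point in the message above (this is example code written for this page, not text from the draft, from RFC 6811, or from Sandy), the following Python runs the RFC 6811 origin validation algorithm, with its three-state result and its maxLength handling, against the origin AS taken from the last Secure_Path segment of a BGPsec update, which is what the message proposes the protocol draft should reference instead of restating the check. For comparison it also includes a literal reading of the quoted draft step; the reading that "AS numbers associated with the prefix" means the ASNs of the ROAs covering it is an assumption made here, as is all of the ROA data (documentation prefixes and private-use ASNs, constructed for the example).

```python
"""RFC 6811 origin validation applied to the origin AS of a BGPsec Secure_Path.

Added example; not part of the IETF draft or the e-mail.  The VRP table and
the update prefixes below are constructed (documentation prefixes and
private-use ASNs), not real ROA data.
"""
from ipaddress import ip_network
from typing import List, NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: prefix, maxLength, and authorised origin ASN."""
    prefix: str
    max_length: int
    asn: int


def covers(vrp: VRP, route) -> bool:
    """RFC 6811 'Covered': the VRP prefix contains the route prefix
    (same address family, VRP length <= route length, leading bits equal).
    maxLength plays no part in coverage."""
    vp = ip_network(vrp.prefix)
    return (route.version == vp.version
            and vp.prefixlen <= route.prefixlen
            and route.subnet_of(vp))


def matches(vrp: VRP, route, origin_asn: int) -> bool:
    """RFC 6811 'Matched': covered, route length <= maxLength, ASN equal."""
    return (covers(vrp, route)
            and route.prefixlen <= vrp.max_length
            and vrp.asn == origin_asn)


def origin_validation(route_prefix: str, origin_asn: int, vrps: List[VRP]) -> str:
    """Return 'NotFound', 'Valid' or 'Invalid' as RFC 6811 section 2 defines."""
    route = ip_network(route_prefix)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NotFound"          # no VRP covers the prefix at all
    if any(matches(v, route, origin_asn) for v in covering):
        return "Valid"             # at least one VRP matches
    return "Invalid"               # covered, but nothing matches


def bgpsec_origin_asn(secure_path: List[int]) -> int:
    """Secure_Path segments are ordered most-recently-added first, so the
    origin is the last (least recently added) segment, as the quoted text says."""
    return secure_path[-1]


def reprise_check(route_prefix: str, secure_path: List[int], vrps: List[VRP]) -> str:
    """The quoted draft step read literally.  Assumption made here: 'AS numbers
    associated with the prefix' means the ASNs of the VRPs that cover it.
    Returns 'Not Valid' or 'continue' (go on to the signature checks)."""
    route = ip_network(route_prefix)
    associated = {v.asn for v in vrps if covers(v, route)}
    return "continue" if bgpsec_origin_asn(secure_path) in associated else "Not Valid"


def rfc6811_check(route_prefix: str, secure_path: List[int], vrps: List[VRP]) -> str:
    """What the e-mail proposes: run the RFC 6811 algorithm on the origin AS
    and treat any result other than Valid as 'Not Valid'."""
    state = origin_validation(route_prefix, bgpsec_origin_asn(secure_path), vrps)
    return "continue" if state == "Valid" else "Not Valid"


# Constructed VRP table (documentation prefixes, private-use ASNs).
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 26, 64497),
    VRP("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    # (prefix, Secure_Path ASNs most-recent-first); origin is the last ASN.
    cases = [
        ("192.0.2.0/24",     [64500, 64496]),   # exact ROA match
        ("192.0.2.0/25",     [64500, 64496]),   # exceeds maxLength 24
        ("198.51.100.64/26", [64500, 64497]),   # within maxLength 26
        ("198.51.100.0/24",  [64500, 64498]),   # wrong origin AS
        ("203.0.113.0/24",   [64500, 64496]),   # no covering ROA
        ("2001:db8:1::/48",  [64500, 64496]),   # IPv6, within maxLength
    ]
    for prefix, path in cases:
        origin = bgpsec_origin_asn(path)
        print(f"{prefix:18} origin AS{origin}: "
              f"RFC6811={origin_validation(prefix, origin, VRPS):8} "
              f"reprise={reprise_check(prefix, path, VRPS):9} "
              f"proposed={rfc6811_check(prefix, path, VRPS)}")
```

The 192.0.2.0/25 case is the one worth staring at: the covering ROA's ASN is in the "associated" set, so an ASN-membership test lets it through, while RFC 6811 returns Invalid because the route is longer than the ROA's maxLength. The 203.0.113.0/24 case shows the other difference: RFC 6811 reports NotFound rather than folding it into the same bucket as Invalid, which is exactly the kind of separate state the message asks whether an operator configures independently of the BGPsec signature result.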