Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Sat, 14 February 2015 19:54 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EE5A1A0053 for <sidr@ietfa.amsl.com>; Sat, 14 Feb 2015 11:54:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6Vkc7PwK8Hx for <sidr@ietfa.amsl.com>; Sat, 14 Feb 2015 11:54:08 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0788.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::788]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA5621A0016 for <sidr@ietf.org>; Sat, 14 Feb 2015 11:54:07 -0800 (PST)
Received: from DM2PR09MB0302.namprd09.prod.outlook.com (25.160.96.147) by BL2PR09MB0161.namprd09.prod.outlook.com (10.255.233.147) with Microsoft SMTP Server (TLS) id 15.1.87.18; Sat, 14 Feb 2015 19:53:46 +0000
Received: from DM2PR09MB0302.namprd09.prod.outlook.com ([25.160.96.147]) by DM2PR09MB0302.namprd09.prod.outlook.com ([25.160.96.147]) with mapi id 15.01.0087.013; Sat, 14 Feb 2015 19:53:46 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Randy Bush <randy@psg.com>, "Montgomery, Douglas" <dougm@nist.gov>
Thread-Topic: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
Thread-Index: AQHQObnP/eFvHk0J6E2CzGstO0tmlJzjGf4AgAcb4iqAAE0vAIAE7aoAgAD+GgCAAAaAAIAAMwz4
Date: Sat, 14 Feb 2015 19:53:45 +0000
Message-ID: <1423943624118.34986@nist.gov>
References: <54DA7C98.4040604@mandelberg.org> <D103DE3D.1041C%keyupate@cisco.com> <D104DC36.3310E%dougm@nist.gov>,<m2wq3klab3.wl%randy@psg.com>
In-Reply-To: <m2wq3klab3.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.6.219.139]
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BL2PR09MB0161;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:BL2PR09MB0161;
x-forefront-prvs: 0487C0DB7E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(76176999)(46102003)(50986999)(77156002)(102836002)(54356999)(66066001)(15975445007)(93886004)(62966003)(2900100001)(92566002)(230783001)(117636001)(86362001)(106116001)(40100003)(36756003)(122556002)(2950100001)(19580395003)(99286002)(87936001)(2656002)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR09MB0161; H:DM2PR09MB0302.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2015 19:53:45.8828 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR09MB0161
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/NLZE1HVqoqOxkJlYVAYGX36E7y4>
Cc: David Mandelberg <david@mandelberg.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Feb 2015 19:54:10 -0000
>> And even if we had not decoupled those two, just because you might >> be authorized to announce 102::/16 to a peer, that is different than >> saying that you actually announced it. >point taken >randy I agree that the solution should not merely rely on the presence of a validating ROA. But there is some more detail here that is worth looking into. The path was fully signed and assume all signatures are valid. Then clearly the origin AS actually announced it. The question or ambiguity is: Did the origin AS announce 1.2.0.0/16 (v4) or 102::/16 (v6)? The ROA has AFI information, but the signed update does not (currently). https://tools.ietf.org/html/rfc6482#section-3.3 “Within the ROAIPAddressFamily structure, addressFamily contains the Address Family Identifier (AFI) of an IP address family. This specification only supports IPv4 and IPv6. Therefore, addressFamily MUST be either 0001 or 0002.” Hence, as Keyur has surmised, there is a possibility that the ROA can help resolve the ambiguity here. But the ambiguity would still persist if the same origin AS happens to have ROA(s) for both prefixes 1.2.0.0/16 (v4) and 102::/16 (v6) (though the probability is extremely small). So, yes, a robust solution calls for something more than a validating ROA. The ambiguity goes away if the AFI (of the announced prefix) is included by the origin AS on the wire as well as in the sequence of octets that are signed. Sriram
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11 Sandra Murphy
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… George, Wes
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- [sidr] David M's point about the bgpsec protocol … Sandra Murphy
- Re: [sidr] David M's point about the bgpsec proto… Randy Bush
- Re: [sidr] David M's point about the bgpsec proto… Randy Bush
- Re: [sidr] David M's point about the bgpsec proto… Sandra Murphy
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Keyur Patel (keyupate)
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Montgomery, Douglas
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Randy Bush
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Matthew Lepinski
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- [sidr] Levels of BGPsec/RPKI validation, was: Re:… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Roque Gagliano (rogaglia)
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… David Mandelberg
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sandra Murphy
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Roque Gagliano (rogaglia)
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Geoff Huston
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sriram, Kotikalapudi
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Jared Mauch
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sriram, Kotikalapudi
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Tim Bruijnzeels
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Matthew Lepinski
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Matthew Lepinski
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Sriram, Kotikalapudi
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Stephen Kent
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Stephen Kent
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Sriram, Kotikalapudi