IETF Logo Mail Archive

Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Sat, 14 February 2015 19:54 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EE5A1A0053 for <sidr@ietfa.amsl.com>; Sat, 14 Feb 2015 11:54:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6Vkc7PwK8Hx for <sidr@ietfa.amsl.com>; Sat, 14 Feb 2015 11:54:08 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0788.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::788]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA5621A0016 for <sidr@ietf.org>; Sat, 14 Feb 2015 11:54:07 -0800 (PST)
Received: from DM2PR09MB0302.namprd09.prod.outlook.com (25.160.96.147) by BL2PR09MB0161.namprd09.prod.outlook.com (10.255.233.147) with Microsoft SMTP Server (TLS) id 15.1.87.18; Sat, 14 Feb 2015 19:53:46 +0000
Received: from DM2PR09MB0302.namprd09.prod.outlook.com ([25.160.96.147]) by DM2PR09MB0302.namprd09.prod.outlook.com ([25.160.96.147]) with mapi id 15.01.0087.013; Sat, 14 Feb 2015 19:53:46 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Randy Bush <randy@psg.com>, "Montgomery, Douglas" <dougm@nist.gov>
Thread-Topic: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
Thread-Index: AQHQObnP/eFvHk0J6E2CzGstO0tmlJzjGf4AgAcb4iqAAE0vAIAE7aoAgAD+GgCAAAaAAIAAMwz4
Date: Sat, 14 Feb 2015 19:53:45 +0000
Message-ID: <1423943624118.34986@nist.gov>
References: <54DA7C98.4040604@mandelberg.org> <D103DE3D.1041C%keyupate@cisco.com> <D104DC36.3310E%dougm@nist.gov>,<m2wq3klab3.wl%randy@psg.com>
In-Reply-To: <m2wq3klab3.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.6.219.139]
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BL2PR09MB0161;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:BL2PR09MB0161;
x-forefront-prvs: 0487C0DB7E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(76176999)(46102003)(50986999)(77156002)(102836002)(54356999)(66066001)(15975445007)(93886004)(62966003)(2900100001)(92566002)(230783001)(117636001)(86362001)(106116001)(40100003)(36756003)(122556002)(2950100001)(19580395003)(99286002)(87936001)(2656002)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR09MB0161; H:DM2PR09MB0302.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2015 19:53:45.8828 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR09MB0161
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/NLZE1HVqoqOxkJlYVAYGX36E7y4>
Cc: David Mandelberg <david@mandelberg.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Feb 2015 19:54:10 -0000

>> And even if we had not decoupled those two, just because you might
>> be authorized to announce 102::/16 to a peer, that is different than
>> saying that you actually announced it.
>point taken
>randy 

I agree that the solution should not merely rely on the presence of a validating ROA.
But there is some more detail here that is worth looking into. The path was fully signed 
and assume all signatures are valid. Then clearly the origin AS actually announced it.
The question or ambiguity is: Did the origin AS announce 1.2.0.0/16 (v4) or 102::/16 (v6)?
The ROA has AFI information, but the signed update does not (currently).
 https://tools.ietf.org/html/rfc6482#section-3.3   
    “Within the ROAIPAddressFamily structure, addressFamily contains the
    Address Family Identifier (AFI) of an IP address family.  This
    specification only supports IPv4 and IPv6.  Therefore, addressFamily
    MUST be either 0001 or 0002.” 

Hence, as Keyur has surmised, there is a possibility that the ROA can help resolve the ambiguity here.
But the ambiguity would still persist if the same origin AS happens to have ROA(s) for 
both prefixes 1.2.0.0/16 (v4) and 102::/16 (v6)  (though the probability is extremely small).
So, yes, a robust solution calls for something more than a validating ROA.
The ambiguity goes away if the AFI (of the announced prefix) is included by the origin AS 
on the wire as well as in the sequence of octets that are signed.

Sriram

v2.23.0 | Report a Bug | By Email