IETF Logo Mail Archive

Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 13 December 2016 12:26 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38E2B12964B; Tue, 13 Dec 2016 04:26:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SPwb6IfLCUGo; Tue, 13 Dec 2016 04:26:08 -0800 (PST)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0107.outbound.protection.outlook.com [23.103.201.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B1D5129648; Tue, 13 Dec 2016 04:26:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=tnoIeZAsvBjI9QZbTbo7OCCmdwOdQTovC2tbhKFgr0I=; b=2K0iIEwf6uJTbYL/geOGYtYDZwmggknVK4G3yJKj3VgG+Qfd0pQ7rfAaVypCY09UMdfEwApw7O6WN8EtY13Yk6c1bXpiI1ywJNaQRan96Rt87kI+SyH2yshc4VKhhq3n9EzqWT34NjKptOEOh1wDkd9mwWNec42/bvA5wv0YICw=
Received: from DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) by DM2PR09MB0445.namprd09.prod.outlook.com (10.161.252.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.771.8; Tue, 13 Dec 2016 12:26:05 +0000
Received: from DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) by DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) with mapi id 15.01.0771.014; Tue, 13 Dec 2016 12:26:05 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>, "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>
Thread-Topic: Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
Thread-Index: AQHSUmenE2EHhTbiU0q7IXrD4ZYx2aEF0Iz4
Date: Tue, 13 Dec 2016 12:26:05 +0000
Message-ID: <DM2PR09MB04460DC9A23E1F58AEE629BF849B0@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com>
In-Reply-To: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.218.229]
x-ms-office365-filtering-correlation-id: 21fdd3ac-06ba-43a5-128c-08d4235335da
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM2PR09MB0445;
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0445; 7:2yZZkF1Hz9Fl0OZ853I7Q3VFMNNIgR1zr7BwzTDrxfXPXN5t5FTbupEKZl5TrQpNpP+b/vfh+ZZHk1+gk7WHb87s53MrxTMirwJ2+ZSrCtb3pphngl3aJ4IZmXsVeE9PSxGeNtQIqqkhspvh2zJKBlP71HBHRaGL4+wt7KBPIlkBI7BFT3/ds3K1BmyOCmJ3daKRYCX7+HgyAbEW2xbcpZMM+NEXVZQsY8xPePozrQnrtadLKR9iht4eQVNVxfxsK2GGiFPlob1k5xAra2sbPM8KQKjtTNhmHHbTTGVSMhVlafo/JypFWOte4rKP1dqiD2ivT8hMZPugr8b17PNOH+lq8h1Vz7gdyTAQq7tEF9cw/mwuwoGLYkjMTDZS9BWcUR8glKj6+8hrrCWhRKBh5nzfbFNSvPKoe+waZxUzq1VawskpVZzQuKogOt8DKW8e2rH/fiiGS9W/VpXoFE0I7Q==
x-microsoft-antispam-prvs: <DM2PR09MB0445758B7381EDDC95CC2096849B0@DM2PR09MB0445.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(100405760836317);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(6041248)(20161123560025)(20161123555025)(20161123562025)(20161123564025)(6072148); SRVR:DM2PR09MB0445; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0445;
x-forefront-prvs: 01559F388D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39410400002)(39450400003)(39850400002)(39860400002)(39840400002)(189002)(199003)(51444003)(5660300001)(19627405001)(92566002)(4326007)(76176999)(2900100001)(54356999)(106356001)(106116001)(50986999)(99286002)(105586002)(101416001)(6606003)(2950100002)(189998001)(97736004)(5001770100001)(122556002)(7696004)(76576001)(7736002)(74316002)(33656002)(2906002)(102836003)(6116002)(3846002)(230783001)(66066001)(86362001)(68736007)(81166006)(3280700002)(2501003)(2201001)(9686002)(8936002)(38730400001)(3660700001)(229853002)(81156014)(6436002)(77096006)(8676002)(6506006); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0445; H:DM2PR09MB0446.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM2PR09MB04460DC9A23E1F58AEE629BF849B0DM2PR09MB0446namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Dec 2016 12:26:05.5691 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0445
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/PPf9MGE5acEzUJjwlVEwxoAhBg8>
Cc: Matthias Waehlisch <m.waehlisch@fu-berlin.de>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Dec 2016 12:26:15 -0000

>Hi!  I think the only item left is the Confederations one…and we might be speaking past each other.



Thanks, Alvaro. My comments are marked with [Sriram-3].



[Sriram-3] I understand now your main comment about confederation. I think there are two ways to address it (of course I hope other people chime in as well):



Choice A: The pCount = 0 solution that you have suggested.



But I feel that this is somewhat a cosmetic solution. In your example, it can be perhaps questioned whether the signature with pCount = 0 from AS2 to AS65001 does actually fit the security guarantee from Section 8.1 that you’ve cited.  Because AS2 (the AS with the public ASN) did not produce that signature directly. Instead AS65001 played proxy for AS2 -- which is of course part of the original solution anyway. So we may consider choice B below.



Choice B: Include a caveat to the statement in Section 8.1. For instance, we modify it as follows:



For each AS in the path, a BGPsec speaker authorized by the holder

      of the AS number intentionally chose (in accordance with local

      policy) to propagate the route advertisement to the subsequent AS

      in the path (except for a minor caveat that applies in the case of BGPsec speakers

      in a  confederation). The caveat applies because a BGPsec speaker

      in a confederation-member AS can be a proxy receiver and signer for the public AS

      (identified by the public AS number of the confederation). Therefore, a signature that appears to

     correspond to an AS with the public AS number may actually

     be proxy produced by a member AS that has an internal AS number

     not matching the public AS number. The confederation-member ASes

     are cognizant of this and hence it poses no security concern

     within the confederation, and it is transparent to ASes outside

     the confederation (see Section 4.3).



[Sriram-3] Do you feel Choice B makes sense?



[Sriram-3] Please see inline below for the rest of my comments (all marked with [Sriram-3]).





>Yes, I agree that the collusion problem is one that (as you mentioned below) is out of the scope of BGPsec.  You are right that pCount=0 (as proposed below) doesn’t solve the collusion problem – but it does address the following security guarantee that is currently not met in the Confederations case (from 8.1):



>   o  For each AS in the path, a BGPsec speaker authorized by the holder

      of the AS number intentionally chose (in accordance with local

      policy) to propagate the route advertisement to the subsequent AS

      in the path.



>In the case of Confederations, it cannot be (currently) verified that all the ASNs in the path intentionally chose to send the update to the next ASN because there is a discontinuity at the border.  For a topology like this: AS1 -> AS2/AS65001 -> AS65002/AS2 -> AS3 (AS2 is the Confederation ID and AS65001 and AS65002 are Members), it can be verified that AS1 intentionally sent the Update to AS2, but there is no explicit indication (even if symbolic: pCount=0) of the intention for AS65001 to “receive” the update, and then be able to send it to AS65002.



>I still think that this continuity issue should be addressed; it nothing more just because the intentionality is mentioned as a security guarantee of BGPsec.



[Sriram-3] Please see solution choices and A and B above and the related discussion.



Chairs: Please poll the WG or make a decision of whether there is consensus (or not) to not solve this continuity issue (maybe from prior discussions on the list).  If the WG decides not to solve this issue (or if it was already discussed), I’m ok with being in the rough.



Related to the above, is the support for private ASNs --- this topic also came up in the review of draft-ietf-sidr-bgpsec-ops, and the GenArt/SecDir reviews.  There are two related points:



1. It is common to use private ASNs in Confederations, but the global RPKI can’t support that.  draft-ietf-sidr-slurm seems to address the issue of local management of private resources in the RPKI.  Given that the signing of Updates is mandated, I think that support of draft-ietf-sidr-slurm is necessary; IOW, I think that draft-ietf-sidr-slurm should be a Normative reference.



[Sriram-3]  OK, will include draft-ietf-sidr-slurm as a normative reference.



2. Private ASNs (as pointed out in the SecDir review) are commonly used for stubs.  This document should include something (I’m thinking in the Ops Section) about the protocol considerations: there must be a ROA from the resource owner for the ISP to properly re-originate the Update, etc..



[Sriram-3]  Agree. I’ll factor in your inputs and those from Joel, Russ, and Randy to include a paragraph on this topic in the ops and mgmt. section.



[Sriram-3]  Perhaps I should wait for some more IESG LC reviews to roll in

before I include this set of changes and those from Russ (Gen-ART)

and Nevil (OPS-DIR)? Please advise.



Thank you.



Sriram

v2.23.0 | Report a Bug | By Email