IETF Logo Mail Archive

Re: [sidr] request for agenda items for interim meeting 6 Jun

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Mon, 04 June 2012 18:53 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20A6A11E80BC; Mon, 4 Jun 2012 11:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.854
X-Spam-Level:
X-Spam-Status: No, score=-5.854 tagged_above=-999 required=5 tests=[AWL=-0.744, BAYES_05=-1.11, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhHmVPP6B4nI; Mon, 4 Jun 2012 11:53:41 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 92E9F11E80B5; Mon, 4 Jun 2012 11:53:38 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.1.355.2; Mon, 4 Jun 2012 14:53:35 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Mon, 4 Jun 2012 14:53:37 -0400
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: "John G. Scudder" <jgs@juniper.net>
Date: Mon, 04 Jun 2012 14:51:45 -0400
Thread-Topic: [sidr] request for agenda items for interim meeting 6 Jun
Thread-Index: Ac0/U5HRPlsCbHtVSUK1+tV3UsF//ADKs4sO
Message-ID: <D7A0423E5E193F40BE6E94126930C4930B9A71FA4B@MBCLUSTER.xchange.nist.gov>
References: <24B20D14B2CD29478C8D5D6E9CBB29F60F70A267@Hermes.columbia.ads.sparta.com> <24B20D14B2CD29478C8D5D6E9CBB29F625F0975D@Hermes.columbia.ads.sparta.com> <4FBBB6D1.9000008@bbn.com> <m2r4ub7vta.wl%randy@psg.com> <4FBC0936.7000905@bbn.com>, <5BA9D6DE-BE0E-4922-9E09-7B85BD6F9342@juniper.net> <24B20D14B2CD29478C8D5D6E9CBB29F625F12333@Hermes.columbia.ads.sparta.com> <AAAF2A7E-4CC7-426C-8956-BF68A2327009@juniper.net> <D7A0423E5E193F40BE6E94126930C4930B9B247700@MBCLUSTER.xchange.nist.gov>, <5F5F8CF8-061C-47C9-942C-7908963EF347@juniper.net>
In-Reply-To: <5F5F8CF8-061C-47C9-942C-7908963EF347@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: "idr@ietf.org List" <idr@ietf.org>, "Murphy, Sandra" <Sandra.Murphy@sparta.com>, "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] request for agenda items for interim meeting 6 Jun
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jun 2012 18:53:42 -0000

Thanks for the clarification.
The Secure_Path semantics in BGPSEC are the same as the *essential semantics* of BGP AS_PATH.
The *essential semantics* being the sequence of ASs the prefix announcement has passed through
(including AS prepending).
So the Secure_Path semantics would be compatible with AS_PATH as long as said essential semantics do not change.
I am curious if there is a realistic example of feature change to BGP 
such that the AS_PATH would no longer adhere to its essential semantics.

Sriram 
________________________________________
From: John G. Scudder [jgs@juniper.net]
Sent: Thursday, May 31, 2012 1:31 PM
To: Sriram, Kotikalapudi
Cc: Murphy, Sandra; idr@ietf.org List; sidr@ietf.org list
Subject: Re: [sidr] request for agenda items for interim meeting 6 Jun

On May 30, 2012, at 8:02 PM, Sriram, Kotikalapudi wrote:

>>
>> Right, and agreed (see "formally an attack" above). But to repeat my further
>> point, if the AS_PATH is present (even if not secured): "at least there's scope for a
>> network operator on the receiving end to tolerate the validation failure and use
>> the route anyway, if desired. In the case where there's no AS_PATH, the data are
>> just gone with no chance for appeal."
>>
>
> John,
>
> I do not agree that in the event of "validation failure" the route becomes unusable
> in BGPSEC as currently specified.

That's not what I meant. My point was that a feature may be applied that wants to change the AS_PATH in a way that can't be represented in the BGPSEC_Path_Signatures. In other words, your later statement:

> the Secure_Path segment is still usable as it provides the AS path info.

is not correct in all cases. Likewise, to this statement:

> So validation failure in BGPSEC does not mean that "the data are just gone."

My point is not that validation failure causes this. It's that absent AS_PATH, a semantically non-representable AS_PATH will be lost if forced through BGPSEC_Path_Signatures.

To reiterate, the options to address the case where a feature wants to produce output that can't be represented in BGPSEC_Path_Signatures are:

- Don't solve it. Effectively forbid any such feature.
- Carry both AS_PATH and BGPSEC_Path_Signatures in every update. Rules for reconciliation would be required.
- Downgrade BGPSEC update to BGP update.
- Extend BGPSEC_Path_Signatures format to be able to represent the needed feature. (As Sandy noted, this only makes sense insofar as the feature isn't formally an attack, so this option is incomplete.)

The validation failure I spoke of is a potential *consequence* of the middle two options above, and as you say, the operator can then decide what to do.

--John

v2.23.0 | Report a Bug | By Email