Re: [sidr] iBGP, BGPSEC and incremental deployment (was No BGPSEC intradomain ?)

Jakob Heitz <jakob.heitz@ericsson.com> Wed, 11 April 2012 16:17 UTC

Return-Path: <jakob.heitz@ericsson.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F07A311E8083; Wed, 11 Apr 2012 09:17:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.2
X-Spam-Level:
X-Spam-Status: No, score=-6.2 tagged_above=-999 required=5 tests=[AWL=-0.400, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FK9+If0m5X38; Wed, 11 Apr 2012 09:17:46 -0700 (PDT)
Received: from imr4.ericy.com (imr4.ericy.com [198.24.6.9]) by ietfa.amsl.com (Postfix) with ESMTP id 25EDC11E8074; Wed, 11 Apr 2012 09:17:46 -0700 (PDT)
Received: from eusaamw0712.eamcs.ericsson.se ([147.117.20.181]) by imr4.ericy.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id q3BGHhSj008408; Wed, 11 Apr 2012 11:17:45 -0500
Received: from EUSAACMS0701.eamcs.ericsson.se ([169.254.1.55]) by eusaamw0712.eamcs.ericsson.se ([147.117.20.181]) with mapi; Wed, 11 Apr 2012 12:17:41 -0400
From: Jakob Heitz <jakob.heitz@ericsson.com>
To: Jeffrey Haas <jhaas@pfrc.org>, Warren Kumari <warren@kumari.net>
Date: Wed, 11 Apr 2012 12:17:40 -0400
Thread-Topic: [sidr] iBGP, BGPSEC and incremental deployment (was No BGPSEC intradomain ?)
Thread-Index: Ac0X7mp45WFSp501Qb+tTgo50fNyTwADu/SQ
Message-ID: <7309FCBCAE981B43ABBE69B31C8D21391B3EE934B5@EUSAACMS0701.eamcs.ericsson.se>
References: <D7A0423E5E193F40BE6E94126930C4930B96182E71@MBCLUSTER.xchange.nist.gov> <4F828D6D.10907@raszuk.net> <D7A0423E5E193F40BE6E94126930C4930B96C507DA@MBCLUSTER.xchange.nist.gov> <4F830E75.70606@raszuk.net> <24B20D14B2CD29478C8D5D6E9CBB29F60F6F1533@Hermes.columbia.ads.sparta.com> <4F832F5E.9030903@raszuk.net> <0BD03B75-CA3A-4CBA-BBF4-E2100AFA64E4@kumari.net> <4F846121.2050408@raszuk.net> <CAL9jLaYF-MW1cJ2n28BiV1mi+tpPS2ECKB2UxhFMQ=NXxbihCg@mail.gmail.com> <D7CF4F8F-AF93-43F2-BC0D-26E072307B4F@kumari.net> <20120411142053.GA1283@slice>
In-Reply-To: <20120411142053.GA1283@slice>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "idr@ietf.org List" <idr@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] iBGP, BGPSEC and incremental deployment (was No BGPSEC intradomain ?)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2012 16:17:47 -0000

Confeds are out of scope.

VPN address families are out of scope.

If the BGPSEC path does not match the AS_PATH, the update
is invalid.

The validity of an update is used as an input to route selection.
If you have been replace/override/removing ASNs, you are free to
use that information in route selection too.

IOW, the BGPSEC validity of an update does not necessarily
prevent you from using the update if you have inside knowledge
about AS path mucking. How you use the BGPSEC validity in
your route selection is a private matter.

On Wednesday, April 11, 2012 7:21 AM, Jeffrey Haas <> wrote:

> I'm not at my usual spot in the week to catch up on IETF mail, but
> this 
> thread is noisy enough that it's caught my attention anyway. :-)
> 
> On Tue, Apr 10, 2012 at 01:37:34PM -0400, Warren Kumari wrote:
>> I think that sone of the biggest issues to keep in mind with
>> carrying the "same" data in two places is what to do when you
>> suddenly discover that they are not actually the same?  
> 
> The apparent issue in this thread is basically, "what happens to
> AS_PATH?" Glancing at draft-ietf-sidr-bgpsec-protocol-02 (and not
> thoroughly reading 
> it), there's commentary about what should be done with the AS_PATH. 
> That commentary is mostly correct in the sense that all of the path
> loop 
> detection is already present.  (And the mostly is important.)
> 
> IMO, there are two specific issues with regard to removing the
> AS_PATH and 
> one with keeping it.
> 
> 1. What do you do about confederations?  These ASes are not only
> typically internal but would have to use some sort of internal certs
> if we decided to cover the confederation case.  Additionally, the
> current encoding format doesn't include AS_PATH segment type as part
> of the signature. 
> 
> Note in particular that confederation segments MUST be stripped when
> crossing an eBGP boundary.
> 
> 2. More generally, what do you do about incremental deployment
> *within* the 
> AS?  One presumption I've been working on that I *thought* was shared
> by the 
> WG was that BGPSEC procedures only had to be done at eBGP edges. 
> While this 
> is primarily true for signature validation purposes, a desired side
> effect 
> of having the signature as a optional,transitive that paralleled the
> AS_PATH was that iBGP speakers don't have to even be BGPSEC aware. 
> This lets you upgrade your network from the outside first and get
> benefit. 
> 
> As John Scudder likes to say, "a hard, crunchy shell". :-)
> 
> IMO, we should keep the AS_PATH.
> 
> 3. Which brings us to the third point - what do we do when the
> signature and the AS_PATH disagree with each other?  Note that this
> was also a problem for 4-byte ASes (RFC 4893).  That spec chose to
> simply trust the 4-byte path 
> beyond a certain point.  (I don't necessarily agree with it, but
> that's what consensus was.)  Exactly what we do here needs to be
> specified, and some of that specification will come from deciding
> what we want to do about some things. 
> 
> For example, we want to prevent the path from being shortened.  As
> long as 
> the ASes involved in both signature and path are congruent, we can
> use the length in the signature if the number of ASes in the path are
> shorter than 
> the signature.
> 
> In the case where the paths are still congruent but the AS_PATH has a
> longer prepend (see my ingress prepending use case from a few
> sessions back), it 
> may be fine to use the AS_PATH (and its length for route selection
> purposes).  Yes, I understand there isn't consensus here.
> 
> In the case where the paths are not congruent (which shouldn't happen
> unlike the AS4_PATH case in RFC 4893 - we don't tunnel bgpsec across
> other BGP), we probably have some sort of hard error case.  One
> reasonable assumption is 
> that a non-BGPSEC speaker mucked with the AS_PATH - perhaps an iBGP
> speaker doing path manipulations for policy.  IMO, the proper
> behavior here is to *not* propagate the route at a BGPSEC ASBR
> boundary; any BGP speaker that manipulates the AS_PATH in such a way
> as to break the congruency of ASes between AS_PATH and signature MUST
> be a BGPSEC speaker. 
> 
> The above still doesn't deal with common deployment considerations
> such as as-override, replace-as and remove-private.  I see there's a
> thread about 
> proxy signing and perhaps that discussion is over there.  I'll
> hopefully get 
> to it in a few days.
> 
> (And if you're not familiar with those three features and their
> deployment scenarios, please take some time to become familiar.  Not
> dealing with them will be a significant deployment hurdle.)
> 
> -- Jeff

-- 
Jakob Heitz.