Re: [sidr] draft-ietf-sidr-bgpsec-protocol
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Fri, 06 January 2017 16:27 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D9B7129B53; Fri, 6 Jan 2017 08:27:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BgWziWx9xdIH; Fri, 6 Jan 2017 08:27:52 -0800 (PST)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0139.outbound.protection.outlook.com [23.103.200.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A478F1294C1; Fri, 6 Jan 2017 08:27:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=SVgxYUxQ22CEkRILHJAqFeeMYF4fOx/bqk4vTfiTPew=; b=VWn7JGQcI5zwce3dq7qHHRwOGmXOPV8+pDuEG2hVac2d4e7XHzv1oRo5akl27xsBaXJeZToHVDx+d2sHsIU7JDwMS/0W2dv7RZ0TmVE7C00vvGijI4Vm6/1wPZi0wu+RygQUi4agR9tSrHgKsqwtm4TeLrOBOYj9GYZsa07tmy0=
Received: from DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) by DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.817.10; Fri, 6 Jan 2017 16:27:50 +0000
Received: from DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) by DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) with mapi id 15.01.0817.012; Fri, 6 Jan 2017 16:27:50 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Keyur Patel <keyur@arrcus.com>, Jonathan Hardwick <jonathan.hardwick@metaswitch.com>, "Alvaro Retana (aretana)" <aretana@cisco.com>, Zhangxian Xian <zhang.xian@huawei.com>, Jon Hudson <jon.hudson@gmail.com>
Thread-Topic: draft-ietf-sidr-bgpsec-protocol
Thread-Index: AQHSZthkNfH8MXPYLkOmxwl9coeqv6EoZskAgAKH0dSAALXTbQ==
Date: Fri, 06 Jan 2017 16:27:50 +0000
Message-ID: <DM2PR09MB04460F8436EDBEA289420ED284630@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <B3E00907-BF7C-400D-8A5B-4F02BA2A2C12@arrcus.com>, <C3B0482B-1007-4B29-B178-DE98C062E197@arrcus.com>, <DM2PR09MB0446573C5C4C482D62700B6884630@DM2PR09MB0446.namprd09.prod.outlook.com>
In-Reply-To: <DM2PR09MB0446573C5C4C482D62700B6884630@DM2PR09MB0446.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.219.212]
x-ms-office365-filtering-correlation-id: c8908edd-f6dc-4f0f-8693-08d43650f56f
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM2PR09MB0446;
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0446; 7:p0SLu568n6s12wrXMtgG6OLMDXqlmSiNN1lzywdpQnMVCD3S570Oibn1o6guqfergxgMmEIdJ+0BqpCtTssWO2FdDOG+3qmGjO/R4pON0ycL3zfFL9wf//FD2uBLytWQC33pFdD09dzk9Z5vSkHkKwMFmDtpAILbinsORIyDVAdOFiLnui5yJIcY1F9HF2hQUWUPJ1ErbZIu4BR6pZRxu9jozfl5DsiPEeXjbeBG+APR1AdrLG1P/YfuXUk98Kcg/zwZ2HwCURinmRdyXn4BzT8uUt3YIWIKP2YYv5yB1wNPrRFElFw1td9wlwULPTBd3sLdqYyfJCw/TdpIUargLya/h6OlNFtPkSWYO4ehnnb1ZZKlEu/HAOyk4nGBwXzcch0E7fPx3Gu0UaAEwmaWSpmeKsCDK7A69mL+PO6/wroKHbv+QAKtZstCaWC49n7t3TPSpmK+7oUyUWJFAuIOrw==
x-microsoft-antispam-prvs: <DM2PR09MB04460CBE14FC75646801424C84630@DM2PR09MB0446.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(6041248)(20161123564025)(20161123555025)(20161123558021)(20161123562025)(20161123560025)(6072148); SRVR:DM2PR09MB0446; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0446;
x-forefront-prvs: 01792087B6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39860400002)(39450400003)(39410400002)(39840400002)(39850400002)(377454003)(189002)(199003)(102836003)(6506006)(5890100001)(54896002)(230783001)(101416001)(122556002)(86362001)(2906002)(229853002)(77096006)(39060400001)(2900100001)(19627405001)(3846002)(3280700002)(105586002)(6116002)(7736002)(345774005)(5001770100001)(4326007)(54906002)(189998001)(97736004)(5660300001)(99286003)(92566002)(33656002)(55016002)(66066001)(7416002)(106116001)(81166006)(7696004)(3660700001)(25786008)(74316002)(81156014)(68736007)(2950100002)(8936002)(6606003)(106356001)(9686002)(8676002)(6436002)(54356999)(76176999)(50986999)(38730400001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0446; H:DM2PR09MB0446.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM2PR09MB04460F8436EDBEA289420ED284630DM2PR09MB0446namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jan 2017 16:27:50.7711 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0446
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/SGYMuWghkQgSao1JG_QMAk3heSk>
Cc: sidr <sidr@ietf.org>, Routing Directorate <rtg-dir@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "mlepinski@ncf.edu" <mlepinski@ncf.edu>, Routing ADs <rtg-ads@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-protocol
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 16:27:55 -0000
My previous post of this message seems to have line wrap issue. Resending ... hopefully this avoids that issue. - Sriram ------------------- Keyur, Thank you for taking the time to read and offer comments. I find the comments very insightful and helpful. My comments are marked with [Sriram] below. >From: Keyur Patel keyur@arrcus.com >Sent: Wednesday, January 4, 2017 5:53 PM >The document is well written, easy to read and follow. >Some minor comments are listed below: >1) Section 4.1 “The BGPsec Path attribute and the AS_PATH attribute are mutually exclusive. That is, any update message containing the BGPsec Path attribute MUST NOT contain the AS_PATH attribute”. For any restarting speakers in a GR mode, where the bgp capability is not exchanged, the existing stale routes won’t have an AS_PATH attribute. We could add some clarifying that helps to indicate that such routes should be considered valid in stale mode (till they get refreshed)? [Sriram] As you have clarified for me on the phone, what you are saying here is that the two BGPsec peers lost the BGPsec session and now restarting in GR mode, but they have not exchanged BGPsec capability this time. Hence, they are now simple BGP (non-BGPsec) peers in GR mode. RFC4271 considers update message received without a well-known AS_PATH attribute as an error, and unfortunately in this case the cached BGPsec updates do not have AS_PATH (albeit they have BGPsec_Path). So you are saying "the router should not panic" and instead simply treat each cached update as NOT-IN-ERROR even though it is missing AS_PATH attribute. This way the GR can work properly. Of course, shortly the updates will have AS_PATH (and not considered in error) when they get refreshed (over the new simple BGP session). Per your suggestion, I will include new text in Section 7 to describe this required behavior for the GR mode. >2) 4.1 4th paragraph: "Note also that new signatures are only added to a BGPsec update message when a BGPsec speaker is generating an update message to send to an external peer (i.e., when the AS number of the peer is not equal to the BGPsec speaker's own AS number). Therefore, a BGPsec speaker who only sends BGPsec update messages to peers within its own AS does not need to possess any private signature keys." This text doesn't seem to apply to confed peers? If so, it would be nice to clarify that this text doesn't apply to any confed peers. [Sriram] You have clarified in our phone conversation that you consider the inter-AS-member sessions as "iBGP" since they are all within a confederation AS domain. The BGPsec document considers the inter-AS-member sessions as "eBGP" (not "iBGP") and intra-Member-AS sessions as "iBGP". You also clarified that you may call inter-AS-member sessions as "confederation-eBGP" sessions. Obviously, private key is required to sign over such "confederation-eBGP/BGPsec" sessions. I understand your point. I will put in new text (notes) to clarify this in the document. >3) Section 5 and Section 5.2, 1st paragraph: RFC4271 considers update message received without a well-known AS_PATH attribute as an error. We need some text to clarify the (error handling if any) behavior when an update message is received without a bgpsec and an aspath attribute. The current draft text seems unclear about generation of bgpsec attribute as well (in a ibgp scenario). Is it a requirement to generate an empty bgpsec attribute? [Sriram] As you have clarified for me over the phone, RFC 4271 (page 26) says the following : "When a BGP speaker originates a route then: b) the originating speaker includes an empty AS_PATH attribute in all UPDATE messages sent to internal peers. (An empty AS_PATH attribute is one whose length field contains the value zero)." [Sriram] So what needs to be said in the BGPsec document is the following: The BGPsec_Path attribute is not attached in updates originated inside an AS and propagated to BGPsec capable internal peers. However, when a route is originated inside an AS and propagated to non-BGPsec internal peers, an empty AS_PATH attribute is included in the update (see [RFC 4271], page 26). >4) With an AS_PATH attribute in 4271 there was loop detection in place. With BGPSec I don’t see that being called explicitly other than a passing remark in section 5. Section 5.2 should have a check that allows a BGPsec speaker to bail out of a validation procedure when a aspath loop is detected. [Sriram] I agree. I will include loop detection in the list of error checks in Section 5.2. Sriram
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Keyur Patel
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Randy Bush
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Sriram, Kotikalapudi (Fed)
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Sriram, Kotikalapudi (Fed)
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Alvaro Retana (aretana)
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Randy Bush
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Keyur Patel
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Sriram, Kotikalapudi (Fed)
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Alvaro Retana (aretana)