Re: [sidr] iBGP, BGPSEC and incremental deployment (was No BGPSEC intradomain ?)

Jeffrey Haas <jhaas@pfrc.org> Thu, 12 April 2012 14:53 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EAC321F8647; Thu, 12 Apr 2012 07:53:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.415
X-Spam-Level:
X-Spam-Status: No, score=-101.415 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, SARE_SUB_RAND_LETTRS4=0.799, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7zxFCVVhiMLb; Thu, 12 Apr 2012 07:53:00 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 51E8B21F8666; Thu, 12 Apr 2012 07:52:58 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 1D9A31703E7; Thu, 12 Apr 2012 10:52:58 -0400 (EDT)
Date: Thu, 12 Apr 2012 10:52:58 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: Christopher Morrow <morrowc.lists@gmail.com>
Message-ID: <20120412145258.GB9700@slice>
References: <4F832F5E.9030903@raszuk.net> <0BD03B75-CA3A-4CBA-BBF4-E2100AFA64E4@kumari.net> <4F846121.2050408@raszuk.net> <CAL9jLaYF-MW1cJ2n28BiV1mi+tpPS2ECKB2UxhFMQ=NXxbihCg@mail.gmail.com> <D7CF4F8F-AF93-43F2-BC0D-26E072307B4F@kumari.net> <20120411142053.GA1283@slice> <7309FCBCAE981B43ABBE69B31C8D21391B3EE934B5@EUSAACMS0701.eamcs.ericsson.se> <CAL9jLaZjXHBSXmuQ6p53o+0aPkfudTUm60xY2qTSbRu8+wLmMg@mail.gmail.com> <20120411194809.GE1283@slice> <CAL9jLaaqcTtpTbjiRCCDWSRvqfZPAP3DB9Uv9h+eA8Uc9hOYRQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAL9jLaaqcTtpTbjiRCCDWSRvqfZPAP3DB9Uv9h+eA8Uc9hOYRQ@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "sidr@ietf.org" <sidr@ietf.org>, "idr@ietf.org List" <idr@ietf.org>
Subject: Re: [sidr] iBGP, BGPSEC and incremental deployment (was No BGPSEC intradomain ?)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2012 14:53:02 -0000

On Wed, Apr 11, 2012 at 03:53:29PM -0400, Christopher Morrow wrote:
> > Functionally, confed segments are stripped prior to the global AS being
> > added to the path. ?The box performing this function is the one that needs
> > to amend the BGPSEC signature, not some box in the middle of the
> > confederation.
> 
> I suppose you could re-sign... the case I was thinking of was
> attempting to validate inside your domain a prefix supposedly
> originated by an iBGP speaker inside your domain.

If you don't trust your own boxes to originate, I think you have a  bigger
problem. :-)

That said, there's little stopping you from using RPKI (perhaps with a local
view) data to provide prefix sanity checking.  Internally the signature
piece is probably excessive.

-- Jeff