[sidr] iBGP, BGPSEC and incremental deployment (was No BGPSEC intradomain ?)
Jeffrey Haas <jhaas@pfrc.org> Wed, 11 April 2012 14:20 UTC
Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 666BA11E809C; Wed, 11 Apr 2012 07:20:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.215
X-Spam-Level:
X-Spam-Status: No, score=-101.215 tagged_above=-999 required=5 tests=[AWL=0.251, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, SARE_SUB_RAND_LETTRS4=0.799, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id alhdU2jfulXh; Wed, 11 Apr 2012 07:20:53 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id BC85521F8584; Wed, 11 Apr 2012 07:20:53 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 15CDD1703D7; Wed, 11 Apr 2012 10:20:53 -0400 (EDT)
Date: Wed, 11 Apr 2012 10:20:53 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: Warren Kumari <warren@kumari.net>
Message-ID: <20120411142053.GA1283@slice>
References: <D7A0423E5E193F40BE6E94126930C4930B96182E71@MBCLUSTER.xchange.nist.gov> <4F828D6D.10907@raszuk.net> <D7A0423E5E193F40BE6E94126930C4930B96C507DA@MBCLUSTER.xchange.nist.gov> <4F830E75.70606@raszuk.net> <24B20D14B2CD29478C8D5D6E9CBB29F60F6F1533@Hermes.columbia.ads.sparta.com> <4F832F5E.9030903@raszuk.net> <0BD03B75-CA3A-4CBA-BBF4-E2100AFA64E4@kumari.net> <4F846121.2050408@raszuk.net> <CAL9jLaYF-MW1cJ2n28BiV1mi+tpPS2ECKB2UxhFMQ=NXxbihCg@mail.gmail.com> <D7CF4F8F-AF93-43F2-BC0D-26E072307B4F@kumari.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <D7CF4F8F-AF93-43F2-BC0D-26E072307B4F@kumari.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "idr@ietf.org List" <idr@ietf.org>, sidr@ietf.org
Subject: [sidr] iBGP, BGPSEC and incremental deployment (was No BGPSEC intradomain ?)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2012 14:20:54 -0000
I'm not at my usual spot in the week to catch up on IETF mail, but this thread is noisy enough that it's caught my attention anyway. :-) On Tue, Apr 10, 2012 at 01:37:34PM -0400, Warren Kumari wrote: > I think that sone of the biggest issues to keep in mind with carrying the "same" data in two places is what to do when you suddenly discover that they are not actually the same? The apparent issue in this thread is basically, "what happens to AS_PATH?" Glancing at draft-ietf-sidr-bgpsec-protocol-02 (and not thoroughly reading it), there's commentary about what should be done with the AS_PATH. That commentary is mostly correct in the sense that all of the path loop detection is already present. (And the mostly is important.) IMO, there are two specific issues with regard to removing the AS_PATH and one with keeping it. 1. What do you do about confederations? These ASes are not only typically internal but would have to use some sort of internal certs if we decided to cover the confederation case. Additionally, the current encoding format doesn't include AS_PATH segment type as part of the signature. Note in particular that confederation segments MUST be stripped when crossing an eBGP boundary. 2. More generally, what do you do about incremental deployment *within* the AS? One presumption I've been working on that I *thought* was shared by the WG was that BGPSEC procedures only had to be done at eBGP edges. While this is primarily true for signature validation purposes, a desired side effect of having the signature as a optional,transitive that paralleled the AS_PATH was that iBGP speakers don't have to even be BGPSEC aware. This lets you upgrade your network from the outside first and get benefit. As John Scudder likes to say, "a hard, crunchy shell". :-) IMO, we should keep the AS_PATH. 3. Which brings us to the third point - what do we do when the signature and the AS_PATH disagree with each other? Note that this was also a problem for 4-byte ASes (RFC 4893). That spec chose to simply trust the 4-byte path beyond a certain point. (I don't necessarily agree with it, but that's what consensus was.) Exactly what we do here needs to be specified, and some of that specification will come from deciding what we want to do about some things. For example, we want to prevent the path from being shortened. As long as the ASes involved in both signature and path are congruent, we can use the length in the signature if the number of ASes in the path are shorter than the signature. In the case where the paths are still congruent but the AS_PATH has a longer prepend (see my ingress prepending use case from a few sessions back), it may be fine to use the AS_PATH (and its length for route selection purposes). Yes, I understand there isn't consensus here. In the case where the paths are not congruent (which shouldn't happen unlike the AS4_PATH case in RFC 4893 - we don't tunnel bgpsec across other BGP), we probably have some sort of hard error case. One reasonable assumption is that a non-BGPSEC speaker mucked with the AS_PATH - perhaps an iBGP speaker doing path manipulations for policy. IMO, the proper behavior here is to *not* propagate the route at a BGPSEC ASBR boundary; any BGP speaker that manipulates the AS_PATH in such a way as to break the congruency of ASes between AS_PATH and signature MUST be a BGPSEC speaker. The above still doesn't deal with common deployment considerations such as as-override, replace-as and remove-private. I see there's a thread about proxy signing and perhaps that discussion is over there. I'll hopefully get to it in a few days. (And if you're not familiar with those three features and their deployment scenarios, please take some time to become familiar. Not dealing with them will be a significant deployment hurdle.) -- Jeff
- [sidr] draft-ietf-sidr-bgpsec-threats-02: Path sh… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Jakob Heitz
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Murphy, Sandra
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Sriram, Kotikalapudi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Robert Raszuk
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Jakob Heitz
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Sriram, Kotikalapudi
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Murphy, Sandra
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Montgomery, Douglas
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Murphy, Sandra
- [sidr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] No BGPSEC intradomain ? Warren Kumari
- Re: [sidr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Warren Kumari
- Re: [sidr] [Idr] No BGPSEC intradomain ? Montgomery, Douglas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jakob Heitz
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jakob Heitz
- Re: [sidr] [Idr] No BGPSEC intradomain ? Randy Bush
- Re: [sidr] [Idr] No BGPSEC intradomain ? Randy Bush
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Paul Jakma
- [sidr] iBGP, BGPSEC and incremental deployment (w… Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jakob Heitz
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Brian Dickson
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Paul Jakma
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jakob Heitz
- Re: [sidr] [Idr] iBGP, BGPSEC and incremental dep… Brian Dickson