Re: [sidr] Follow-up on June 6 Interim : Confederations
Matt Lepinski <mlepinski@bbn.com> Fri, 15 June 2012 20:52 UTC
Return-Path: <mlepinski@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A030311E80D7 for <sidr@ietfa.amsl.com>; Fri, 15 Jun 2012 13:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HnxR5311jwLg for <sidr@ietfa.amsl.com>; Fri, 15 Jun 2012 13:52:30 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id BECEB11E8088 for <sidr@ietf.org>; Fri, 15 Jun 2012 13:52:28 -0700 (PDT)
Received: from mail.bbn.com ([128.33.0.48]:34532) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <mlepinski@bbn.com>) id 1SfdUk-000F9T-Ny; Fri, 15 Jun 2012 16:51:50 -0400
Received: from [128.89.255.6] by mail.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <mlepinski@bbn.com>) id 1SfdVL-0008Kl-Eg; Fri, 15 Jun 2012 16:52:27 -0400
Message-ID: <4FDBA094.5020906@bbn.com>
Date: Fri, 15 Jun 2012 16:52:36 -0400
From: Matt Lepinski <mlepinski@bbn.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
References: <4FDB8840.2030903@bbn.com> <D7A0423E5E193F40BE6E94126930C4930B9BA8404E@MBCLUSTER.xchange.nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930B9BA8404E@MBCLUSTER.xchange.nist.gov>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Follow-up on June 6 Interim : Confederations
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 20:52:34 -0000
If we want to make it optional for ASes to sign internally to a confed, that is perfectly fine with me. As long as they add their AS number to the Secure_Path, it would be easy to modify this solution so that ASes within a confed can optionally leave the digital signature field empty. With regard processing requirements and the AS_Path attribute. I believe that carrying the AS_Path attribute in BGPSEC messages slightly increases the amount of processing that must be done when receiving a signed update message (since the receiver must perform some additional checks to verify that the secured data in the Path_Signatures_Attribute is consistent with the AS_Path attribute), but slightly decreases the amount of work that must be done when sending to a non-BGPSEC peer (since stripping the signatures attribute is easier than recomputing the AS_Path). However, in either case, I don't think it a big difference in the amount of processing required. Also, I haven't thought enough about this to know to what extent processing changes in the "lazy" case or the confederation case. - Matt Lepinski On 6/15/2012 4:07 PM, Sriram, Kotikalapudi wrote: > This solution for confeds *requires* each AS within a confed to sign internally > (i.e., from AS to AS within the confed). It does not allow the choice to > a confed operator to sign or not sign the updates internally. > For instance, the operator may be satisfied with the level of mutual trust > within the confed, and therefore may choose to not sign updates internally. > > Do we want to provision this choice into the protocol? > > Discussion points: > > Having this choice helps the operator to avoid the extra processing burden for > the confed ASes when they have sufficient trust within the confed. > > If we decide that the protocol must be flexible enough to offer this choice, > then one solution would be to keep the AS_PATH. > Then the confed sequence info is carried in the AS_PATH as normal, > and the operator can choose to sign or not sign updates internally. > > A secondary advantage of the AS_PATH based approach is that > in the lazy mode or super lazy mode (which we discussed at the last meeting), > the processing of updates in the confed ASes becomes less complex. > The processing cost also decreases for the case when a BGPSEC router > needs to do conversion to regular BGP update for a non-BGPSEC peer. > > Sriram > >> -----Original Message----- >> From: sidr-bounces@ietf.org [mailto:sidr-bounces@ietf.org] On Behalf Of Matt >> Lepinski >> Sent: Friday, June 15, 2012 3:09 PM >> To: sidr@ietf.org >> Subject: [sidr] Follow-up on June 6 Interim : Confederations >> >> We had significant discussion at the June 6 Interim on the topic of supporting >> confederation in BGPSEC without an AS-Path attribute. >> >> My understanding was that at the interim there was some consensus for the >> following confederation solution (but this consensus has not yet been >> discussed/confirmed this consensus on the list): >> 1) We specify the first bit in the (signed) Flags field of the Secure_Path as a marker >> for entering a confederation. >> (Note: the Flags field is specified in -03 version of the bgpsec-protocol draft but >> all 8 Flag bits are reserved for future use in >> -03) >> 2) When a signed (BGPSEC) update message enters a confederation, the first >> member of the confederation who gets the update sets the first bit of the Flags >> field to 1. >> (That is, the first confederation member when adding its own AS number to the >> Secure_Path also includes a Flags octet with the first bit set to 1.) >> 3) When a signed (BGPSEC) update message is about to be sent to a peer outside >> the confederation, the BGPSEC speaker traces backward through the Secure_Path >> to find the most recently added Secure_Path segment containing a Flags field >> whose first bit is set to 1. The BGPSEC speaker then deletes all of the Secure_Path >> segments up to and including the segment with the Flags bit set to 1. Finally, this >> BGPSEC speaker then adds his a Secure_Path segment containing the Public AS of >> the confederation. >> (Note that this means that any BGPSEC speaker in a confederation who has a >> peer external to the confederation must have a signing key associated with an >> RPKI router certificate containing the public AS of the confederation.) >> >> The advantage of this above approach to confederations is that it does NOT >> require that a BGPSEC speaker in a confederation be explicitly configured with the >> AS numbers of every AS belonging to the confederation. Also, this approach does >> not make any assumptions about the loop detection algorithms employed by any >> BGP speaker on the path. >> >> If it would be helpful, I could push a quick -04 revision to the protocol >> specification next week that fleshes out what this change would look like when >> incorporated into the BGPSEC protocol draft. (Though not included in this >> message, the protocol draft will also need to include explicit instructions for re- >> constructing the AS_confed_segments of the AS_Path attribute in the case where >> within a confederation the update message is sent to a peer that does not >> support BGPSEC.) >> >> Final note: At the interim, we discussed both confederations as well as AS number >> migration (and other circumstances in which a single router needs to use different >> AS numbers on different BGP sessions to different peers). I outlined above the >> protocol change that I believe is needed to accommodate confederations, and I >> believe that no changes new protocol mechanisms are needed to accommodate >> routers that use different AS numbers on different BGP sessions. No one at the >> interim raised any other issues arising from the removal of AS_Path. (That is, if >> you weren't able to make it to the interim and you have a new issue that arises > >from the removal of AS_Path from BGPSEC update messages, please send mail to >> the SIDR list.) >>
- [sidr] Follow-up on June 6 Interim : Confederatio… Matt Lepinski
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Sriram, Kotikalapudi
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Matt Lepinski
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Randy Bush
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Sriram, Kotikalapudi
- Re: [sidr] Follow-up on June 6 Interim : Confeder… Randy Bush