Re: [sidr] draft-ietf-sidr-bgpsec-protocol
Keyur Patel <keyur@arrcus.com> Wed, 04 January 2017 22:53 UTC
Return-Path: <keyur@arrcus.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E896A1296AC; Wed, 4 Jan 2017 14:53:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft1331857.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K5r1Or2Nz0cr; Wed, 4 Jan 2017 14:53:20 -0800 (PST)
Received: from dispatch1-us1.ppe-hosted.com (dispatch1-us1.ppe-hosted.com [67.231.154.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7103129497; Wed, 4 Jan 2017 14:53:19 -0800 (PST)
Received: from pure.maildistiller.com (unknown [10.110.50.29]) by dispatch1-us1.ppe-hosted.com (Proofpoint Essentials ESMTP Server) with ESMTP id 468318007D; Wed, 4 Jan 2017 22:53:14 +0000 (UTC)
X-Virus-Scanned: Proofpoint Essentials engine
Received: from mx2-us1.ppe-hosted.com (unknown [10.110.49.251]) by pure.maildistiller.com (Proofpoint Essentials ESMTP Server) with ESMTPS id D4CB980054; Wed, 4 Jan 2017 22:53:13 +0000 (UTC)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03lp0052.outbound.protection.outlook.com [216.32.180.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mx2-us1.ppe-hosted.com (Proofpoint Essentials ESMTP Server) with ESMTPS id 3982D80087; Wed, 4 Jan 2017 22:53:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT1331857.onmicrosoft.com; s=selector1-arrcus-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=FutD/SRAammxGAacq9BKZnwAhJJZ+4g7MDhU2KI2y4k=; b=LIYtB5CoZFJNZzyg4kryFbl8XG+/027xOA6eoBn8WC+49kdzPrtY0GxN7l3CxAd6r5xzEuyc6zMkjW6Qw0pjKTWRxvrzOvB5GBw9bE/7qcqHItuIVDL0YqQcqUec/eW/0KR8LNW8NKIaZ/t9VGjVS5QZiqjVw9FdGEgcdQyCKcY=
Received: from BY2PR18MB0262.namprd18.prod.outlook.com (10.163.72.152) by BY2PR18MB0261.namprd18.prod.outlook.com (10.163.72.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.817.10; Wed, 4 Jan 2017 22:53:01 +0000
Received: from BY2PR18MB0262.namprd18.prod.outlook.com ([10.163.72.152]) by BY2PR18MB0262.namprd18.prod.outlook.com ([10.163.72.152]) with mapi id 15.01.0817.009; Wed, 4 Jan 2017 22:53:01 +0000
From: Keyur Patel <keyur@arrcus.com>
To: Jonathan Hardwick <jonathan.hardwick@metaswitch.com>, "Alvaro Retana (aretana)" <aretana@cisco.com>, Zhangxian Xian <zhang.xian@huawei.com>, Jon Hudson <jon.hudson@gmail.com>
Thread-Topic: draft-ietf-sidr-bgpsec-protocol
Thread-Index: AQHSZthkNfH8MXPYLkOmxwl9coeqv6EoZskA
Date: Wed, 04 Jan 2017 22:53:01 +0000
Message-ID: <C3B0482B-1007-4B29-B178-DE98C062E197@arrcus.com>
References: <B3E00907-BF7C-400D-8A5B-4F02BA2A2C12@arrcus.com>
In-Reply-To: <B3E00907-BF7C-400D-8A5B-4F02BA2A2C12@arrcus.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=keyur@arrcus.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2602:306:c446:9490:c160:7303:35b8:9b52]
x-ms-office365-filtering-correlation-id: d30f5182-0dc2-471f-e733-08d434f46fb3
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:BY2PR18MB0261;
x-microsoft-exchange-diagnostics: 1; BY2PR18MB0261; 7:joWYA82vzxYcLH/3gCooZZ8qo1OTWOpulyl8x1XhYwAw3hHDdd+ideqrpCQpyStqh2sVHFxROB8ij0bfWK0lzzcS+/Drs43/NcGgr1u4LFGqzWfzamg44UZKIWG3p+AgdUAJrQyj4hB78tzlOBGWvOrt3eWBgIVOVUOO/rm1EpO9Qbu3ptO1rjhAWE6CrBhyoecm3ZyycVWrMZ17pExRooF+ftPeCmq1LVPhzKhysc0DELi7u4vVpThO5tN2WdNMmO4w+f9kPznKoXhYdR5wavnQ7bWn1NfIUlgEJeq67MXco4ssCxfAkHtyrHq3TcB6LX4cftjGxgw1UG3wEJV8qT+q5CSYcUuQMf6Snbbjd8DYmdtceL6JsYUUeF3depJY/qXMuDoWlOMEbwSxGi96biS+hLlMF0tzzGX4ZR8ZLEerETre0Rw0hTHEnLxTxhgjguGGXt3ZGeMho8XRwi+68g==
x-microsoft-antispam-prvs: <BY2PR18MB02619157731E8503AD27CCD3C1610@BY2PR18MB0261.namprd18.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705)(50582790962513)(95692535739014)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6041248)(20161123555025)(20161123560025)(2016111802025)(20161123564025)(20161123562025)(6072148)(6043046); SRVR:BY2PR18MB0261; BCL:0; PCL:0; RULEID:; SRVR:BY2PR18MB0261;
x-forefront-prvs: 0177904E6B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(6009001)(7916002)(39410400002)(39450400003)(39830400002)(199003)(377454003)(189002)(54896002)(81166006)(122556002)(5660300001)(230783001)(8656002)(189998001)(101416001)(2906002)(54906002)(50986999)(54356999)(2900100001)(102836003)(106356001)(68736007)(92566002)(6306002)(106116001)(105586002)(76176999)(38730400001)(6116002)(3660700001)(229853002)(6506006)(6486002)(6512006)(97736004)(6436002)(36756003)(83716003)(82746002)(25786008)(33656002)(7736002)(99286003)(8936002)(5001770100001)(2950100002)(7416002)(39060400001)(4326007)(81156014)(8676002)(3280700002)(77096006)(86362001)(104396002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR18MB0261; H:BY2PR18MB0262.namprd18.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: arrcus.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_C3B0482B10074B29B178DE98C062E197arrcuscom_"
MIME-Version: 1.0
X-OriginatorOrg: arrcus.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jan 2017 22:53:01.4636 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 697b3529-5c2b-40cf-a019-193eb78f6820
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR18MB0261
X-MDID: 1483570394-1hvfSYrvpfm2
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Wo4O55GCJe8jIA9Jopb4R2tSfUo>
Cc: Routing Directorate <rtg-dir@ietf.org>, sidr <sidr@ietf.org>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "mlepinski@ncf.edu" <mlepinski@ncf.edu>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, Routing ADs <rtg-ads@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-protocol
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 22:53:22 -0000
[adding routing-ads] From: Keyur Patel <keyur@arrcus.com> Date: Wednesday, January 4, 2017 at 2:17 PM To: Jonathan Hardwick <jonathan.hardwick@metaswitch.com>, "Alvaro Retana (aretana)" <aretana@cisco.com>, Zhangxian Xian <zhang.xian@huawei.com>, Jon Hudson <jon.hudson@gmail.com> Cc: rtg-dir <rtg-dir-bounces@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, sidr <sidr-bounces@ietf.org>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "mlepinski@ncf.edu" <mlepinski@ncf.edu> Subject: draft-ietf-sidr-bgpsec-protocol Hello, Apologies for the delayed response. I have been selected as the Routing Directorate QA reviewer for draft-ietf-sidr-bgpsec-protocol. The Routing Directorate QA reviews are intended to be a support to improve the quality of RTG Area documents as they pass through the IETF process. This is the QA review at the time of the WG document adoption poll. Summary: This document describes BGPsec, an extension to the Border Gateway Protocol (BGP) that provides security for the path of autonomous systems (ASes) through which a BGP update message passes. The document is well written, easy to read and follow. Some minor comments are listed below: Comments for the authors: 1) Section 4.1 “The BGPsec Path attribute and the AS_PATH attribute are mutually exclusive. That is, any update message containing the BGPsec Path attribute MUST NOT contain the AS_PATH attribute”. For any restarting speakers in a GR mode, where the bgp capability is not exchanged, the existing stale routes won’t have an AS_PATH attribute. We could add some clarifying that helps to indicate that such routes should be considered valid in stale mode (till they get refreshed)? 2) 4.1 4th paragraph: “Note also that new signatures are only added to a BGPsec update message when a BGPsec speaker is generating an update message to send to an external peer (i.e., when the AS number of the peer is not equal to the BGPsec speaker's own AS number). Therefore, a BGPsec speaker who only sends BGPsec update messages to peers within its own AS does not need to possess any private signature keys.” This text doesn’t seem to apply to confed peers? If so, it would be nice to clarify that this text doesn’t apply to any confed peers. 3) Section 5 and Section 5.2, 1st paragraph: RFC4271 considers update message received without a wellknown AS_PATH attribute as an error. We need some text to clarify the (error handling if any) behavior when an update message is received without a bgpsec and an aspath attribute. The current draft text seems unclear about generation of bgpsec attribute as well (in a ibgp scenario). Is it a requirement to generate an empty bgpsec attribute? 4) With an AS_PATH attribute in 4271 there was loop detection in place. With BGPSec I don’t see that being called explicitly other than a passing remark in section 5. Section 5.2 should have a check that allows a BGPsec speaker to bail out of a validation procedure when a aspath loop is detected. Best Regards, Keyur
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Keyur Patel
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Randy Bush
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Sriram, Kotikalapudi (Fed)
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Sriram, Kotikalapudi (Fed)
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Alvaro Retana (aretana)
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Randy Bush
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Keyur Patel
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Sriram, Kotikalapudi (Fed)
- Re: [sidr] draft-ietf-sidr-bgpsec-protocol Alvaro Retana (aretana)