IETF Logo Mail Archive

Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 03 January 2017 07:17 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FC96129457 for <sidr@ietfa.amsl.com>; Mon, 2 Jan 2017 23:17:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gHN-oThkWIsV for <sidr@ietfa.amsl.com>; Mon, 2 Jan 2017 23:17:36 -0800 (PST)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0124.outbound.protection.outlook.com [23.103.201.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22162129405 for <sidr@ietf.org>; Mon, 2 Jan 2017 23:17:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=zsrhnBw9suC6qx0maysEyJMqhustbPOw77Z/KO62vhc=; b=J1q2vZNVyD5+XTJJNN0FrVRmjjxT/p95OYJKL5cqC4oiQAm6qzzbQTutTKqaxbqVDfj28CX2i/xRrogVr+kD7G6N08PxMnOYxkN0AEMTj9ebJxg6bxKdJlT1Imlr/cr38lvyXCAzbeRB7udBewrnRRbFnO3jXH0aF78GY21lXH8=
Received: from DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) by DM2PR09MB0448.namprd09.prod.outlook.com (10.161.252.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.817.10; Tue, 3 Jan 2017 07:17:33 +0000
Received: from DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) by DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) with mapi id 15.01.0817.009; Tue, 3 Jan 2017 07:17:33 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Randy Bush <randy@psg.com>
Thread-Topic: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
Thread-Index: AQHSUmenE2EHhTbiU0q7IXrD4ZYx2aEfNZ3QgAB0ygCABtAc/A==
Date: Tue, 03 Jan 2017 07:17:32 +0000
Message-ID: <DM2PR09MB04468ABA2BB951F7C72C39AB846E0@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com> <CY1PR09MB0444EAC40C875F576A451F8F846B0@CY1PR09MB0444.namprd09.prod.outlook.com>, <m21swq730j.wl-randy@psg.com>
In-Reply-To: <m21swq730j.wl-randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.219.133]
x-ms-office365-filtering-correlation-id: 6d6b2d87-9cf7-4242-0053-08d433a8960e
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM2PR09MB0448;
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0448; 7:Ds8dV/MVZmF21C0ALz2jgbxgIpyhlLxne5mpF28tKFlFwbU2XeIzSGWFfWlYywlQpaz5TcSfwn6sNIkC+jCHVw4DoSC1DPXFO8Sc9NSYvCT6YWFxQM7UTsmdJUfP7cpY78QHiaX5e6KUHQ+NLM6In4OoHSU7ZV9EsImxM9Z3c4fjY1YGC+JV8FB5PVOxL9/juYiKGvGvvvYhDOOeXnUIVhm5MFvkJ1LN56p7lkqGulpnkoCXX9dvgLCIi2Q0hthkfDGAgwMGPgAi+l24IGHvhl5RuKKb/uUp4JLetGKAlhJKFPSS+YWSrgXQ4qilowq74wJyWMYvBOuc0g3pKlByPwEYlJF7EXgVCjXsaCJaqOiA/CavFW2+GfukkToJh8n+oByJR8MB2VIldD0tQSUAHzYYYHnryPeEXonZZdaYaxLwEVRBDXzm0/OmfdETHNEUZpXtBUcXPt+4N13scgxeMA==
x-microsoft-antispam-prvs: <DM2PR09MB0448537118A6419358C9DF39846E0@DM2PR09MB0448.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(6041248)(20161123564025)(20161123562025)(20161123555025)(20161123560025)(6072148); SRVR:DM2PR09MB0448; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0448;
x-forefront-prvs: 01762B0D64
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39410400002)(39850400002)(39840400002)(39450400003)(377454003)(189002)(199003)(81166006)(38730400001)(5660300001)(6506006)(110136003)(81156014)(99286003)(92566002)(3280700002)(8936002)(3660700001)(55016002)(189998001)(101416001)(7696004)(54906002)(6916009)(2900100001)(33656002)(66066001)(50986999)(25786008)(106116001)(102836003)(86362001)(9686002)(2950100002)(97736004)(68736007)(2906002)(54356999)(7736002)(230783001)(122556002)(229853002)(74316002)(305945005)(77096006)(105586002)(106356001)(6116002)(76176999)(8676002)(6436002)(3846002)(4326007); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0448; H:DM2PR09MB0446.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jan 2017 07:17:32.8793 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0448
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Wq5MJHvs6sry52F83Ax-z9bFXUU>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2017 07:17:38 -0000

>From: Randy Bush <randy@psg.com>
>Sent: Thursday, December 29, 2016 6:02 PM

>that is not the core of the problem.  the bgpsec protocol doc has to
>specifically say that the public AS upon receiving the update from the
>private AS
>  o if the private signed to the public, public should check sig, then
>    strip it and then might sign as the originating AS or might not.  on
>    what criteria does it decide?
>  o if the private did not sign, the public might sign or it might not.
>    on what criteria does it decide?

>as i said, once you burn that in, i will hack the ops doc

Does this change (in Section 7 in the document) work for you?

[OLD]

   It is possible that a stub customer of an ISP employs a private AS
   number.  Such a stub customer cannot publish a ROA in the global RPKI
   for the private AS number and the prefixes that they use.  Also, the
   stub customer cannot become a BGPsec speaker.  If a BGPsec speaker in
   the ISP's AS receives an announcement for a prefix from the stub
   customer and chooses to propagate it to BGPsec peers, then it MUST
   strip the private AS and re-originate the prefix.  In order to do
   this, the prefix MUST have a ROA authorizing the ISP's AS to
   originate it.

[NEW]

   It is possible that a stub customer of an ISP employs a private AS
   number.  Such a stub customer cannot publish a ROA in the global RPKI
   for the private AS number and the prefixes that they use.  Also, the
   global RPKI cannot support private AS numbers for issuing router
   certificates for eBGP routers in the private AS.  For interactions
   between the stub customer and the ISP, the following two scenarios
   are possible:

   1.  The stub customer sends an unsigned BGP update for a prefix to
       the ISP's AS.  An edge BGPsec speaker in the ISP's AS may choose
       to propagate the prefix to its non-BGPsec and BGPsec peers.  If
       so, the ISP's edge BGPsec speaker MUST strip the AS_PATH with the
       private AS number, and then (a) re-originate the prefix without
       any signatures towards its non-BGPsec peer and (b) re-originate
       the prefix including its own signature towards its BGPsec peer.
       In both cases (i.e. (a) and (b)), the prefix MUST have a ROA in
       the global RPKI authorizing the ISP's AS to originate it.

   2.  The ISP and the stub customer may use a local RPKI repository
       (using a mechanism such as described in [I-D.ietf-sidr-slurm]).
       Then there can be a ROA for the prefix originated by the sub AS,
       and the eBGP speaker in the stub AS can be a BGPsec speaker
       having a router certificate, albeit the ROA and router
       certificate are valid only locally.  With this arrangement, the
       stub AS sends a signed update for the prefix to the ISP's AS.  An
       edge BGPsec speaker in the ISP's AS validates the update using
       RPKI data based the local RPKI view.  Further, it may choose to
       propagate the prefix to its non-BGPsec and BGPsec peers.  If so,
       the ISP's edge BGPsec speaker MUST strip the Secure_Path and the
       Signature Segment received from the stub AS with the private AS
       number, and then (a) re-originate the prefix without any
       signatures towards its non-BGPsec peer and (b) re-originate the
       prefix including its own signature towards its BGPsec peer.  In
       both cases (i.e. (a) and (b)), the prefix MUST have a ROA in the
       global RPKI authorizing the ISP's AS to originate it.

Sriram

v2.23.0 | Report a Bug | By Email