Re: [sidr] Comment on draft-ietf-sidr-origin-validation-signaling-01

Pradosh Mohapatra <pmohapat@cisco.com> Tue, 15 November 2011 23:39 UTC

Return-Path: <pmohapat@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09FF611E8127 for <sidr@ietfa.amsl.com>; Tue, 15 Nov 2011 15:39:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4X5BLeIvQn-W for <sidr@ietfa.amsl.com>; Tue, 15 Nov 2011 15:39:35 -0800 (PST)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 8BCD011E8119 for <sidr@ietf.org>; Tue, 15 Nov 2011 15:39:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pmohapat@cisco.com; l=1505; q=dns/txt; s=iport; t=1321400375; x=1322609975; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=8UI7JBEvv1ZuSzOr0pH6s7zwOpVpAqYJYGIBtlnnHuE=; b=hUCEtQEHJs6s97a3qi/VNZOQovkhV7YrDmhH6Jp1X8KLt8aD93rNDOel stIZMVXOn4DW/5UkuFNv9v+gJUwBho5hWO7j/vabTXgvjwpjSaysSqrHs 7VSNjePzvxz9Y40LcHJeX9QU/7jkgRyCwXiDUqPbBG/7+kDun4WCHP/Xy s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAJz3wk6rRDoH/2dsb2JhbABDqXGBBYFyAQEBAwESASUCPwULC0ZXBicOh2CaOwGeTIkuYwSIE4wfhTuMYA
X-IronPort-AV: E=Sophos;i="4.69,517,1315180800"; d="scan'208";a="14438867"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-2.cisco.com with ESMTP; 15 Nov 2011 23:39:35 +0000
Received: from [10.155.34.168] ([10.155.34.168]) by mtv-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id pAFNdZiW032096; Tue, 15 Nov 2011 23:39:35 GMT
Mime-Version: 1.0 (Apple Message framework v1075.2)
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
From: Pradosh Mohapatra <pmohapat@cisco.com>
In-Reply-To: <74F0D6F4-EA7B-4B2E-B195-D34448CD4CDF@tcb.net>
Date: Tue, 15 Nov 2011 15:39:35 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <0A1020B9-07CB-4558-97C2-AE49AC9E8ED4@cisco.com>
References: <74F0D6F4-EA7B-4B2E-B195-D34448CD4CDF@tcb.net>
To: Danny McPherson <danny@tcb.net>
X-Mailer: Apple Mail (2.1075.2)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Comment on draft-ietf-sidr-origin-validation-signaling-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 23:39:36 -0000

Hi Danny,

Thanks for the comments.

> In general, I don't like the idea of using an extcomm community to  
> convey
> a prefixes validation state, I think we should deal with this  
> problem natively
> (e.g., as BGPSEC inter-domain) if we're going to address the  
> problem, in
> particular if we're not going to address the AS Confederations  
> problem.

Can you describe specific concerns you have with using extended  
community?
It does work with confederations.

> Furthermore, I don't like the deployment considerations, in  
> particular because
> of "privilege escalation attacks" which could easily occur through  
> misconfiguration
> across multiple attribute mapping functions, or simply because the  
> extcomm was
> received from an BGP peer that isn't "upgraded to support the  
> extensions
> defined in this document":
>
>   "In deployment scenarios where not all the speakers in an autonomous
>   system are upgraded to support the extensions defined in this
>   document, it is necessary to define policies that match on the  
> origin
>   validation extended community and set another BGP attribute
>   [I-D.ietf-sidr-pfx-validate] that influences the best path selection
>   the same way as what would have been enabled by an implementation of
>   this extension."

Do you have alternatives in mind for incremental deployment case?

> Finally, this should certainly a normative reference in the pfx- 
> validate draft.

Ack.

- Pradosh