IETF Logo Mail Archive

Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Wed, 18 January 2017 03:41 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3B4D1294B7; Tue, 17 Jan 2017 19:41:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Okr_s3VJ6D3o; Tue, 17 Jan 2017 19:41:15 -0800 (PST)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0116.outbound.protection.outlook.com [23.103.201.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1506127058; Tue, 17 Jan 2017 19:41:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=6AJ0Uw7ZMc/Xtoq9gJzqIEZKRajJSvMZZK8OGptxd7Q=; b=fUhpHhNJoKLS7QOEXFre9ao7uqL9ZzZtmj6VtKeQchRJUesK8aY7DwulR3Ch/4WuCWTUPwazPEs1FbOqh5o6eeNomKjJEXwBHXwYN3pz3x07KuoCwtfYbpuzViBQKJn5Vz48+QLgJqwHmCG1I3wH4KkKAWkbZCUCM97aTH/BVkk=
Received: from DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) by DM2PR09MB0445.namprd09.prod.outlook.com (10.161.252.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.845.12; Wed, 18 Jan 2017 03:41:12 +0000
Received: from DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) by DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) with mapi id 15.01.0845.013; Wed, 18 Jan 2017 03:41:12 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, "Alvaro Retana (aretana)" <aretana@cisco.com>
Thread-Topic: Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)
Thread-Index: AQHSZrizhvIT4qoXnkq4q8a0RO1mhqE28/SggAWh0ACAAE7JgIAAAWaAgADCZCE=
Date: Wed, 18 Jan 2017 03:41:12 +0000
Message-ID: <DM2PR09MB0446F7886A5185BF2D96CD6C847F0@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <148355465867.12949.10785749487953700357.idtracker@ietfa.amsl.com> <DM2PR09MB0446C09E1BE1CEE94D43852684780@DM2PR09MB0446.namprd09.prod.outlook.com> <B636DF13-0DAC-4DD9-876A-5AA02ECD4294@kuehlewind.net> <9B17A0C3-3430-4643-9D0C-B4554FF04510@cisco.com>, <1348EA28-8876-4B85-9F39-1AB74A5C6333@kuehlewind.net>
In-Reply-To: <1348EA28-8876-4B85-9F39-1AB74A5C6333@kuehlewind.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.222.227]
x-ms-office365-filtering-correlation-id: bdc7395e-c1f4-4b91-164c-08d43f53d962
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM2PR09MB0445;
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0445; 7:u+As5K6nw+FyOCEuEhWtLKpKksVGCAUoWhtCL6qvoMc+4XtX/4APQef9iqcHA4xJWOHaCn6EZxX3tnBSfSoIwsQT0YILdvxQOwuhVe9OkGx/HG5P3kYybju9JFQ9JQkKfxxFbZonwfzhsSoQqcgdZvVL4Z884RxbM9tDlEQtTHodZinqlQZ7ICqGkQf0zg3lc4vweK3uyedpHr66854PPDj5TJjpplFzqEJkRHzDet/XhBQtECwjW6Otc1CLhUS3pJc5sUF+Sv8qVR6xcTpkP7xeS6kF6sgah+vDht/1APFLx2BKuYOgD9FIp6RyeO9pkfW6hl9gjs+5aigGxujsD68btO16PAMoX7Bx7B5LuNZayHYVploJ0zFtuOs8XOWJaY2Df/7INaWM9WeDC1idRZZOY1yMr9wEr0k3+vmRIr8r4D7Vq2Ga22Ut7JnKHwkjPtj+PygtGlW8URL7wk/hJg==
x-microsoft-antispam-prvs: <DM2PR09MB0445B2BCCC14A93DA988FD6D847F0@DM2PR09MB0445.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(95692535739014);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(6041248)(20161123560025)(20161123564025)(20161123555025)(20161123562025)(6072148); SRVR:DM2PR09MB0445; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0445;
x-forefront-prvs: 01917B1794
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39840400002)(39450400003)(39860400002)(39850400002)(39410400002)(189002)(377454003)(199003)(51914003)(24454002)(53936002)(4326007)(189998001)(2906002)(55016002)(5001770100001)(54906002)(97736004)(33656002)(2900100001)(81156014)(5660300001)(6436002)(99286003)(9686003)(66066001)(77096006)(92566002)(8666007)(229853002)(6506006)(38730400001)(230783001)(54356999)(76176999)(8936002)(93886004)(50986999)(86362001)(101416001)(7696004)(3280700002)(3660700001)(74316002)(224313004)(102836003)(6116002)(25786008)(105586002)(7736002)(68736007)(3900700001)(122556002)(3846002)(224303003)(106116001)(81166006)(106356001)(2950100002)(305945005); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0445; H:DM2PR09MB0446.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jan 2017 03:41:12.6761 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0445
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/_O-DbJfWaAIWm2cgCC4629KvV1U>
Cc: "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, Alexey Melnikov <aamelnikov@fastmail.fm>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, The IESG <iesg@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, Matthias Waehlisch <m.waehlisch@fu-berlin.de>
Subject: Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 03:41:18 -0000

Hi Mirja,

>thanks for the very clear clarification. 
>Not sure if it’s just me or if that’s not clearly stated 
>in the draft, but maybe it would be worth it double-checking.

The draft says the following which covey it (IMO):

Section 2.2, p.5

BGP update messages without the BGPsec_Path attribute MAY be
   sent within a session regardless of whether or not the use of BGPsec
   is successfully negotiated. 

#Sriram: BGP update messages without the BGPsec_Path attribute 
== Traditional BGP update message with AS_PATH
(I should make that substitution in the document for clarity.) 

Top of Section 4.4:

   BGPsec update messages do not contain the AS_PATH attribute.
   However, the AS_PATH attribute can be reconstructed from the
   BGPsec_Path attribute.  This is necessary in the case where a route
   advertisement is received via a BGPsec update message and then
   propagated to a peer via a non-BGPsec update message (e.g., because
   the latter peer does not support BGPsec).

Section 7, p 32. 

   How will migration from BGP to BGPsec look like?  What are the
   benefits for the first adopters?  Initially small groups of
   contiguous ASes would be doing BGPsec.  There would be possibly one
   or more such groups in different geographic regions of the global
   Internet.  Only the routes originated within each group and
   propagated within its borders would get the benefits of cryptographic
   AS path protection.  As BGPsec adoption grows, each group grows in
   size and eventually they join together to form even larger BGPsec
   capable groups of contiguous ASes.  The benefit for early adopters
   starts with AS path security within the contiguous-AS regions spanned
   by their respective groups.  Over time they would see those
   contiguous-AS regions grow much larger.

But I'll see if Alvaro's wording can be additionally 
folded into the document in an appropriate place.

Thank you.

Sriram

________________________________________
From: Mirja Kuehlewind (IETF) <ietf@kuehlewind.net>
Sent: Tuesday, January 17, 2017 10:52 AM
To: Alvaro Retana (aretana)
Cc: Sriram, Kotikalapudi (Fed); draft-ietf-sidr-bgpsec-protocol@ietf.org; Alexey Melnikov; sidr-chairs@ietf.org; The IESG; sidr@ietf.org; Matthias Waehlisch
Subject: Re: Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)

Hi Alvaro,

thanks for the very clear clarification. Not sure if it’s just me or if that’s not clearly stated in the draft, but maybe it would be worth it double-checking.

Mirja


> Am 17.01.2017 um 16:47 schrieb Alvaro Retana (aretana) <aretana@cisco.com>:
>
> Mirja:
>
> Hi!
>
> If an AS in the path doesn’t support BGPsec, then BGP goes back to “normal” mode (as in before BGPsec), and the assurance that the “update propagated via the sequence of ASes listed” is lost.  In other words, from the origin AS to the AS before the one not supporting BGPsec, we can still provide the assurance, but not beyond that – so any AS including and beyond the one not supporting BGPsec won’t be able to verify anything.
>
> Alvaro.
>
>
>
>
>> On 1/17/17, 6:05 AM, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> wrote:
>>
>> Hi Sriram,
>>
>> thanks for your reply. That’s all fine. I really didn’t expect any protocol changes at this late stage of the draft but wanted at least to know if these points were previously discussed. Also happy to see that some parts where discussed with Ross.
>>
>> One final question (related to point 4): What happens if one router on the path does not support/understand BGPsec? Sorry, if that is a stupid question but it’s still not fully clear to me from the draft…
>>
>> Mirja
>>> …
>>> > 4) section 8.1 says "the recipient of a valid BGPsec update message is assured that the update propagated via the sequence of ASes listed in the Secure_Path portion of the BGPsec_Path attribute."
>>> > Is that true? It is assured that at least these ASes have been crossed but there might have been others on the path that did not sign the BGPsec_Path attribute, no?
>>>
>>>
>>> [Sriram] Yes, it is true. Each AS in the path MUST sign to the next AS (Target AS). Section 3.1 says:
>>>
>>>
>>>     The Secure_Path contains one Secure_Path Segment (see Figure 5) for
>>>     each Autonomous System in the path to the originating AS of the
>>>     prefix specified in the update message.
>>>
>>>
>>> [Sriram] Also, Section 3.2 says:
>>>
>>>
>>>     A Signature_Block in Figure 6 has exactly one Signature Segment (see
>>>     Figure 7) for each Secure_Path Segment in the Secure_Path portion of
>>>     the BGPsec_Path Attribute.
>>>
>>>
>>>
>>> [Sriram] The following check listed in Section 5.2 make it clear as well:
>>>
>>>
>>>     3.  Check that each Signature_Block contains one Signature segment
>>>         for each Secure_Path Segment in the Secure_Path portion of the
>>>         BGPsec_Path attribute.  (Note that the entirety of each
>>>         Signature_Block must be checked to ensure that it is well formed,
>>>         even though the validation process may terminate before all
>>>         signatures are cryptographically verified.)
>>>
>>>
>>

v2.23.0 | Report a Bug | By Email