Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)
"Alvaro Retana (aretana)" <aretana@cisco.com> Tue, 17 January 2017 15:47 UTC
Return-Path: <aretana@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6709E12947A; Tue, 17 Jan 2017 07:47:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.72
X-Spam-Level:
X-Spam-Status: No, score=-17.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5G_CoDDWb-R; Tue, 17 Jan 2017 07:47:27 -0800 (PST)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 375F61294CD; Tue, 17 Jan 2017 07:47:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15036; q=dns/txt; s=iport; t=1484668047; x=1485877647; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=ow5DlVoPt9ki4dBSdNSKZM1G+zLEU1UzgxVUHgmfp/c=; b=ELFsjp8lpllaZQ4vihOf4kvTRps6BYMSxHXGntJY3QiedeMIGWT0dbEz atEgYaGSNaK9wy0SfTPRtF/MXFvQzc2SwRyFSCUgxAkCAkzupOJ8pqrM9 KtvCDEycS0XVwXQtWBxT1j2aji4hXH/CifTrtX50uVLu4a1HHNn66FhFO w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ArAQBDO35Y/5JdJa1dGQEBAQEBAQEBAQEBBwEBAQEBgm9KAQEBAQEfX4EJB4NKigeReR+QAVCCTIIPgguGIgIagXg/GAECAQEBAQEBAWMohGoBBAEjUQUFCwIBCD8DAgICMBQGCwIEDgUfiFwIrzmCJSuJWQEBAQEBAQEBAQEBAQEBAQEBAQEBAR2GRYICCIJdh04tgjEFlS+GCwGRXoF3jnaIGopRAR84gUQVSgGEJhwYgUdzhh0rgQOBDQEBAQ
X-IronPort-AV: E=Sophos;i="5.33,245,1477958400"; d="scan'208,217";a="373653448"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Jan 2017 15:47:26 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id v0HFlQdv021630 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 17 Jan 2017 15:47:26 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 17 Jan 2017 09:47:25 -0600
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1210.000; Tue, 17 Jan 2017 09:47:25 -0600
From: "Alvaro Retana (aretana)" <aretana@cisco.com>
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Thread-Topic: Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)
Thread-Index: AQHScLGgbhRfSiDCEU+RaxlXyOSsTqE84V2A
Date: Tue, 17 Jan 2017 15:47:25 +0000
Message-ID: <9B17A0C3-3430-4643-9D0C-B4554FF04510@cisco.com>
References: <148355465867.12949.10785749487953700357.idtracker@ietfa.amsl.com> <DM2PR09MB0446C09E1BE1CEE94D43852684780@DM2PR09MB0446.namprd09.prod.outlook.com> <B636DF13-0DAC-4DD9-876A-5AA02ECD4294@kuehlewind.net>
In-Reply-To: <B636DF13-0DAC-4DD9-876A-5AA02ECD4294@kuehlewind.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1d.0.161209
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.117.15.3]
Content-Type: multipart/alternative; boundary="_000_9B17A0C3343046439D0CB4554FF04510ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/_QEf209rm6oqku7LUEOiZb9IA5Q>
Cc: "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, Alexey Melnikov <aamelnikov@fastmail.fm>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, The IESG <iesg@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, Matthias Waehlisch <m.waehlisch@fu-berlin.de>
Subject: Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-protocol-21: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2017 15:47:34 -0000
Mirja:
Hi!
If an AS in the path doesn’t support BGPsec, then BGP goes back to “normal” mode (as in before BGPsec), and the assurance that the “update propagated via the sequence of ASes listed” is lost. In other words, from the origin AS to the AS before the one not supporting BGPsec, we can still provide the assurance, but not beyond that – so any AS including and beyond the one not supporting BGPsec won’t be able to verify anything.
Alvaro.
On 1/17/17, 6:05 AM, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net<mailto:ietf@kuehlewind.net>> wrote:
Hi Sriram,
thanks for your reply. That’s all fine. I really didn’t expect any protocol changes at this late stage of the draft but wanted at least to know if these points were previously discussed. Also happy to see that some parts where discussed with Ross.
One final question (related to point 4): What happens if one router on the path does not support/understand BGPsec? Sorry, if that is a stupid question but it’s still not fully clear to me from the draft…
Mirja
…
> 4) section 8.1 says "the recipient of a valid BGPsec update message is assured that the update propagated via the sequence of ASes listed in the Secure_Path portion of the BGPsec_Path attribute."
> Is that true? It is assured that at least these ASes have been crossed but there might have been others on the path that did not sign the BGPsec_Path attribute, no?
[Sriram] Yes, it is true. Each AS in the path MUST sign to the next AS (Target AS). Section 3.1 says:
The Secure_Path contains one Secure_Path Segment (see Figure 5) for
each Autonomous System in the path to the originating AS of the
prefix specified in the update message.
[Sriram] Also, Section 3.2 says:
A Signature_Block in Figure 6 has exactly one Signature Segment (see
Figure 7) for each Secure_Path Segment in the Secure_Path portion of
the BGPsec_Path Attribute.
[Sriram] The following check listed in Section 5.2 make it clear as well:
3. Check that each Signature_Block contains one Signature segment
for each Secure_Path Segment in the Secure_Path portion of the
BGPsec_Path attribute. (Note that the entirety of each
Signature_Block must be checked to ensure that it is well formed,
even though the validation process may terminate before all
signatures are cryptographically verified.)
- [sidr] Mirja Kühlewind's No Objection on draft-ie… Mirja Kuehlewind
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Alexey Melnikov
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Mirja Kuehlewind (IETF)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Alvaro Retana (aretana)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Mirja Kuehlewind (IETF)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Alvaro Retana (aretana)
- Re: [sidr] Mirja Kühlewind's No Objection on draf… Sriram, Kotikalapudi (Fed)