Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-validate-02.txt
Roque Gagliano <rogaglia@cisco.com> Wed, 03 August 2011 10:05 UTC
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 606CC21F8B48 for <sidr@ietfa.amsl.com>; Wed, 3 Aug 2011 03:05:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9ybsxb1+xAN for <sidr@ietfa.amsl.com>; Wed, 3 Aug 2011 03:05:56 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 0D73821F8AFC for <sidr@ietf.org>; Wed, 3 Aug 2011 03:05:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=8346; q=dns/txt; s=iport; t=1312365967; x=1313575567; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=0UA716Xv4aW/wEPJzEAlZh7XeVNjU0tElw0Winr2OUE=; b=UO3fUAMOwVyJAVJ+9+L9+4EUZsPXqdYRQsZqVReb/CvcDFc2+7c5UuVK Q1AAuuzq6eXqWHTPI9EY70f2ndSXzYZpcErfMrQdvSDGgYfU6ecm1vOK7 fhIdTqlqg9XriBcda1kTloo4DH31HDSPJHyhOly5wZzMK/eJtstlIdUjU Y=;
X-Files: smime.p7s : 4389
X-IronPort-AV: E=Sophos; i="4.67,309,1309737600"; d="p7s'?scan'208"; a="106446754"
Received: from ams-core-1.cisco.com ([144.254.72.81]) by ams-iport-1.cisco.com with ESMTP; 03 Aug 2011 10:03:33 +0000
Received: from dhcp-144-254-20-178.cisco.com (dhcp-144-254-20-178.cisco.com [144.254.20.178]) by ams-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p73A3WBN006903; Wed, 3 Aug 2011 10:03:32 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary="Apple-Mail-41--948842138"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <A353E38F-0E81-40DA-A9B0-0166EA5DDD45@cisco.com>
Date: Wed, 03 Aug 2011 12:03:24 +0200
Message-Id: <8C46CE12-AA87-4DD2-B6A8-731D8AB72045@cisco.com>
References: <20110711215154.14120.98609.idtracker@ietfa.amsl.com> <DD9DA398-4853-4F2D-8CA7-A7C58B5E26F3@cisco.com> <39DD9BDD-C1A8-43B3-9A69-CA8DB1E3E685@cisco.com> <AE4B4C50-C4CE-48A2-9AA4-D81F5CA88735@cisco.com> <A353E38F-0E81-40DA-A9B0-0166EA5DDD45@cisco.com>
To: Pradosh Mohapatra <pmohapat@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-validate-02.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2011 10:05:57 -0000
Hi Pradosh, (skiping) >> Section 2: >> "An AS can originate more than one >> prefix set. Thus, multiple prefix sets in the database can contain >> the same origin AS(es)." >> >> I believe you also need to mention that in the table there may be "multi-origin prefixes". Geoff report identifies 2400 but you may find more in local/regional environments (http://bgp.potaroo.net/as6447/report.txt). > > I looked at the document again and I see many places where we say there can be multiple origin ASes for the prefix. E.g.: > > we define terms "UPDATE prefix" and "UPDATE origin > AS number" to denote the values derived from the received UPDATE message, and > "database prefix set" and "database origin AS number set" to mean the values > derived from the database lookup. > > where it's defined as "database origin AS number set" instead of just an AS number. > Ok. I got it now. >> >> Section 5: >> p5: >> I believe you should reference draft-ietf-sidr-origin-validation-signaling-00 > > Ack > >> Security Consideration: >> I think you need to consider what you already mentioned in section 4, if the connectivity to the local-caches is lost, invalid routes will be classified as "not-found", which could have a different set of local policies. > > Is this different from current behavior? Not sure what do you refer for "current behavior". My point was that in the security considerations you should point to the analysis in Section 4 on loosing connectivity to the cache servers. Example: Router set loc-pref 100 for "valid" and loc-pref 50 for "not-found". If the router looses connectivity with caches, either by operational issues or by malicious event (on the cache/ the router or the network between the two), the set of prefixes that should be "valid" based on RPKI will be classified as "not found" and loc-pref set to 50. Roque > > - Pradosh
- [sidr] I-D Action: draft-ietf-sidr-pfx-validate-0… internet-drafts
- [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-valid… Pradosh Mohapatra
- Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-v… Randy Bush
- Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-v… Roque Gagliano
- Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-v… Pradosh Mohapatra
- Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-v… Roque Gagliano
- Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-v… Pradosh Mohapatra
- Re: [sidr] Fwd: I-D Action: draft-ietf-sidr-pfx-v… Roque Gagliano