Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
Randy Bush <randy@psg.com> Wed, 04 January 2017 03:04 UTC
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBEED129B33 for <sidr@ietfa.amsl.com>; Tue, 3 Jan 2017 19:04:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.001
X-Spam-Level:
X-Spam-Status: No, score=-10.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nrABVIdNoJZ4 for <sidr@ietfa.amsl.com>; Tue, 3 Jan 2017 19:04:53 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D05CB12952B for <sidr@ietf.org>; Tue, 3 Jan 2017 19:04:53 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com) by ran.psg.com with esmtp (Exim 4.86_2) (envelope-from <randy@psg.com>) id 1cObsh-0006xb-CD; Wed, 04 Jan 2017 03:04:51 +0000
Date: Wed, 04 Jan 2017 12:04:50 +0900
Message-ID: <m260lvmsod.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
In-Reply-To: <DM2PR09MB04468ABA2BB951F7C72C39AB846E0@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com> <CY1PR09MB0444EAC40C875F576A451F8F846B0@CY1PR09MB0444.namprd09.prod.outlook.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.5 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/_u6Kcvd3oz6as_SLVn4tgvRH1Xo>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 03:04:55 -0000
>> that is not the core of the problem. the bgpsec protocol doc has to >> specifically say that the public AS upon receiving the update from the >> private AS >> o if the private signed to the public, public should check sig, then >> strip it and then might sign as the originating AS or might not. on >> what criteria does it decide? >> o if the private did not sign, the public might sign or it might not. >> on what criteria does it decide? > >> as i said, once you burn that in, i will hack the ops doc > > Does this change (in Section 7 in the document) work for you? > > [OLD] > > It is possible that a stub customer of an ISP employs a private AS > number. Such a stub customer cannot publish a ROA in the global RPKI > for the private AS number and the prefixes that they use. Also, the > stub customer cannot become a BGPsec speaker. If a BGPsec speaker in > the ISP's AS receives an announcement for a prefix from the stub > customer and chooses to propagate it to BGPsec peers, then it MUST > strip the private AS and re-originate the prefix. In order to do > this, the prefix MUST have a ROA authorizing the ISP's AS to > originate it. > > [NEW] > > It is possible that a stub customer of an ISP employs a private AS > number. Such a stub customer cannot publish a ROA in the global RPKI > for the private AS number and the prefixes that they use. Also, the > global RPKI cannot support private AS numbers for issuing router > certificates for eBGP routers in the private AS. For interactions > between the stub customer and the ISP, the following two scenarios > are possible: > > 1. The stub customer sends an unsigned BGP update for a prefix to > the ISP's AS. An edge BGPsec speaker in the ISP's AS may choose > to propagate the prefix to its non-BGPsec and BGPsec peers. If > so, the ISP's edge BGPsec speaker MUST strip the AS_PATH with the > private AS number, and then (a) re-originate the prefix without > any signatures towards its non-BGPsec peer and (b) re-originate > the prefix including its own signature towards its BGPsec peer. > In both cases (i.e. (a) and (b)), the prefix MUST have a ROA in > the global RPKI authorizing the ISP's AS to originate it. > > 2. The ISP and the stub customer may use a local RPKI repository > (using a mechanism such as described in [I-D.ietf-sidr-slurm]). > Then there can be a ROA for the prefix originated by the sub AS, > and the eBGP speaker in the stub AS can be a BGPsec speaker > having a router certificate, albeit the ROA and router > certificate are valid only locally. With this arrangement, the > stub AS sends a signed update for the prefix to the ISP's AS. An > edge BGPsec speaker in the ISP's AS validates the update using > RPKI data based the local RPKI view. Further, it may choose to > propagate the prefix to its non-BGPsec and BGPsec peers. If so, > the ISP's edge BGPsec speaker MUST strip the Secure_Path and the > Signature Segment received from the stub AS with the private AS > number, and then (a) re-originate the prefix without any > signatures towards its non-BGPsec peer and (b) re-originate the > prefix including its own signature towards its BGPsec peer. In > both cases (i.e. (a) and (b)), the prefix MUST have a ROA in the > global RPKI authorizing the ISP's AS to originate it. i am easily confused. can this be said with significantly less words so i have a chance to actually understand it? randy
- [sidr] Confederations and Private ASNs (WAS: AD R… Alvaro Retana (aretana)
- Re: [sidr] Confederations and Private ASNs (WAS: … Sriram, Kotikalapudi (Fed)
- Re: [sidr] Confederations and Private ASNs (WAS: … Alvaro Retana (aretana)
- Re: [sidr] Confederations and Private ASNs (WAS: … Sriram, Kotikalapudi (Fed)
- Re: [sidr] Confederations and Private ASNs (WAS: … Alvaro Retana (aretana)
- Re: [sidr] Confederations and Private ASNs (WAS: … Sriram, Kotikalapudi (Fed)
- Re: [sidr] Confederations and Private ASNs (WAS: … Alvaro Retana (aretana)
- Re: [sidr] Confederations and Private ASNs (WAS: … Randy Bush
- Re: [sidr] Confederations and Private ASNs (WAS: … Sriram, Kotikalapudi (Fed)
- Re: [sidr] Confederations and Private ASNs (WAS: … Randy Bush
- Re: [sidr] Confederations and Private ASNs (WAS: … Randy Bush
- Re: [sidr] Confederations and Private ASNs (WAS: … Borchert, Oliver (Fed)
- Re: [sidr] Confederations and Private ASNs (WAS: … Sriram, Kotikalapudi (Fed)
- Re: [sidr] Confederations and Private ASNs (WAS: … David Farmer
- Re: [sidr] Confederations and Private ASNs (WAS: … Randy Bush