IETF Logo Mail Archive

Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Wed, 21 December 2016 17:47 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB9711294BD; Wed, 21 Dec 2016 09:47:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 49GGvcRWAsSk; Wed, 21 Dec 2016 09:47:05 -0800 (PST)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0122.outbound.protection.outlook.com [23.103.201.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEC0D1293DB; Wed, 21 Dec 2016 09:47:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=g2mN48a33DoYfCvMVawzf4iTCGLto3GkkKMX/RoHZM8=; b=MKyT9KGjzDzdqvPFB8XfccDg1M2XHxuxXnRHvyNsM9Ylsh4BIu/UUj6lg7vZutXhDD0APuij8JRqML9lTJ6MG29V+rfb7H3mThwT7nNtcDwwPm98czU4lQc55YopdpQ3qTP4tayX+bxzhGfWcxDeq6s3eJ6FBCFh0d/Gh5AncnU=
Received: from DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) by DM2PR09MB0448.namprd09.prod.outlook.com (10.161.252.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.789.14; Wed, 21 Dec 2016 17:47:03 +0000
Received: from DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) by DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) with mapi id 15.01.0789.018; Wed, 21 Dec 2016 17:47:03 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>, "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "keyur@arrcus.com" <keyur@arrcus.com>
Thread-Topic: Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
Thread-Index: AQHSUmenE2EHhTbiU0q7IXrD4ZYx2aEF0Iz4gAN2lwCACDChKIABJNo0
Date: Wed, 21 Dec 2016 17:47:03 +0000
Message-ID: <DM2PR09MB0446772C784D57BE2A005E1284930@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com> <DM2PR09MB04460DC9A23E1F58AEE629BF849B0@DM2PR09MB0446.namprd09.prod.outlook.com>, <98186E08-8CAC-4EB0-9E84-BBABACC43678@cisco.com>, <DM2PR09MB044634DCE6C5D55112DDEF6384900@DM2PR09MB0446.namprd09.prod.outlook.com>
In-Reply-To: <DM2PR09MB044634DCE6C5D55112DDEF6384900@DM2PR09MB0446.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.219.26]
x-ms-office365-filtering-correlation-id: b3cc05cf-aabc-4e8d-1749-08d429c95fc6
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM2PR09MB0448;
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0448; 7:NVkt5/BfYvP3p0j0oFo2i3/iJM5dJ2lGT83JPmpGmrw2rPYCQXTb28osxBPNDOfGusB8iKibPym2NzZfrYrlUC/cGi6JRxiTkPjn4e37D41dV3WBfJnxuExX7ZRdHreChmKTB9c6CkzogQXY+g7XxXBgjpvRO+bULmQo9y8Tql197qqqmYezeIT8zfsdCX9xH+uy5G5EUdumV8/w6OsbUBrI2KixbS0a8fmmsEtHlve0N884c/hndONM84QrrIUg/tPu1bOoAe5sjIUab+eoCG6eomaOrAJksqcj3e/Wit9gwSAjxZnQONmfWmF9JeTse9cfhUzj/2pg5WlNp4bKMOr1nAdUivgDGlJcy3viNG1RCPbVLLHbGOSHMsPgQezhIzpoPinZNozBshOCcTPfU7Ot2kM40ImKni1MQXkLz8Tskc/LT/naBZF8Xgr+lV97lWUV2A/GxCSupauFNl1Esw==
x-microsoft-antispam-prvs: <DM2PR09MB04484103F2A9940BDBD6A72684930@DM2PR09MB0448.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(6041248)(20161123555025)(20161123562025)(20161123564025)(20161123560025)(6072148); SRVR:DM2PR09MB0448; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0448;
x-forefront-prvs: 01630974C0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39860400002)(39450400003)(39840400002)(39850400002)(39410400002)(199003)(189002)(102836003)(86362001)(93886004)(101416001)(2950100002)(66066001)(76576001)(6606003)(68736007)(5660300001)(33656002)(7696004)(8676002)(3846002)(6116002)(230783001)(2501003)(76176999)(81156014)(81166006)(122556002)(2906002)(4326007)(9686002)(50986999)(54356999)(2201001)(5001770100001)(2900100001)(92566002)(19627405001)(8936002)(189998001)(106116001)(99286002)(106356001)(105586002)(6506006)(3660700001)(74316002)(3280700002)(77096006)(7736002)(7906003)(97736004)(6436002)(38730400001)(606005)(25786008)(229853002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0448; H:DM2PR09MB0446.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM2PR09MB0446772C784D57BE2A005E1284930DM2PR09MB0446namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Dec 2016 17:47:03.6163 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0448
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/cGE8zf3Auqu0CtvbuYFsa22oa70>
Cc: Matthias Waehlisch <m.waehlisch@fu-berlin.de>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 17:47:12 -0000

Hi Alvaro,



I said in my previous post:

"(2) It also keeps confed ASes from failing to validate properly the signature injected at the boundary."




I retract my observation that the document had a problem in that

"confed ASes fail to validate properly the signature injected at the boundary."

The document does not have that problem. My apologies for not being careful earlier.

Confed ASes do validate properly the signature injected at the boundary :)

Because the document says the following in Section 4.3 (page 18):



When validating a received BGPsec update message, confederation
   members need to make the following adjustment to the algorithm
   presented in Section 5.2<https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-20#section-5.2>.  When a confederation member processes
   (validates) a Signature Segment and its corresponding Secure_Path
   Segment, the confederation member must note the following.  For a
   signature produced by a peer BGPsec speaker outside of a
   confederation, the 'Target AS Number' will always be the AS
   Confederation Identifier (the public AS number of the confederation)
   as opposed to the Member-AS Number.


So let us focus back on only your original concern.
If we need the solution of "confed AS signing to itself with  pCount = 0",
it would be only to address your original concern of an apparent discontinuity.
I looked at the implications of the solution once again.
While it may be easy to describe it in terms of sender actions,
the solution would have ripple effects in several places in the document.


So I wish to take another fresh look at your concern with your help,
and try to understand if there isn't another way to address it.


The example scenario is:
AS1 -> AS2/AS65001 -> AS65002/AS2 -> AS3 (AS2 is the Confederation ID and AS65001 and AS65002 are Members)


With the current specification, we have the following sequence of signed updates:
(Notation: (S-i-j) means signature from AS i to AS j,
P is the prefix; and most recent AS appears in the right most position)


#1  AS1 to AS2/AS65001:  P [AS1 {(S-1-2)}]


#2  AS2/AS65001 to AS2/AS65002:  P [AS1, AS65001 {(S-1-2), (S-65001-65002)}],


#3  AS2/AS65002 to AS3:  P [AS1, AS2, {(S-1-2), ( S-2-3)}]
(Secure_Path Segment and Signature within the confed are stripped)


The discontinuity you are concerned about is in the middle (2nd) update above, i.e.,
the first signature is from AS1 to AS2 while the second signature is from AS65001 to AS65002.
Am I right?


But then you have observed the following earlier:


"Well, the PE with both AS2 and AS65001 *is* both AS2 *and* AS65001...so I don't see it as a proxy."
https://www.ietf.org/mail-archive/web/sidr/current/msg08107.html


Given this observation, would you accept that there is no discontinuity in update #2 above
since AS65001 is AS2?


If this is acceptable, then can we assert that the security guarantee is Section 8.1
is good inside confederations as well with the understanding that each member AS
is also the public AS of the confed? For instance, AS65002 is cognizant that
AS65001 is also AS2. So AS65002 does not see a discontinuity.


Thank you.


Sriram

v2.23.0 | Report a Bug | By Email