IETF Logo Mail Archive

Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)

"Alvaro Retana (aretana)" <aretana@cisco.com> Wed, 21 December 2016 19:28 UTC

Return-Path: <aretana@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DFCF129580; Wed, 21 Dec 2016 11:28:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.621
X-Spam-Level:
X-Spam-Status: No, score=-17.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BMf0wv0M0Hhs; Wed, 21 Dec 2016 11:28:35 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AAE71298CF; Wed, 21 Dec 2016 11:28:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19240; q=dns/txt; s=iport; t=1482348509; x=1483558109; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=latnrnCLQg8ejf7+nV9Ujv0n10dhSZnO7fSoWVKiIoU=; b=NhtRp8FOejiU6dKO3Knr1NC+PWbN/68fDwVXotS6Zo9V0du+RcSl5z/T b9nkfMTJz8xJWyyZIhz961hHuD8z0mD3w8B8N+34zkWHnKflIWVUn9GIA 0ttRq32PWaqyX2ZfukQkGtVdwQcPlCCbtcKv+cWMtYOq4tAVBGQh+YBb1 E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AfAQAj11pY/5pdJa1dGQEBAQEBAQEBAQEBBwEBAQEBgnFEAQEBAQEfXIEIB41Kpj2FJoIKKoV4AhqBRD8UAQIBAQEBAQEBYiiEaQYjBFIQAgEIQgICAjAlAgQBDQUbiFEOqEGBbDwvilEBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYY2gX2CXIQjAQEygm0tgjAFlQeFcAGROIF1jlyHeYo5AR83gSo8AYNWHBiBRXIBhhwNFweBA4ENAQEB
X-IronPort-AV: E=Sophos;i="5.33,384,1477958400"; d="scan'208,217";a="185990793"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Dec 2016 19:28:28 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id uBLJSStY012534 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 21 Dec 2016 19:28:28 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 21 Dec 2016 13:28:27 -0600
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1210.000; Wed, 21 Dec 2016 13:28:27 -0600
From: "Alvaro Retana (aretana)" <aretana@cisco.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "keyur@arrcus.com" <keyur@arrcus.com>
Thread-Topic: Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
Thread-Index: AQHSUmenE2EHhTbiU0q7IXrD4ZYx2aEF0Iz4gAN2lwCACDChKIABJNo0gABQJIA=
Date: Wed, 21 Dec 2016 19:28:27 +0000
Message-ID: <F318D2E5-0A4A-430F-BDC1-7C8AAF96C68B@cisco.com>
References: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com> <DM2PR09MB04460DC9A23E1F58AEE629BF849B0@DM2PR09MB0446.namprd09.prod.outlook.com> <98186E08-8CAC-4EB0-9E84-BBABACC43678@cisco.com> <DM2PR09MB044634DCE6C5D55112DDEF6384900@DM2PR09MB0446.namprd09.prod.outlook.com> <DM2PR09MB0446772C784D57BE2A005E1284930@DM2PR09MB0446.namprd09.prod.outlook.com>
In-Reply-To: <DM2PR09MB0446772C784D57BE2A005E1284930@DM2PR09MB0446.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1d.0.161209
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.117.15.4]
Content-Type: multipart/alternative; boundary="_000_F318D2E50A4A430FBDC17C8AAF96C68Bciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/coNsGYJQlt7GdLjOYdKEwWqAVhU>
Cc: Matthias Waehlisch <m.waehlisch@fu-berlin.de>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 19:28:38 -0000

On 12/21/16, 12:47 PM, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> wrote:



Sriram:



Hi!



| I said in my previous post:

| "(2) It also keeps confed ASes from failing to validate properly the signature injected at the boundary."

|

| I retract my observation…

…

|

| So let us focus back on only your original concern.

| If we need the solution of "confed AS signing to itself with  pCount = 0",

| it would be only to address your original concern of an apparent discontinuity.

| I looked at the implications of the solution once again.

| While it may be easy to describe it in terms of sender actions,

| the solution would have ripple effects in several places in the document.

|

| So I wish to take another fresh look at your concern with your help,

| and try to understand if there isn't another way to address it.

|

| The example scenario is:

| AS1 -> AS2/AS65001 -> AS65002/AS2 -> AS3 (AS2 is the Confederation ID and AS65001 and AS65002 are Members)

|

| With the current specification, we have the following sequence of signed updates:

| (Notation: (S-i-j) means signature from AS i to AS j,

| P is the prefix; and most recent AS appears in the right most position)

|

| #1  AS1 to AS2/AS65001:  P [AS1 {(S-1-2)}]

|

| #2  AS2/AS65001 to AS2/AS65002:  P [AS1, AS65001 {(S-1-2), (S-65001-65002)}],

|

| #3  AS2/AS65002 to AS3:  P [AS1, AS2, {(S-1-2), ( S-2-3)}]

| (Secure_Path Segment and Signature within the confed are stripped)

|

| The discontinuity you are concerned about is in the middle (2nd) update above, i.e.,

| the first signature is from AS1 to AS2 while the second signature is from AS65001 to AS65002.

| Am I right?



Yes.





| But then you have observed the following earlier:

|

| "Well, the PE with both AS2 and AS65001 *is* both AS2 *and* AS65001…so I don’t see it as a proxy."

| https://www.ietf.org/mail-archive/web/sidr/current/msg08107.html

|

| Given this observation, would you accept that there is no discontinuity in update #2 above

| since AS65001 is AS2?

|

| If this is acceptable, then can we assert that the security guarantee is Section 8.1

| is good inside confederations as well with the understanding that each member AS

| is also the public AS of the confed? For instance, AS65002 is cognizant that

| AS65001 is also AS2. So AS65002 does not see a discontinuity.



No, it is not ok to me.



Even though in theory all the routers in a confederation know the confederation ID, in practice the only reason that it is needed is if an external (to the confederation) peering session exists in that member AS.  In other words, it is possible to configure a router to be an “internal” member (i.e. not having any external-to-the-confederation peers) by only indicating the confederation peers and not the confederation ID.



For example, extending the network above:



AS1 -> AS2/AS65001 -> AS65003 -> AS65004 -> AS65002/AS2 -> AS3

(AS2 is the Confederation ID and AS65001, AS65002 AS65003, AS65004 are Members)



In this network AS65003 (for example) only needs to know (i.e. be configured) that AS65001 and AS65004 as confederation peers, and not the specific knowledge of which is the confederation ID.  In fact, if AS65003 was configured with the wrong confederation ID (AS4, for example), everything would still work with no issues, because the confederation ID wouldn’t be used in the existing peering sessions.



IOW, AS65003 doesn’t necessarily always know that AS65001 is also AS2.  It may not know the confederation ID at all, or it may even think that AS65001 is also some other AS.



Yes, I have to admit that we could argue whether either case/or both (of not knowing the proper confederation ID) is a misconfiguration…but the fact persists that there is no explicit indication that AS2 intended to send the Update to AS65001 (even if they are, or should be, the same box).





This is where I think we’re again at a place where we’re probably agreeing to disagree – and where more input from the WG would be great.   I am happy to be in the rough if the WG agrees with you.





Thanks!



Alvaro.

v2.23.0 | Report a Bug | By Email