IETF Logo Mail Archive

Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?

Shane Amante <shane@castlepoint.net> Thu, 28 July 2011 21:18 UTC

Return-Path: <shane@castlepoint.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC5D11E80FB for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 14:18:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydCBQzvyOQb9 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 14:18:04 -0700 (PDT)
Received: from dog.tcb.net (dog.tcb.net [64.78.150.133]) by ietfa.amsl.com (Postfix) with ESMTP id 98B5611E8099 for <sidr@ietf.org>; Thu, 28 Jul 2011 14:18:04 -0700 (PDT)
Received: by dog.tcb.net (Postfix, from userid 0) id 5F685368199; Thu, 28 Jul 2011 15:18:04 -0600 (MDT)
Received: from host2.tcb.net (64.78.235.218 [64.78.235.218]) (authenticated-user smtp) (TLSv1/SSLv3 AES128-SHA 128/128) by dog.tcb.net with SMTP; Thu, 28 Jul 2011 15:18:04 -0600 (MDT) (envelope-from shane@castlepoint.net)
X-Avenger: version=0.7.8; receiver=dog.tcb.net; client-ip=64.78.235.218; client-port=56838; data-bytes=0
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Shane Amante <shane@castlepoint.net>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov>
Date: Thu, 28 Jul 2011 15:18:02 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <2C3246E7-A4AD-4335-BCDA-73D98DDB0274@castlepoint.net>
References: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net> <D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov>
To: "Montgomery, Douglas" <dougm@nist.gov>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 21:18:05 -0000

On Jul 28, 2011, at 1:43 PM, Montgomery, Douglas wrote:

> The discussion so far has not been protecting/validating if prepending *should have* occurred.    BGPSEC protects the AS_PATH.  Prepending occurs in the AS_PATH.  Today's strawman presented one approach to protect the fact that prepending *did* occur (without comment as if it should have occurred).

Right.  But, if BGPSEC is not "commenting" whether AS_PATH prepending should, or should not, have occurred, then wouldn't it be more straightforward to avoid representing AS_PATH prepending in BGPSEC's AS_PATH Attr?  IOW, isn't the intent of the BGPSEC AS_PATH signature to "simply" represent the ASN's over which the BGP UPDATE has travelled?  Why does AS_PATH prepending *need* representation in the BGPSEC AS_PATH Attr, (or, what does it help with wrt BGPSEC)?

The SIDR WG instigated the deprecation of AS_SET's for reasons of simplification.  If WG really believes in simplification, then why does that not apply here wrt AS_PATH prepending?


> With that interpretation, I don't think today's proposal violates the requirement about presuming intent.
> 
> This too is good discussion as to what the requirement is.    
> 
> If we want to protect the common encoding of prepending in the AS_PATH today's strawman provides a simple approach.   
> 
> I don't know if your example is primarily pointing out another situation where prepending occurs on ingress .... or if we you are proposing that we discuss protecting the intent to prepend.
> 
> If it is the latter - that is a significant expansion of requirements - and there are no obvious simple enhancements of bgpsec-00 mechanisms that would get us there.

So, I grudgingly agree with the requirement, as written, that a BGPSEC AS_PATH signature should not describe/express intent.  (I'd feel better if the requirement were changed to say "does not" describe/express intent, but I'm not sure there is consensus to do so ...).

Ultimately, my concern is the more "faithfully" the AS_PATH appears to be represented in the BGPSEC AS_PATH Attr (i.e.: it does include AS_PATH prepending), then:
a)  The more potential confusion there might be with operators who aren't well versed in SIDR incorrectly /assuming/ that it does describe intent[1]; and/or,
b)  The more potential/temptation there may be for vendors to use the BGPSEC AS_PATH Attr in BGP path selection (i.e.: as the AS_PATH length tie-breaker) in place of the legacy AS_PATH Attribute.  This has implications wrt control plane scaling w/out any appreciable benefit.

-shane

[1] Yeah, yeah, they should RTFM ...


> 
> dougm
> 
> 
> 
> 
> Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
> ________________________________________
> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Shane Amante [shane@castlepoint.net]
> Sent: Thursday, July 28, 2011 3:00 PM
> To: sidr@ietf.org
> Subject: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
> 
> Hi,
> 
> I have a question for the WG.  In a series of e-mail exchanges earlier this year, I had thought it was concluded that BGPSEC was merely being used as a means to express that a BGP UPDATE had passed through a series of ASN's, i.e.: it's an expression of a "breadcrumbs", if you will, that can [later] be validated by receiver that are further downstream.  IOW, it's not a validation of the TE policies (e.g.: AS_PATH prepending) applied by ASN's.
> 
> I went back to the BGPSEC requirements:
> http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-00
> ... and, if I look at Req #3.19:
>   3.19  A BGPsec design SHOULD NOT presume to know the intent of the
>         originator of a NLRI, nor that of any AS on the AS Path.
> 
> What was the intended meaning of the word "intent"?  I thought that word was meant to say that BGPsec was not intended to validate TE policies that may, or may not, be applied to the NLRI.  If that is correct, then why is the WG looking at signing an BGP attribute that expresses the the number of times an ASN may be prepended?  Or, has the WG had a change of direction and I haven't kept up to speed?
> 
> I would note that the reason I'm asking the above is that it may not be the originator that is performing AS_PATH prepending.  Specifically, a customer may use a provider's BGP TE communities to ask the provider to perform AS_PATH prepending (selectively) on their behalf.  But, since these BGP TE communities are not signed, then how would a receiver of the NLRI know that an AS_PATH should or should not have been prepended by an intermediate/transit ASN?
> 
> Thanks,
> 
> -shane
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email