Re: [sidr] Ben Campbell's No Objection on draft-ietf-sidr-bgpsec-ops-12: (with COMMENT)

Randy Bush <randy@psg.com> Thu, 05 January 2017 22:14 UTC

Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23A451295FA; Thu, 5 Jan 2017 14:14:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.001
X-Spam-Level:
X-Spam-Status: No, score=-10.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3FqRR3JNlBCj; Thu, 5 Jan 2017 14:14:20 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9B31129686; Thu, 5 Jan 2017 14:14:20 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com) by ran.psg.com with esmtp (Exim 4.86_2) (envelope-from <randy@psg.com>) id 1cPGIa-00036N-Pb; Thu, 05 Jan 2017 22:14:17 +0000
Date: Fri, 06 Jan 2017 07:14:14 +0900
Message-ID: <m2k2a9f93d.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: "Ben Campbell" <ben@nostrum.com>
In-Reply-To: <39D04FC6-BD42-4474-BEF5-9A3C370D7A1A@nostrum.com>
References: <148348795694.28027.8646303758093237302.idtracker@ietfa.amsl.com> <m2d1g3mvo2.wl-randy@psg.com> <661F8C18-7B04-4E88-A97A-BBA8314C3FD4@nostrum.com> <m260lul2f8.wl-randy@psg.com> <39D04FC6-BD42-4474-BEF5-9A3C370D7A1A@nostrum.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.5 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/gqUYwi1Kr1TtCagnwhMQYTcwzg0>
Cc: The IESG <iesg@ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Ben Campbell's No Objection on draft-ietf-sidr-bgpsec-ops-12: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 22:14:22 -0000

>> Sorry, I did not mean that stripping was suggested; the previous
>>> phrase (non-normatively) recommends against stripping. My question
>>> is, since the subject of the sentence is "signed paths" whether the
>>> "MUST be signed" language means "MUST NOT strip the signature"
>>> (which I suspect to be the case), or something else.
>> 
>> how about
>> 
>>    As the mildly stochastic timing of RPKI propagation may cause
>>    version skew across routers, an AS Path which does not validate at
>>    router R0 might validate at R1.  Therefore, signed paths that are
>>    Not Valid and yet propagated (because they are chosen as best
>>    path) MUST NOT have signatures stripped and MUST be signed if sent
>>    to external BGPsec speakers.
>> 
>> if not, use larger clue bat
> 
> It's likely I have this particular bat by the wrong end.
> 
> In the last sentence, does "MUST be signed" mean it must have a
> signature (which would seem to make "MUST NOT strip" and "MUST be
> signed" redundant), or does it mean the propagating router must add
> it's own signature in addition to the existing one(s)?

yes, it must preserve the signed path and add its own signature.

randy