IETF Logo Mail Archive

Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Thu, 29 December 2016 17:15 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F0E71296AC; Thu, 29 Dec 2016 09:15:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m834OZyWzFW7; Thu, 29 Dec 2016 09:14:59 -0800 (PST)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0107.outbound.protection.outlook.com [23.103.200.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37B7B129868; Thu, 29 Dec 2016 09:14:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=hS2eRsM0Q/YMdS08xQbXdSRaV13iI0If0+LKNu/a9zw=; b=U2SEsGutuy/wCm2jkrG1nJuu2sMzFCzV+ey0gqhUX81DzJ8Y2+RJm8P89oKv6CO3AoNH/yICV/JW/9f/VGwVmBfXHvd8vtEXxKd3zm2sy2zNhK2qKDsm/zgJxEwhqI/UJPVmzEv+NSDZnNR3ONBqzc8Ibi+6SgTsSFqtxeq91iE=
Received: from CY1PR09MB0444.namprd09.prod.outlook.com (10.160.150.25) by CY1PR09MB0443.namprd09.prod.outlook.com (10.160.150.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.803.11; Thu, 29 Dec 2016 17:14:57 +0000
Received: from CY1PR09MB0444.namprd09.prod.outlook.com ([10.160.150.25]) by CY1PR09MB0444.namprd09.prod.outlook.com ([10.160.150.25]) with mapi id 15.01.0803.021; Thu, 29 Dec 2016 17:14:57 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>, "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>
Thread-Topic: Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
Thread-Index: AQHSUmenE2EHhTbiU0q7IXrD4ZYx2aEfNZ3Q
Date: Thu, 29 Dec 2016 17:14:56 +0000
Message-ID: <CY1PR09MB0444EAC40C875F576A451F8F846B0@CY1PR09MB0444.namprd09.prod.outlook.com>
References: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com>
In-Reply-To: <7055D209-5BF7-4B5D-A675-356CD2CBFF4D@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.140.122]
x-ms-office365-filtering-correlation-id: efd1aea0-086f-4fd8-8adc-08d4300e36b0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CY1PR09MB0443;
x-microsoft-exchange-diagnostics: 1; CY1PR09MB0443; 7:DYSeRUQnzW+BiNyloXeNFsPc/gsjgadkoYemyzK0+1W7lA5SeQ9n8BvC0sg/SuSTmvGaeXwciss0E3w6bHthtN+2sShuSSA0GjqURuLE/6NoXtmbrd+EDvk9N5RFKgArfokgRWwjZmWsEnKLVHbsURv4NQy1jjK80+UYefiI/fNozuifR/wJ+4cbvSjvG1f7dPhPmmhqaZ6sZEY7e7DFkvDEKDPWMFuCnb/qfGsAl5Izl8oF2F1FfIMG9CrEpl3Z72EwOygb9Cbypd24paJQqfaq5TqGcRXfdtIGM3Pj7rHFm0t0ympqzBpA2SgGzyE7u5VukcpzWpR6LlKJrvBcl2OT26N4YpPQKD+EQJqa/10QDkFxCnl7cbV7quFTSwNNEjGaPoSVb2yiuuU1q+dwIJXPmgcbPhXfPrG/6nrgSkqRWIqLKwkatxhP12LgyPSoJLFELJ+xUpdkue9eQ8Ju4Q==
x-microsoft-antispam-prvs: <CY1PR09MB044303F4B06F5262E6D0C4FF846B0@CY1PR09MB0443.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(95692535739014)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(6041248)(20161123564025)(20161123562025)(20161123555025)(20161123558021)(20161123560025)(6072148); SRVR:CY1PR09MB0443; BCL:0; PCL:0; RULEID:; SRVR:CY1PR09MB0443;
x-forefront-prvs: 01713B2841
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39840400002)(39410400002)(39860400002)(39450400003)(39850400002)(377454003)(199003)(189002)(92566002)(54356999)(38730400001)(6506006)(230783001)(6436002)(2900100001)(66066001)(25786008)(2501003)(229853002)(77096006)(33656002)(68736007)(2201001)(81166006)(9686002)(2950100002)(101416001)(74316002)(81156014)(50986999)(6116002)(3660700001)(8676002)(86362001)(102836003)(7736002)(97736004)(122556002)(2906002)(4326007)(106116001)(189998001)(76176999)(7696004)(3846002)(99286002)(105586002)(55016002)(106356001)(5660300001)(5001770100001)(8936002)(305945005)(3280700002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR09MB0443; H:CY1PR09MB0444.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Dec 2016 17:14:56.3797 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR09MB0443
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/iIBqPdLmGNvi2ZSarmvAGwG3euw>
Cc: Matthias Waehlisch <m.waehlisch@fu-berlin.de>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Confederations and Private ASNs (WAS: AD Review of draft-ietf-sidr-bgpsec-protocol-18)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Dec 2016 17:15:02 -0000

Hi Alvaro,

Please see my comments inline below.

>From: Alvaro Retana (aretana) [mailto:aretana@cisco.com] 
>Sent: Friday, December 09, 2016 5:00 PM
….

>Hi!  I think the only item left is the Confederations one…
….

>Yes, I agree that the collusion problem is one that (as you mentioned below) 

>is out of the scope of BGPsec.  You are right that pCount=0 (as proposed below) 

>doesn’t solve the collusion problem – but it does address the following 

>security guarantee that is currently not met in the Confederations case (from 8.1):
….

In the latest version-21 of the draft that I uploaded last Friday, 
I have incorporated the solution that you have proposed, 
namely, adding a signature with pCount = 0, 
at the border of the confederation (see 2nd, 3rd, and 4th paragraphs 
added newly in Section 4.3, page 18).

As I see it, this solution offers the following three benefits:

1. It eliminates the discontinuity issue at the confederation boundary and 
hence facilitates maintaining the security guarantee within confederations as well.

2. It allows for tolerance to lack of proper configuration in a BGPsec speaker
in an interior AS in a confederation, i.e. when such a BGPsec speaker
is not configured to know its confederation’s public AS number.

So it addresses the following comment you made earlier:
“In this network AS65003 (for example) only needs to know (i.e. be configured) 
that AS65001 and AS65004 as confederation peers, 
and not the specific knowledge of which is the confederation ID.”
https://www.ietf.org/mail-archive/web/sidr/current/msg08126.html 

(Randy’s post also seemed to hint that this tolerance would be useful:
https://www.ietf.org/mail-archive/web/sidr/current/msg08127.html )

3. A common description of the validation algorithm (Section 5.2) applies to
all BGPsec speakers. That is, no exceptions need to be stated for 
BGPsec  speakers inside a confederation.
(Previously we had described such exceptions in Section 4.3,
but now they are not needed any more and hence deleted.)

>Related to the above, is the support for private ASNs --- 
this topic also came up in the review of draft-ietf-sidr-bgpsec-ops, 
and the GenArt/SecDir reviews.  There are two related points:

> 1. It is common to use private ASNs in Confederations, 
but the global RPKI can’t support that.  draft-ietf-sidr-slurm seems to address 
the issue of local management of private resources in the RPKI.  
…

> 2. Private ASNs (as pointed out in the SecDir review) are commonly used for stubs.  
This document should include something (I’m thinking in the Ops Section) 
about the protocol considerations: there must be a ROA from 
the resource owner for the ISP to properly re-originate the Update, etc..

There are two new paragraphs in the ops and mgmt. section (Section 7, page 30)
that discuss proper handling of private ASNs that may be used for stub ASes 
or inside confederations.

Please let me know if I missed anything or if you would like to suggest 
any wording improvements.

Thank you.

Sriram

v2.23.0 | Report a Bug | By Email