Re: [sidr] Route Leak fix: V free routing
"Montgomery, Douglas" <dougm@nist.gov> Tue, 22 November 2011 15:37 UTC
Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D24821F8C95 for <sidr@ietfa.amsl.com>; Tue, 22 Nov 2011 07:37:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.949
X-Spam-Level:
X-Spam-Status: No, score=-5.949 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTIjdmpPMFUm for <sidr@ietfa.amsl.com>; Tue, 22 Nov 2011 07:37:53 -0800 (PST)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 742D321F85AE for <sidr@ietf.org>; Tue, 22 Nov 2011 07:37:53 -0800 (PST)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.339.1; Tue, 22 Nov 2011 10:37:49 -0500
Received: from MBCLUSTER.xchange.nist.gov ([fe80::41df:f63f:c718:e08]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Tue, 22 Nov 2011 10:37:18 -0500
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Randy Bush <randy@psg.com>
Date: Tue, 22 Nov 2011 10:37:49 -0500
Thread-Topic: [sidr] Route Leak fix: V free routing
Thread-Index: AcypLJ2felfbWIe0TdOcUxssLiD84g==
Message-ID: <CAF12307.707A1%dougm@nist.gov>
In-Reply-To: <m2aa7onudn.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.10.0.110310
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Route Leak fix: V free routing
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2011 15:37:55 -0000
On 11/22/11 8:45 AM, "Randy Bush" <randy@psg.com> wrote: >> These ideas have floated around for 20+ years. They have even appeared >>in >> early BGP specs ... See "LINK TYPE" in >>http://www.ietf.org/rfc/rfc1105.txt. >> >> I actually think this is a useful idea, but the discussion always rat >> holes in the supposition of absolute filtering rules and proof by >>counter >> examples. >> >> I think it would be simple for transmitters to indicate and sign their >> view of the peering relationship they are sending an update over. >> Customer, provider, peer, or unspecified. >> >> (where/how you encode this is a detail, I would suggest in the PATH SIG >> unless we decide to take on the more general approach below). >> >> What receivers do with that information ... Just like validation state, >> would be a matter of local policy. >> >> Worse case is everyone chooses unspecified and we waste two bits under >>the >> signature. >> >> Best case for those who don't care about declaring who their >> customers/providers are to their customers/providers .... Then receivers >> can choose to filter "V" routes if they wish. > >[ thanks for the only actual constructive hint i have seen on this list > for a while. being still on travel and very time constrained, i have > started just hitting delete to the repeat blather from the failed > rpsec wg. ] > >do you expect it to be covered by the signature? if so, then the >business relationship is published globally. do you see a way to assure >veracity and non-repudiation while not exposing globally? > >Randy I think the exposure thing is a red herring. Yes I expect it to be covered by a signature. It will travel by BGP as far as the update travels, to exactly the same set of players. So that set of folks already know you have a peering relationship, I suspect they can figure out what the effective relationship is, if they care, with a little analysis already. Of course collectors might capture the update ... Just as they do now revealing the peering existence. Concerned about that? I would like to understand how the exposure is any greater than just sending the update today? Still if you are concerned, set the relationship to "unspecified". It is just a low cost tool. I think one of our great mistakes is trying to engineering what the end use cases will be for some of these mechanisms. I contend we have little idea exactly how all of this will play out. Providing a low cost mechanism that would allow interested communities to address these forms of "leaks" .... especially if we don't mandate that everyone has to either (a) reveal the relationship (I.e., unspecified) or (B) enforce any policy relative to it (e.g., drop "V") ... Seems pretty harmless. If 20 years for now 99% of the peering hops in AS_PATHS are "unspecified" ... We hashed and extra byte for nothing ... A risk I would be willing to take. I will note that all previous attempts at this (there was another interim BGP spec years later that proposed a partial ordering among confederations that imposed similar no-"V" properties, I could not find a stable reference to that idea) suggested that it was an fixed property of the peering relationship. I will note that, so far, BGPSEC is 1 NLRI per update. While I am not suggesting sane reasons to do so, one might envision that some prefixes I might transmit with "unspecified" while others I might not. As far as veracity and non-repudiation .... I am setting a flag in an update, not attesting to a contract. The main (only?) use of which is to suggest that you don't want your customers to transit the Internet through you ... Nothing about that needs to be proved other than I set it. Maybe I see an emotional issue here ... What if the bits were call "no export to providers", "no export to peers", "unspecified", "free distribution"... i.e., this is not a declaration of a contractual status, it is a request by a transmitter to limit the distribution of an update potentially multi-hops down stream. I set this if I care, or think it would be a public service, to constrain the flow of this update. Mind you this naming conveys that it is the transmitter who is trying to effect policy, not the receiver. The difference in having this under the PATH SIG is my preferences remain with the update, unless someone strips the whole sig. Once again, if receivers care about any of this, they would write policies to implement their concerns ... Just as they will have to to react to the validation state itself. dougm >
- [sidr] BGPsec - proposal for threat model, protoc… Brian Dickson
- Re: [sidr] BGPsec - proposal for threat model, pr… Brian Dickson
- [sidr] Route Leak fix: V free routing Jakob Heitz
- Re: [sidr] Route Leak fix: V free routing michael.meulle
- Re: [sidr] Route Leak fix: V free routing Montgomery, Douglas
- Re: [sidr] Route Leak fix: V free routing Randy Bush
- Re: [sidr] Route Leak fix: V free routing Montgomery, Douglas
- Re: [sidr] Route Leak fix: V free routing Brian Dickson
- Re: [sidr] Route Leak fix: V free routing Jakob Heitz
- Re: [sidr] Route Leak fix: V free routing Brian Dickson
- Re: [sidr] Route Leak fix: V free routing Jakob Heitz