Re: [sidr] Route Leak fix: V free routing

"Montgomery, Douglas" <dougm@nist.gov> Tue, 22 November 2011 15:37 UTC

Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D24821F8C95 for <sidr@ietfa.amsl.com>; Tue, 22 Nov 2011 07:37:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.949
X-Spam-Level:
X-Spam-Status: No, score=-5.949 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTIjdmpPMFUm for <sidr@ietfa.amsl.com>; Tue, 22 Nov 2011 07:37:53 -0800 (PST)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 742D321F85AE for <sidr@ietf.org>; Tue, 22 Nov 2011 07:37:53 -0800 (PST)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.339.1; Tue, 22 Nov 2011 10:37:49 -0500
Received: from MBCLUSTER.xchange.nist.gov ([fe80::41df:f63f:c718:e08]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Tue, 22 Nov 2011 10:37:18 -0500
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Randy Bush <randy@psg.com>
Date: Tue, 22 Nov 2011 10:37:49 -0500
Thread-Topic: [sidr] Route Leak fix: V free routing
Thread-Index: AcypLJ2felfbWIe0TdOcUxssLiD84g==
Message-ID: <CAF12307.707A1%dougm@nist.gov>
In-Reply-To: <m2aa7onudn.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.10.0.110310
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Route Leak fix: V free routing
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2011 15:37:55 -0000

On 11/22/11 8:45 AM, "Randy Bush" <randy@psg.com> wrote:

>> These ideas have floated around for 20+ years.  They have even appeared
>>in
>> early BGP specs ... See "LINK TYPE" in
>>http://www.ietf.org/rfc/rfc1105.txt.
>> 
>> I actually think this is a useful idea, but the discussion always rat
>> holes in the supposition of absolute filtering rules and proof by
>>counter
>> examples.
>> 
>> I think it would be simple for transmitters to indicate and sign their
>> view of the peering relationship they are sending an update over.
>> Customer, provider, peer, or unspecified.
>> 
>> (where/how you encode this is a detail, I would suggest in the PATH SIG
>> unless we decide to take on the more general approach below).
>> 
>> What receivers do with that information ... Just like validation state,
>> would be a matter of local policy.
>> 
>> Worse case is everyone chooses unspecified and we waste two bits under
>>the
>> signature.
>> 
>> Best case for those who don't care about declaring who their
>> customers/providers are to their customers/providers .... Then receivers
>> can choose to filter "V" routes if they wish.
>
>[ thanks for the only actual constructive hint i have seen on this list
>  for a while.  being still on travel and very time constrained, i have
>  started just hitting delete to the repeat blather from the failed
>  rpsec wg. ]
>
>do you expect it to be covered by the signature?  if so, then the
>business relationship is published globally.  do you see a way to assure
>veracity and non-repudiation while not exposing globally?
>
>Randy

I think the exposure thing is a red herring.

Yes I expect it to be covered by a signature.

It will travel by BGP as far as the update travels, to exactly the same
set of players.   So that set of folks already know you have a peering
relationship, I suspect they can figure out what the effective
relationship is, if they care, with a little analysis already.

Of course collectors might capture the update ... Just as they do now
revealing the peering existence.

Concerned about that?   I would like to understand how the exposure is any
greater than just sending the update today?

Still if you are concerned, set the relationship to "unspecified".

It is just a low cost tool.    I think one of our great mistakes is trying
to engineering what the end use cases will be for some of these
mechanisms.   I contend we have little idea exactly how all of this will
play out.   Providing a low cost mechanism that would allow interested
communities to address these forms of "leaks" .... especially if we don't
mandate that everyone has to either (a) reveal the relationship (I.e.,
unspecified) or (B) enforce any policy relative to it (e.g., drop "V") ...
Seems pretty harmless.

If 20 years for now 99% of the peering hops in AS_PATHS are "unspecified"
... We hashed and extra byte for nothing ... A risk I would be willing to
take.

I will note that all previous attempts at this (there was another interim
BGP spec years later that proposed a partial ordering among confederations
that imposed similar no-"V" properties, I could not find a stable
reference to that idea) suggested that it was an fixed property of the
peering relationship.

I will note that, so far, BGPSEC is 1 NLRI per update.  While I am not
suggesting sane reasons to do so, one might envision that some prefixes I
might transmit with "unspecified" while others I might not.


As far as veracity and non-repudiation .... I am setting a flag in an
update, not attesting to a contract.   The main (only?) use of which is to
suggest that you don't want your customers to transit the Internet through
you ... Nothing about that needs to be proved other than I set it.

Maybe I see an emotional issue here ... What if the bits were call "no
export to providers", "no export to peers", "unspecified", "free
distribution"... i.e., this is not a declaration of a contractual status,
it is a request by a transmitter to limit the distribution of an update
potentially multi-hops down stream.   I set this if I care, or think it
would be a public service, to constrain the flow of this update.  Mind you
this naming conveys that it is the transmitter who is trying to effect
policy, not the receiver.

The difference in having this under the PATH SIG is my preferences remain
with the update, unless someone strips the whole sig.

Once again, if receivers care about any of this, they would write policies
to implement their concerns ... Just as they will have to to react to the
validation state itself.

dougm



>