Re: [sidr] New Version: draft-ietf-sidr-bgpsec-protocol-12
David Mandelberg <david@mandelberg.org> Mon, 06 July 2015 23:54 UTC
Return-Path: <david@mandelberg.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D50161A1BBE for <sidr@ietfa.amsl.com>; Mon, 6 Jul 2015 16:54:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x6jbLdRr7D3Y for <sidr@ietfa.amsl.com>; Mon, 6 Jul 2015 16:54:49 -0700 (PDT)
Received: from nm22-vm1.access.bullet.mail.bf1.yahoo.com (nm22-vm1.access.bullet.mail.bf1.yahoo.com [216.109.115.144]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2928C1A1BDA for <sidr@ietf.org>; Mon, 6 Jul 2015 16:54:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1436226888; bh=33mVvRT0brwcd24DoSHeAUt5v5+iESf19auieA69xLA=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From:Subject; b=e37Wi48e48QNIUqCb64+R732Lu4te/pvNqDwlMXcar2SWLZAGeuQ716U2dC4TkbwTsR2eXx6Pnq15UmdzKXYJsWF/JNEM6tu4EfMa9I1dEpx+uHE32/TeFd1LHLN8pLat2aMag7qxiL8czJ/9kKgGIbw5nG2qTz23n3WBJQwb/+jgfXfOvG6Y+jBIy96hmpnkxnGQL8qezG0/MR0AmvY234RDTgJa039ZQ2fvRiIAND0+fo1+3PgIt0tDMLDYepGs8vmR7MqKTeSugKQEqH1pRRIydIB7fHPa3ccww7DJxtr/JKa/EYTsdGe2BdAMDTaV93fPomYxoYqDrYrusmllg==
Received: from [66.196.81.156] by nm22.access.bullet.mail.bf1.yahoo.com with NNFMP; 06 Jul 2015 23:54:48 -0000
Received: from [98.138.226.243] by tm2.access.bullet.mail.bf1.yahoo.com with NNFMP; 06 Jul 2015 23:54:48 -0000
Received: from [127.0.0.1] by smtp114.sbc.mail.ne1.yahoo.com with NNFMP; 06 Jul 2015 23:54:48 -0000
X-Yahoo-Newman-Id: 277611.85077.bm@smtp114.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: zWf4Tu4VM1kt.r7iSdb6CxCZEVDPUSMHjF_pKnuL91wgx4p A6x3cfVIT3F4CR5kU9S5q_rhUVS7i02b7ZaE5Rlbj5RVjsOc.r1kYcGJbrjD DrHSCT8OL9vogUEiiLLu81dnEI9O1fUzNawPB3QbDJUwhLYvz5igHqCouJ7B fnbPiSu4VCNKUWwUhvgnJ2ulOGP0m8RTQ9sZVnSIRzq1Q1CVyPIAIP5e08e8 3Na53D1zfuXsi0yqt2e72jwofTCoG3Z8_mm_1cn7ngRT31psDxjNRS1eZht8 IiMkIJ0gtEXadu9JfcGTUQbEGnF56CJk.9UtgRBmThca3y73QMl1k3fhRmDb K2w_B0ycrbLRMgOMD1tmxKmcL0lOKL03Jm8o3OmuRhHubqTMJdOBd2voYACc tPVuTKdYx_b5O7O7NmOlb3drvzAcPbadc9Mp7287IS.AL7Nk6YERov.lDKBC VuRydtx9VZh90G92XtrU__zOSTmSGe9dSDKe2YHNeFmLyHQWF.wpofBZikbM bOh8g16gVHi4tl_NieD775ZtCnUg-
X-Yahoo-SMTP: 4kJJK.qswBDPuwyc5wW.BPAQqNXdy5j09UNyeAS0pyOQ708-
Received: from secure.mandelberg.org (c-76-24-31-176.hsd1.ma.comcast.net [76.24.31.176]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 506081C6095; Mon, 6 Jul 2015 19:54:46 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Date: Mon, 06 Jul 2015 19:54:46 -0400
From: David Mandelberg <david@mandelberg.org>
To: Matthew Lepinski <mlepinski.ietf@gmail.com>
In-Reply-To: <CANTg3aDr+-f9g-giMJfJY9z8EhC=i-9xgqYJufpMn-pJk+Z3OQ@mail.gmail.com>
References: <CANTg3aBO=jb01DYcT3YPU305-nUpSmdSzF3GiG4ia1FP7r9H1w@mail.gmail.com> <CAL9jLaagZAsYJ5h+wiwpPYZmjiuWpk06wBFuXrNfvzhyjBDsbw@mail.gmail.com> <37419C49-1FAC-44CD-A650-924BBF43A5C4@tislabs.com> <478403baff907c873e474e5e9b447fac@mail.mandelberg.org> <CANTg3aDr+-f9g-giMJfJY9z8EhC=i-9xgqYJufpMn-pJk+Z3OQ@mail.gmail.com>
Message-ID: <c6343467652721664b63357ff6494eeb@mail.mandelberg.org>
X-Sender: david@mandelberg.org
User-Agent: Roundcube Webmail/0.7.2
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/jHCoaZJKw6VM33Ewngru_HX32K0>
Cc: sidr@ietf.org
Subject: Re: [sidr] New Version: draft-ietf-sidr-bgpsec-protocol-12
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 23:54:51 -0000
The -13 revision addresses all of my questions, thanks. On 2015-07-06 19:26, Matthew Lepinski wrote: > David, > > Thanks a lot for raising this issue. > > Based on the discussion in Dallas, I was hoping that we could just go > with the clean approach of including the MP_REACH_NLRI attribute in > the signature. > > As you correctly point out, we cant sign MP_REACH_NLRI, because the > "Network Address of Next Hop" field within MP_REACH_NLRI changes as > an > update message propagates through network. (I.e., if we sign what the > -12 draft says we should sign, verification will often fail.) > > I have just submitted a -13 version of the document that pulls out > the > fields from MP_REACH_NRLI which arent changed in transit (and thus > can > be safely signed). > > - Matt Lepinski > > On Mon, Jun 22, 2015 at 9:21 PM, David Mandelberg > <david@mandelberg.org [4]> wrote: > >> On 2015-06-19 14:00, Sandra Murphy wrote: >> >>> Anyone who commented on draft-ietf-sidr-bgpsec-protocol-11.txt >>> is >>> encouraged to review this version and report if your comments >>> have or >>> have not been addressed. >> >> My comments have been addressed, but I have some questions about >> the way one of them was addressed: >> >> Is the MP_REACH_NLRI encoded with or without the attribute flags >> and type code? >> >> Dont the values of MP_REACH_NLRIs "Length of Next Hop Network >> Address" and "Network Address of Next Hop" change with each hop, >> making it infeasible for remote ASes to verify the origins >> signature? >> >> MP_REACH_NLRI has a reserved field that "MUST be set to 0, and >> SHOULD be ignored upon receipt". If a BGPsec speaker receives an >> update where reserved is non-zero, what should it do? With the >> current text, I could interpret "SHOULD be ignored upon receipt" as >> meaning either "calculate the signature using the reserved field as >> received" or "calculate the signature using all zeroes in place of >> the reserved field". >> >> -- >> David Eric Mandelberg / dseomn >> http://david.mandelberg.org/ [1] >> >> _______________________________________________ >> sidr mailing list >> sidr@ietf.org [2] >> https://www.ietf.org/mailman/listinfo/sidr [3] > > > > Links: > ------ > [1] http://david.mandelberg.org/ > [2] mailto:sidr@ietf.org > [3] https://www.ietf.org/mailman/listinfo/sidr > [4] mailto:david@mandelberg.org -- David Eric Mandelberg / dseomn http://david.mandelberg.org/
- [sidr] New Version: draft-ietf-sidr-bgpsec-protoc… Matthew Lepinski
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… Christopher Morrow
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… Sandra Murphy
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… David Mandelberg
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… Matthew Lepinski
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… David Mandelberg
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… George, Wes
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… Randy Bush
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… Randy Bush
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… Matthew Lepinski
- Re: [sidr] New Version: draft-ietf-sidr-bgpsec-pr… George, Wes