Re: [sidr] Question about draft-ietf-sidr-pfx-validate-03

Brian Dickson <brian.peter.dickson@gmail.com> Sun, 13 November 2011 20:38 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B17FE21F8801 for <sidr@ietfa.amsl.com>; Sun, 13 Nov 2011 12:38:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.551
X-Spam-Level:
X-Spam-Status: No, score=-3.551 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FrjGSilhKS98 for <sidr@ietfa.amsl.com>; Sun, 13 Nov 2011 12:38:35 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id BA27B21F87E2 for <sidr@ietf.org>; Sun, 13 Nov 2011 12:38:34 -0800 (PST)
Received: by bkbzv15 with SMTP id zv15so6376220bkb.31 for <sidr@ietf.org>; Sun, 13 Nov 2011 12:38:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=7IAuIAOwdo/OuPT8eBjfMGAPipTm5HZWCsytSLjYQi8=; b=JNjgRWJXW4OrOSXc3tVoYT2247dxzbOQUtVe+sCepWhgQX4vC+1DM9h/sGOsW+Mvy9 MBD7wZ0ENXBh83CAjhlyxft/n03fIFPBPxJuwut8a32mjuDutGgHAz3jTNHofhL8yR7L iKVzReOub7LW0M4HpJGebesvvsHFMXvQFApuo=
MIME-Version: 1.0
Received: by 10.204.130.90 with SMTP id r26mr4489985bks.46.1321216712422; Sun, 13 Nov 2011 12:38:32 -0800 (PST)
Received: by 10.223.54.15 with HTTP; Sun, 13 Nov 2011 12:38:32 -0800 (PST)
In-Reply-To: <50D11ABB-8AFB-48EB-B0CE-753EEA39D539@juniper.net>
References: <E3CAD10A-758F-435F-B79F-62171DD373CC@tcb.net> <CAH1iCiru4JarSgi7D88faFZgzmnVJoGDm9C0COAmtjqgsCXPzA@mail.gmail.com> <50D11ABB-8AFB-48EB-B0CE-753EEA39D539@juniper.net>
Date: Sun, 13 Nov 2011 15:38:32 -0500
Message-ID: <CAH1iCio8SFXMW4msCq-cGnQ8m50jEPgPR072nigZC_ZYWboLrw@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: John Scudder <jgs@juniper.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Question about draft-ietf-sidr-pfx-validate-03
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2011 20:38:36 -0000

Correct, yes, I understand.

My point is, that because of the inter-relatedness of the various SIDR
documents, and because presumably the bgpsec-protocol document is not
set in stone, the issues raised in other documents (in SIDR) can be
considered as creating requirements to the protocol document.

As in, by making changes to the protocol (and necessarily the protocol
draft), the issues elsewhere can be designed away and made moot.

It is taking a holistic approach to the set of SIDR documents rather
than documenting around an existing pre-standards bgpsec
implementation.

I humbly suggest that the authors of the other documents take a closer
look at things I suggest, and perhaps voice them as concerns in the
-protocol discussion, as relates to the overall design and in
particular their own documents.

Some see the glass as half-full, some as half-empty. I see the glass
as too big. :-)

Brian

On Sun, Nov 13, 2011 at 3:12 AM, John Scudder <jgs@juniper.net> wrote:
> Brian,
>
> Danny is talking about pfx-validate, which is not the same as BGPSEC.
>
> --John
>
> On Nov 13, 2011, at 1:48 AM, Brian Dickson wrote:
>
>> I think the current design of BGPsec as memorialized (love that word) in the
>> draft-ietf-sidr-bgpsec-protocol would need to be tweaked to handle this.
>>
>> I also believe that the result of the proposed tweak, will be a cleaner design
>> which is easier to implement and verify, as well as not incurring significant
>> operational cost in terms of signatures.
>>
>> Local origination SHOULD occur within an AS on a permanent
>> basis, and only the announcements from the actual originating router need
>> to have unique signatures, regardless of whether they are iBGP or eBGP.
>>
>> (Crypto geeks might suggest adding a random "nonce" to make the signature
>> a little harder to crack, since very little on the signature material
>> will change
>> over time - but that is another discussion.)
>>
>> Here is the tweak:
>>
>>                      Sequence of Octets to be Signed
>>                 +---------------------------------------+
>>                 | Expire Time (8 octets)                |
>>                 +---------------------------------------+
>>                 | Origin AS Number (4 octets)           |
>>                 +---------------------------------------+
>>                 | Algorithm Suite Identifier  (1 octet) |
>>                 +---------------------------------------+
>>                 | NLRI Length  (1 octet)                |
>>                 +---------------------------------------+
>>                 | NLRI Prefix  (variable)               |
>>                 +---------------------------------------+
>>
>> The "Target AS" and "pCount" need to be added, meaning the minimum
>> number of signatures
>> changes to "one origin" and "one propagation" signature.
>>
>> For iBGP within the originating AS, the signature would be "Target AS
>> == origin AS", and "pCount == 0".
>>
>> For eBGP, it would be what you expect, "Target AS == neighbor", "pCount > 0".
>>
>> I think that's all that is needed, and the rest of the validation
>> logic in the -protocol doc remain good,
>> the -ops-reqs doc allows validation for local AS, and pfx-validate also works.
>>
>> Any detail or logic errors in the above can be attributed to not
>> enough caffeine... The gist of the above
>> should be solid enough, though.
>>
>> Brian
>>
>> On Sat, Nov 12, 2011 at 11:54 AM, Danny McPherson <danny@tcb.net> wrote:
>>>
>>> My read of the current draft suggests that if there's a route generated by
>>> the
>>> local AS in BGP it could never have a "Valid" state, and by definition
>>> would
>>> either posses a "Not found" or "Invalid" state -- even though the local
>>> AS may well have a "ROA" and reside in the mapping table as well(!).
>>> I do not believe the current text is Section 5 is sufficient to address this
>>> case,
>>> specifically with either this:
>>> "Considering invalid routes for BGP decision process is
>>> a pure local policy matter and should be done with utmost care."
>>> or this:
>>> "In some cases (particularly when the selection algorithm is
>>> influenced by the adjustment of a route property that is not
>>> propagated into IBGP) it could be necessary for routing
>>> correctness to propagate the validation state to the IBGP
>>> peer. This can be accomplished on the sending side by setting
>>> a community or extended community based on the validation
>>> state, and on the receiving side by matching the (extended)
>>> community and setting the validation state."
>>> I could think of a number of way to address this, but for there to exist
>>> the
>>> possibility that an internally generated prefix (for which a ROA may well
>>> exists)
>>> could NEVER have a "Valid" state needs to be corrected.
>>> Also, S 4:  s/to rest of the network/to the rest of the network/
>>> Thanks,
>>> -danny
>>>
>>> _______________________________________________
>>> sidr mailing list
>>> sidr@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidr
>>>
>>>
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>
>