Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-ops-12: (with COMMENT)
"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Mon, 02 January 2017 14:01 UTC
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <m2vatxmv83.wl-randy@psg.com>
Date: Mon, 02 Jan 2017 15:01:14 +0100
Message-Id: <563AAA29-82F7-4202-8A54-855CD7702595@kuehlewind.net>
References: <148336377615.21819.15119186800162780376.idtracker@ietfa.amsl.com> <m2vatxmv83.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/l4Ffd9NB1kLU-lXjUrim0jkfAms>
Cc: draft-ietf-sidr-bgpsec-ops@ietf.org, Chris Morrow <morrowc@ops-netman.net>, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, sidr@ietf.org
Subject: Re: [sidr] Mirja Kühlewind's No Objection on draft-ietf-sidr-bgpsec-ops-12: (with COMMENT)
Hi Randy,

thanks for your quick reply. I actually might be mixing this up with some discussion about DNSsec a while ago, where the problem was that once enabled, others will remember that it was supported and will not accept non-secured requests anymore. But as we are talking about this, could there be a similar case here, where a router is known to support BGPsec and others would ignore/drop non-signed announcements?

(Sorry if that's all discussed in the protocol doc; in this case just ignore my questions ;-); didn't review the protocol spec yet but it's the next doc on my list; probably should have read that one first…)

Mirja

> On 02.01.2017 at 14:45, Randy Bush <randy@psg.com> wrote:
>
>> Quick question: I'm by far not an expert here, but I remember that
>> there used to be some concerns that it is practically not possible to
>> disable BGPsec once enabled. If that's (still) true, should this be
>> mentioned here?
>
> i am not sure what you mean, so let me guess.
>
> an established bgp session has negotiated simplex or duplex bgpsec via
> bgp capability exchange. one can not change the agreement without
> tearing down and restarting the session.
>
> a router which is bgpsec enabled, receives a signed path from the left,
> but on the right it had a non-sec session, strips the bgpsec info from
> the path.
>
> these are discussed in the bgpsec protocol document. section 6,
> appended to save dumpster diving, shows some of the operational uses of
> this. do you have suggestions for other examples worth enumerating?
>
> randy
>
> 6. Considerations for Edge Sites
>
> An edge site which does not provide transit and trusts its
> upstream(s) SHOULD only originate a signed prefix announcement and
> need not validate received announcements.
>
> An Operator might need to use hardware with limited resources. In
> such cases, BGPsec protocol capability negotiation allows for a
> resource constrained edge router to hold only its own signing key(s)
> and sign its announcements, but not receive signed announcements.
> Therefore, the router would not have to deal with the majority of the
> RPKI, potentially saving the need for additional hardware.
>
> As the vast majority (84%) of ASs are stubs, and they announce the
> majority of prefixes, this allows for simpler and less expensive
> incremental deployment. It may also mean that edge sites concerned
> with routing security will be attracted to upstreams which support
> BGPsec.
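As an added example (not code from this thread or from the BGPsec draft), the following Python sketch models the two mechanisms Randy describes: BGPsec is negotiated per direction in the capability exchange, so a resource-constrained edge router can agree to send signed announcements without ever receiving them, and a router that forwards a signed path onto a session where BGPsec was not negotiated strips the BGPsec info and emits a plain AS_PATH. The class and function names, the "sig-by-N" placeholder signatures and the sample ASNs and prefixes are assumptions, not anything from the thread.

```python
# Added example: a toy model of per-direction BGPsec capability negotiation
# and of stripping BGPsec info on a non-BGPsec session. Not code from the
# thread or the draft; names and the "sig-by-N" strings are placeholders,
# not real BGPsec signatures or validation.
from dataclasses import dataclass, field

@dataclass
class Caps:
    send: bool  # advertises: can send signed (BGPsec_Path) updates
    recv: bool  # advertises: can receive and validate signed updates

@dataclass
class Session:
    peer_as: int
    send_signed: bool  # negotiated: we sign towards this peer
    recv_signed: bool  # negotiated: this peer signs towards us

def negotiate(local: Caps, peer: Caps, peer_as: int) -> Session:
    """A direction is in use only if both sides agreed on it. An edge
    router that advertises send-only therefore gets a 'simplex' session:
    it signs its own announcements but never has to validate any."""
    return Session(peer_as, local.send and peer.recv, local.recv and peer.send)

@dataclass
class Route:
    prefix: str
    signed: list = field(default_factory=list)   # [(asn, sig)], newest first
    as_path: list = field(default_factory=list)  # plain AS_PATH when unsigned

def forward(route: Route, my_as: int, out: Session) -> Route:
    """Announce `route` to the peer on `out`, prepending my_as.
    Goes out signed only if this session negotiated sending signed updates
    AND the path is signed end to end (or we originate it); otherwise the
    BGPsec info is stripped and a plain AS_PATH is sent instead."""
    received_unsigned = bool(route.as_path)
    if out.send_signed and not received_unsigned:
        return Route(route.prefix, signed=[(my_as, f"sig-by-{my_as}")] + route.signed)
    path = [asn for asn, _ in route.signed] or route.as_path
    return Route(route.prefix, as_path=[my_as] + path)

def originate(prefix: str) -> Route:
    """A locally originated route: nothing received, nothing to strip."""
    return Route(prefix)
```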