Re: [sidr] Presentations on non-working group documents
XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn> Thu, 28 July 2011 20:29 UTC
Return-Path: <sharangxy@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5C9911E8083 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 13:29:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.82
X-Spam-Level:
X-Spam-Status: No, score=-1.82 tagged_above=-999 required=5 tests=[AWL=-0.510, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OyaN+0wETd9x for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 13:29:50 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9B1E511E8081 for <sidr@ietf.org>; Thu, 28 Jul 2011 13:29:50 -0700 (PDT)
Received: by vxi40 with SMTP id 40so2787198vxi.31 for <sidr@ietf.org>; Thu, 28 Jul 2011 13:29:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=4KlMZBxVz0kRM8cVrCjQ4xoj9/I9yNJw2T8hguoR9Cw=; b=Gs5S150bIKNcrD/gjDiWTXEKfCXZssFppF9Zz59ii0PWQJow2VxTUXCmrw4Z0H5Dn0 3ZGwUw7v21mKjeSpNttqfuwumRv2nP1xXQIz90kxAs+KcqpIbyh/ADD9ag+N8MDgLLP1 dPfWCN4H9YfxdEagwjkc1yb9djo3yF9d3po3M=
Received: by 10.220.8.193 with SMTP id i1mr137231vci.108.1311884990074; Thu, 28 Jul 2011 13:29:50 -0700 (PDT)
MIME-Version: 1.0
Sender: sharangxy@gmail.com
Received: by 10.220.190.199 with HTTP; Thu, 28 Jul 2011 13:29:10 -0700 (PDT)
In-Reply-To: <4E31BA6E.9000400@bbn.com>
References: <4E31BA6E.9000400@bbn.com>
From: XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Date: Fri, 29 Jul 2011 04:29:10 +0800
X-Google-Sender-Auth: mPLRegganMHpnWhmPMN73RunAnk
Message-ID: <CA+rW-LAe1mBBEbAZUa2siGgxwBzc-+DHZgu3=brVp2AaJ72P_g@mail.gmail.com>
To: Matt Lepinski <mlepinsk@bbn.com>
Content-Type: multipart/alternative; boundary="bcaec54ee99ed1d05d04a92706af"
Cc: sidr@ietf.org
Subject: Re: [sidr] Presentations on non-working group documents
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 20:29:51 -0000
Hi Matt, and others, I agree with you that we should concentrate to the charter of SIDR. However, I also have some different opinions. 1. Firstly, expiration-date almost can not restrict replay attack, since route failures are frequently occurred. And the expiration-date can not be very short. >From this aspect, I think BGPSEC is also a "feasible path authentication" method. Actually, I just proposed a method to restrict the replay attack. That is the Suppressed Path Padding (or we can call it Non-optimal path padding). With SPP we can grantee that all non-optimal path will no shorter than optimal path. Since optimal path usually has an obvious longer use-time, SPP actually protect the most important optimal path. 2. Secondly, if guys think that BGPSEC has no need to cover AS Path Pre-pending, It means that BGPSEC also can not defend many "AS removal“ attacks, since ASPP is widely used. >From this aspect, even if BGPSEC grantees that the AS-Path represented in the route is the same as the path through, it has no significance since it can not defend very simple attacks. If guys think these simple attacks are acceptable, then we also should be able to adopt the tiny security loss in FS-BGP. Actually the full version of FS-BGP (armed with SPP) is more security than S-BGP. 3. Thirdly, the cost of S-BGP is unbearable. I remembered that Sandy said, "if the router can not bear, then we can choose only signs some of k path suffix from the entire n path suffixes." So guys, if we think selectively signing path suffixes is acceptable, I think we also can accept signing the adjacent AS triples using FS-BGP. Because --- neighbor based routing, this is indeed how BGP works. -- OK, I just a new guy here, and hope can make some contribution to the SIDR WG. Regards. _____________________________________________________ Yang Xiang, PhD student, Tsinghua Univ., about.me/xiangyang 2011/7/29 Matt Lepinski <mlepinsk@bbn.com> > At the end of the SIDR session there were a couple of presentations on > drafts that were not working group documents. I just wanted to agree with > something that Wes had said at the microphone near the end of the meeting. > > SIDR has a lot of work on its plate right now, and the area directors have > indicated that presently they are not willing to expand the charter to take > on additional work. Therefore, if folks have ideas about improving routing > security, I believe it is most helpful to the working group if these > suggestions can be cast in terms of improvements/enhancements/**extensions/optimizations > to existing SIDR work items (either RPKI origin validation or BGPSEC path > validation). > > > ______________________________**_________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/**listinfo/sidr<https://www.ietf.org/mailman/listinfo/sidr> >
- [sidr] Presentations on non-working group documen… Matt Lepinski
- Re: [sidr] Presentations on non-working group doc… XIANG Yang