IETF Logo Mail Archive

Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Tue, 14 January 2014 23:38 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4E2C1ADFCD for <sidr@ietfa.amsl.com>; Tue, 14 Jan 2014 15:38:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HdAwQFpgbAiU for <sidr@ietfa.amsl.com>; Tue, 14 Jan 2014 15:38:34 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0235.outbound.protection.outlook.com [207.46.163.235]) by ietfa.amsl.com (Postfix) with ESMTP id 243701ADBE5 for <sidr@ietf.org>; Tue, 14 Jan 2014 15:38:34 -0800 (PST)
Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB054.namprd09.prod.outlook.com (10.255.211.148) with Microsoft SMTP Server (TLS) id 15.0.847.13; Tue, 14 Jan 2014 23:38:21 +0000
Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) with mapi id 15.00.0847.008; Tue, 14 Jan 2014 23:38:20 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Chris Morrow <morrowc@ops-netman.net>, sidr wg list <sidr@ietf.org>, "sidr-ads@tools.ietf.org" <sidr-ads@tools.ietf.org>, "Randy Bush (randy@psg.com)" <randy@psg.com>
Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs
Thread-Index: AQHPDm3wnSnUj8c+U0aEK9MFBqOGz5qE4now
Date: Tue, 14 Jan 2014 23:38:20 +0000
Message-ID: <ce126281f8d14573a1b26db064792fc8@BLUPR09MB053.namprd09.prod.outlook.com>
References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net>
In-Reply-To: <52D0A0AC.5040903@ops-netman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.6.140.100]
x-forefront-prvs: 0091C8F1EB
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(679001)(689001)(779001)(189002)(199002)(87936001)(56816005)(85852003)(81542001)(50986001)(47976001)(85306002)(80976001)(65816001)(66066001)(2656002)(74706001)(54316002)(81342001)(93516001)(92566001)(56776001)(33646001)(83072002)(49866001)(4396001)(90146001)(74876001)(80022001)(47736001)(79102001)(69226001)(81816001)(76796001)(76576001)(81686001)(51856001)(63696002)(74662001)(74502001)(47446002)(31966008)(76786001)(59766001)(83322001)(77982001)(74316001)(74366001)(77096001)(46102001)(87266001)(93136001)(76482001)(53806001)(54356001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB054; H:BLUPR09MB053.namprd09.prod.outlook.com; CLIP:129.6.140.100; FPR:; MLV:nspm; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 23:38:37 -0000

I support publication of this document as an RFC.
I have some comments listed below that are meant to help improve clarity.

3.2 (current) A BGPsec design must allow the receiver of a BGP announcement  to determine, to a strong level of certainty, that the received PATH attribute accurately represents the sequence of eBGP exchanges that propagated the prefix from the origin AS to the receiver, particularly if an AS has added or deleted any AS number other than its own in the path attribute.  This includes  modification to the number of AS prepends.

3.2 (suggested rewording) A BGPsec design must allow the receiver of a BGP announcement  to determine, to a strong level of certainty, that the received PATH attribute accurately represents the sequence of eBGP exchanges that propagated the prefix from the origin AS to the receiver. Specifically, if an AS has deleted any ASN from the AS PATH it received or added an ASN other than its own then the verification of the update (if propagated) MUST fail at its neighboring  BGPsec routers.  This includes modification to the number of AS prepends, i.e. an AS in the path MUST NOT be able to modify the AS prepends (if any) of preceding ASs in the AS PATH.

3.4 (current) A BGPsec design MUST be amenable to incremental deployment. This implies that incompatible protocol capabilities MUST be negotiated.  

"Negotiating incompatible protocol" -- the phrase doesn't sound right to me.

3.4 (suggested rewording) A BGPsec design MUST be amenable to incremental deployment. This implies that a BGPsec capable router MUST be backward compatible and MUST negotiate BGP-4 protocol with a BGP-4 only neighbor,  and MUST interoperate with the BGP-4 only neighbor.
  
3.4 and 3.13 are related (overlapping). You may consider combining them.

In 3.14, this statement "Such mechanisms  SHOULD conform with [I-D.ietf-sidr-ltamgmt]" seems a bit abrupt. You should state what in [I-D.ietf-sidr-ltamgmt] is relevant here to "best path and other routing decisions."  Note: You do speak about [I-D.ietf-sidr-ltamgmt] more specifically again in 3.17.

Sriram

v2.23.0 | Report a Bug | By Email