Re: [sidr] [Idr] No BGPSEC intradomain ?
Christopher Morrow <morrowc.lists@gmail.com> Tue, 10 April 2012 17:47 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9119D21F860D; Tue, 10 Apr 2012 10:47:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.299
X-Spam-Level:
X-Spam-Status: No, score=-103.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P2n-IBLSlahd; Tue, 10 Apr 2012 10:47:42 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id E510E21F85D4; Tue, 10 Apr 2012 10:47:41 -0700 (PDT)
Received: by yhkk25 with SMTP id k25so42186yhk.31 for <multiple recipients>; Tue, 10 Apr 2012 10:47:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=cBnrA/Wo6JIm9UjLbxhntEM57Seu6uN3YCHKKGUGkp8=; b=Ry+2fyXX3i3NghZTpncbbFLRHWHV/6nggINkRezL/EKShs7Fhkxx1cm8Ng+U3w8kGm V5oa6o4lwckyV3/HLRwGQ/nG3cMnnUuAQWLHdKG47Wr3bxc3V0j+220FOEjY3NNXemoE ZjXsqdZ/14WQZNZdwTtuCcSr6Ol3vVELYSgt7rwablWyQRUsB6YwLe1dfL5r5peDtleC Y8rM2lI0UzpPTPPAKgFRVLoRipaumgzsrFs+2pmOkwHKOVJqKWm2dcP7C6boVGXeHQix EoTiiG9C5a9wupfxsqqqChPT3zsAUFN4TKqLlFvVDZBuTmAxXzvUaIWKGvPnSyV1pSrL Bplw==
MIME-Version: 1.0
Received: by 10.60.24.201 with SMTP id w9mr17022206oef.49.1334080061340; Tue, 10 Apr 2012 10:47:41 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.182.153.34 with HTTP; Tue, 10 Apr 2012 10:47:41 -0700 (PDT)
In-Reply-To: <4F846736.2060604@raszuk.net>
References: <D7A0423E5E193F40BE6E94126930C4930B96182E71@MBCLUSTER.xchange.nist.gov> <4F828D6D.10907@raszuk.net> <D7A0423E5E193F40BE6E94126930C4930B96C507DA@MBCLUSTER.xchange.nist.gov> <4F830E75.70606@raszuk.net> <24B20D14B2CD29478C8D5D6E9CBB29F60F6F1533@Hermes.columbia.ads.sparta.com> <4F832F5E.9030903@raszuk.net> <0BD03B75-CA3A-4CBA-BBF4-E2100AFA64E4@kumari.net> <4F846121.2050408@raszuk.net> <CAL9jLaYF-MW1cJ2n28BiV1mi+tpPS2ECKB2UxhFMQ=NXxbihCg@mail.gmail.com> <4F846736.2060604@raszuk.net>
Date: Tue, 10 Apr 2012 13:47:41 -0400
X-Google-Sender-Auth: 07VGFi-0uDlgB4aozWUDOSBeoh8
Message-ID: <CAL9jLaa4d+teV0xwgtMVfVfAKK89AwWkk3OQxGaT_sw6psuDiQ@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: robert@raszuk.net
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "idr@ietf.org List" <idr@ietf.org>, sidr@ietf.org
Subject: Re: [sidr] [Idr] No BGPSEC intradomain ?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2012 17:47:42 -0000
On Tue, Apr 10, 2012 at 1:00 PM, Robert Raszuk <robert@raszuk.net> wrote: > >> So... we can send the data along, but in the case of BGPSEC speakers >> the data isn't used (it's replicated in the BGPSEC_SIGNED_PATH). > > So far I have always heard that BGPSEC is just providing the hint to the > operator and does not change how BGP works. ok. > Here you are saying that now AS_PATH length should be calculated from > completely different (and optional) attribute. to the operator (and the implementation) there's not a difference.... > You are also saying that now multipath code which computes which path are > eligible to be multipath needs to look/parse/decrypt totally different > attribute. I didn't say anything about multipath. I presume it'd do the right thing with the meta-attribute it knows about way deep inside bgp processing on platforms that do bgp processing. > All BGP monitoring tools need to be upgraded to now understand BGPSEC > attribute too. And surprise .. here BMP will not convert it like it will to > "legacy" speakers. sure, they'd have to do that anyway, or they just are 'non-bgpsec-speakers' (an e|ibgp neighbour without security foo). In other words, tomorrow for them is the same as today, the world keeps on going round. > You may think that if we stuff all "data" in the new attribute and drop the > other one everything else will work. This may be so in theory, but it is > clearly not a case in practice. maybe? so far you've not convinced me... you can feel free to keep trying though? email is cheap. > > Regards, > R. > > > >> On Tue, Apr 10, 2012 at 12:34 PM, Robert Raszuk<robert@raszuk.net> wrote: >>> >>> Anyhow my doubt has been answered and I stay by my opinion that not >>> sending >>> AS_PATH and AS4_PATH is a terrible idea. >> >> >> So... we can send the data along, but in the case of BGPSEC speakers >> the data isn't used (it's replicated in the BGPSEC_SIGNED_PATH). >> Carrying extra bits isn't actually helpful is it? (the implementers >> drove the design decision here I believe) >> >>> Perhaps one could depreciate it in 20 years when world is upgraded to >>> BGPSEC, but recommending this in BGPSEC protocol draft now is IMHO not >>> helpful for any even potential BGPSEC deployment model. >> >> >> is it helpful for the folks that write bgp code though? "Hey, you will >> need to re-synthesize the as-path at sec->non-sec boundaries. you need >> to also create sec-path at none->sec boundaries." >> >> -chris >> >> >
- [sidr] draft-ietf-sidr-bgpsec-threats-02: Path sh… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Jakob Heitz
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Shane Amante
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Murphy, Sandra
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Andrew Chi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Sriram, Kotikalapudi
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Robert Raszuk
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Jakob Heitz
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Sriram, Kotikalapudi
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Murphy, Sandra
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Montgomery, Douglas
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Murphy, Sandra
- [sidr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-0… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Pat… Stephen Kent
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] No BGPSEC intradomain ? Warren Kumari
- Re: [sidr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Warren Kumari
- Re: [sidr] [Idr] No BGPSEC intradomain ? Montgomery, Douglas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jakob Heitz
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jakob Heitz
- Re: [sidr] [Idr] No BGPSEC intradomain ? Randy Bush
- Re: [sidr] [Idr] No BGPSEC intradomain ? Randy Bush
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Paul Jakma
- [sidr] iBGP, BGPSEC and incremental deployment (w… Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Christopher Morrow
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jakob Heitz
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? Brian Dickson
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? Robert Raszuk
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Christopher Morrow
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? George, Wes
- Re: [sidr] [Idr] No BGPSEC intradomain ? Jeffrey Haas
- Re: [sidr] [Idr] No BGPSEC intradomain ? Paul Jakma
- Re: [sidr] iBGP, BGPSEC and incremental deploymen… Jakob Heitz
- Re: [sidr] [Idr] iBGP, BGPSEC and incremental dep… Brian Dickson