Re: [sidr] Implementer inputs requested (Fw: SecDir Review of draft-ietf-sidr-bgpsec-protocol-20)
"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Thu, 22 December 2016 21:54 UTC
Return-Path: <oliver.borchert@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDE951295FB; Thu, 22 Dec 2016 13:54:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IMuyUpo2qBqv; Thu, 22 Dec 2016 13:54:11 -0800 (PST)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0126.outbound.protection.outlook.com [23.103.201.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 340641279EB; Thu, 22 Dec 2016 13:54:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=OYgFhPVG57dgYSzV2NUreqIeYvYIEAKxsyTZNxzEUfg=; b=2hIyzFf5ud0w1b2cNmjP7ObK4413PQNWxeq1yoKGJFXslaxBU48Y5M6HYIJcxL8rvsLfvS/NPcXe5rNIcwWeGnotqnPYGnZQrJZ86anGm9O7ioB329ZTYOU7w5H89y3F8+pT/HnUz133FvKpk3n6LkNax5Nb/hQnOFzvJAg1OBc=
Received: from BL2PR09MB0996.namprd09.prod.outlook.com (10.167.102.15) by DM2PR09MB0445.namprd09.prod.outlook.com (10.161.252.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.789.14; Thu, 22 Dec 2016 21:54:08 +0000
Received: from BL2PR09MB0996.namprd09.prod.outlook.com ([10.167.102.15]) by BL2PR09MB0996.namprd09.prod.outlook.com ([10.167.102.15]) with mapi id 15.01.0789.018; Thu, 22 Dec 2016 21:54:07 +0000
From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, sidr wg list <sidr@ietf.org>
Thread-Topic: Implementer inputs requested (Fw: SecDir Review of draft-ietf-sidr-bgpsec-protocol-20)
Thread-Index: AQHSXHqyAyzM0B3CfkavQnhoYfx3Q6EULw0A
Date: Thu, 22 Dec 2016 21:54:07 +0000
Message-ID: <71F0A322-DB63-4BD2-A07E-B162BE83AF34@nist.gov>
References: <D915BDA3-A15D-4445-8C18-DA155A73E0D0@vigilsec.com> <DM2PR09MB04464E3468A02A51130A89D684920@DM2PR09MB0446.namprd09.prod.outlook.com> <DM2PR09MB0446A2C482C53D6602E2E3D784920@DM2PR09MB0446.namprd09.prod.outlook.com>
In-Reply-To: <DM2PR09MB0446A2C482C53D6602E2E3D784920@DM2PR09MB0446.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1d.0.161209
authentication-results: spf=none (sender IP is ) smtp.mailfrom=oliver.borchert@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.140.59]
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0445; 7:dnVJYUqf4UVWmpcU8TwcqNWxdmHVP5nUZEmnef4gfr9NuFgIsNKWH417HASeQYhDfXdPBmxAieFb/pvB0u98LIo9x81L08orBozQ2uSBOinh4hesj/eS609s0m3oaPM9m4pmpECBWJmzwW3o13DLGuAZkuxinn5OGawalwtaDi9YZuoj8A+zYb13ZmBHxhf8giyjuzVLSjgKVXrCi4h70oS+fnMwgu5Nsv6M++LRvuqyGIExtqXyRQfcIHflyEaw23kC7p5PoaQk6+0c9w6KBXKowytgN8hvdTF6y8ne5bvMq4HngSQdF2U6zy8kOODlVmJeuspaT62QHAsBaJwwTSgcGu4B6rs91nfhVmhgi6TFBuMsXvtV4KksYS6bf9gOywucUm6F52es+8GWRuVI0oFly8yWkKZdC+EHAugfjRvZNLc1Wdud2ybWLiDvZ2AQ09uu+NbWT2m5iVW8tm8Beg==
x-forefront-antispam-report: SFV:SKI; SCL:-1SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39840400002)(39860400002)(39850400002)(39450400003)(39410400002)(377454003)(189002)(199003)(5001770100001)(8936002)(33656002)(25786008)(77096006)(4001350100001)(5660300001)(81156014)(6506006)(6512006)(81166006)(6436002)(3280700002)(97736004)(2906002)(82746002)(83716003)(4326007)(92566002)(2900100001)(86362001)(83506001)(7736002)(99286002)(122556002)(189998001)(230783001)(229853002)(6116002)(3846002)(102836003)(38730400001)(101416001)(8676002)(54356999)(66066001)(6486002)(36756003)(3660700001)(2950100002)(106116001)(106356001)(105586002)(68736007)(76176999)(50986999)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0445; H:BL2PR09MB0996.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
x-ms-office365-filtering-correlation-id: ac0d9459-8eeb-4575-22f5-08d42ab50e00
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM2PR09MB0445;
x-microsoft-antispam-prvs: <DM2PR09MB0445DE248095A6763F2AB8FB98920@DM2PR09MB0445.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123564025)(20161123560025)(20161123555025)(20161123562025)(6072148); SRVR:DM2PR09MB0445; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0445;
x-forefront-prvs: 01644DCF4A
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_71F0A322DB634BD2A07EB162BE83AF34nistgov_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Dec 2016 21:54:07.5357 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0445
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/oz1WW8gJfH3YYLg0UmlcABPVmik>
Cc: "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, Michael Baer <baerm@tislabs.com>
Subject: Re: [sidr] Implementer inputs requested (Fw: SecDir Review of draft-ietf-sidr-bgpsec-protocol-20)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2016 21:54:15 -0000
Sriram, regarding the implementer input, here are my thoughts: To comment 1: ============== It is not uncommon to have a length field not include its own size. An example is the length field of the capabilities which does specify the length (size) of the following capability (payload). In our case the length field specifies the length (size) of the signature itself (payload) and not the total length of all the signature fields (ski, length, signature) as do the other length fields. In addition, adding the 2 bytes for the field itself, will add more complexity to the processing regarding the crypto. Currently we can use the value “as is” without any additional math applying to it which will change once we include the 2 bytes for the field itself. So, I prefer to keep it as is. To comment 2: ============== I do not believe that by sending 2 separate capabilities we really “waste” anything. The reason is that compared to the overall BGP traffic, a handful of bytes exchanged during the session establishment doesn’t do any harm. But on a more serious note, introducing a 2-bit encoding adds additional complexity. The proposed encoding 01 – 10 – 11 (or 1, 2, 3) is fine except that it leaves out two additional stages. (A) the encoding 00 and (B) no capability sent at all. Looking at other capabilities, the “non-existence” of a capability states no support. Now by adding an unused 00, what does this mean? Does it mean we don’t support the capability which means we have two forms of signaling no support? And if it does not mean that, is it an error in which we need to add error handling. I think this adds unnecessary complexity that the implementer must check for 00 and the non-existence and deal with them the same way or differently? To keep it simple, I prefer to keep it as it is, this way we do not add additional confusion: (I) Announce the proper capability if supported (II) and if not supported don’t announce the capability. This is straight forward and falls in line with other capabilities. (As Example MPNLRI, 4 Byte ASN, etc.) Thanks, Oliver From: Kotikalapudi Sriram <kotikalapudi.sriram@nist.gov> Date: Thursday, December 22, 2016 at 12:41 PM To: sidr list <sidr@ietf.org> Cc: Russ Housley <housley@vigilsec.com>, "baerm@tislabs.com" <baerm@tislabs.com>, Oliver Borchert <oliver.borchert@nist.gov>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org> Subject: Implementer inputs requested (Fw: SecDir Review of draft-ietf-sidr-bgpsec-protocol-20) Russ Housley had suggested these changes (#1 and #2 below) as part of his SecDir review. But he also suggested to me to put it out on the mailing list so that implementers in particular and anyone having an opinion can have a say. Russ's comment: Minor: #1 In Section 3.2, the Signature Length within the Signature Segment does not count the length field itself. It seems that all of the other length values in this specification count the size of the length too. Consistency will avoid implementation errors. Russ's comment: Minor: #2 Section 2.1 says: ... The BGP speaker sets this bit to 0 to indicate the capability to receive BGPsec update messages. The BGP speaker sets this bit to 1 to indicate the capability to send BGPsec update messages. It seems a bit wasteful to repeat the whole capability for each direction. Wouldn't it be better to follow the example used in other capability definitions (such as RFC 7911) by using one of the unassigned bits? The Send/Receive pair of bits would have these semantics: This field indicates whether the sender is (a) able to receive BGPsec update messages from its peer (value 1), (b) able to send BGPsec update messages to its peer (value 2), or (c) both (value 3) for the address family identified in the AFI. [Sriram] Observation: Two implementations exist and they were shown to interoperate at the IETF-97 in Seoul. The changes would cause those implementations to make code modifications. Sriram
- [sidr] Implementer inputs requested (Fw: SecDir R… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Implementer inputs requested (Fw: SecD… Borchert, Oliver (Fed)