Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview ENDING: 10/21/2015)
"George, Wes" <wesley.george@twcable.com> Wed, 14 October 2015 21:25 UTC
Return-Path: <wesley.george@twcable.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 502EE1A8969; Wed, 14 Oct 2015 14:25:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.664
X-Spam-Level: *
X-Spam-Status: No, score=1.664 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, HELO_EQ_MODEMCABLE=0.768, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IMw4GFaHQs_W; Wed, 14 Oct 2015 14:25:37 -0700 (PDT)
Received: from cdcipgw01.twcable.com (unknown [165.237.91.110]) by ietfa.amsl.com (Postfix) with ESMTP id 7FA501A8961; Wed, 14 Oct 2015 14:25:36 -0700 (PDT)
X-SENDER-IP: 10.64.163.149
X-SENDER-REPUTATION: None
X-IronPort-AV: E=Sophos;i="5.17,682,1437451200"; d="scan'208";a="418476397"
Received: from unknown (HELO exchpapp08.corp.twcable.com) ([10.64.163.149]) by cdcipgw01.twcable.com with ESMTP/TLS/AES256-SHA; 14 Oct 2015 17:18:32 -0400
Received: from EXCHPAPP06.corp.twcable.com (10.64.163.147) by exchpapp08.corp.twcable.com (10.64.163.149) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 14 Oct 2015 17:25:34 -0400
Received: from EXCHPAPP06.corp.twcable.com ([10.64.163.147]) by exchpapp06.corp.twcable.com ([10.64.163.147]) with mapi id 15.00.1104.000; Wed, 14 Oct 2015 17:25:34 -0400
From: "George, Wes" <wesley.george@twcable.com>
To: Chris Morrow <morrowc@ops-netman.net>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview ENDING: 10/21/2015)
Thread-Index: AQHRBsbcSHTgZniRgUuZ9gXNgaBt3g==
Date: Wed, 14 Oct 2015 21:25:34 +0000
Message-ID: <D2442A8C.6CE45%wesley.george@twcable.com>
References: <yj9osi5mae4p.wl%morrowc@ops-netman.net>
In-Reply-To: <yj9osi5mae4p.wl%morrowc@ops-netman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.7.151005
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.64.163.240]
x-tm-as-product-ver: SMEX-11.0.0.1191-8.000.1202-21880.001
x-tm-as-result: No--46.741800-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="utf-8"
Content-ID: <F503DE8AFDC0574390264BCF8E0BFB7D@twcable.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/q3b5eL1pEjQQBzj6xgiMyZMA1GM>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview ENDING: 10/21/2015)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2015 21:25:39 -0000
Gave this a review, and stumbled across an issue that may not necessarily be gating to this draft, but should probably be addressed in some other drafts. Regarding this text in 4.2: "Additionally, BGPsec requires that all BGPsec speakers will support 4-byte AS Numbers [RFC6793]. This is because the co-existence strategy for 4-byte AS numbers and legacy 2-byte AS speakers that gives special meaning to AS 23456 is incompatible with the security the security properties that BGPsec seeks to provide." Nit: "the security" appears to be duplicated. Substantive: I had to think through this for a bit to make sure I understood why this is true beyond the obvious problem of AS23456 not being unique. I think we need some additional words explaining why, though I am not sure if it belongs here, in the protocol draft, or in sriram's design-choices doc (7.6 is very thin on explanation). I think that this is a specific corner case for the more generic case of incremental deployment, where a given path has some routers/ASNs that support BGPSec and some that do not, and as far as I can tell, incremental deployment isn't really discussed as a concept beyond the [non]negotiation of support between peers. When a BGPSec-capable router sends updates to a non-capable peer, it strips the BGPSEC_Path attribute from any BGPSec-protected routes it is propagating and announces a regular AS_PATH, and therefore any protection beyond that point is lost. Section 4.2 of the protocol doc says that if a BGPSec-capable router receives updates from a non-BGPSec peer, it will not sign those updates when propagating them to other BGPSec-capable peers. As a result, that route's path will not be protected at all. However, I couldn't find that particular set of interactions discussed in any of the documents in the context of incremental deployment, and what it can and cannot do to protect different route announcements. In other words, BGPSec supports securing the path when: - All routers end to end support BGPSec, which results in the entire path being protected. - The originating router and one or more contiguous routers (ASNs) in the downstream path support BGPSec, but one or more routers before the route's final destination do not support it. This results in the BGPSec signatures being stripped and falling back to insecure mode beyond the last contiguous BGPSec-capable router, but still provides partial protection through the portion of the path that is BGPSec-capable. This is true even when a gap of one or more BGPSec-incapable routers exists in the middle, followed by additional BGPSec-capable routers, as only the first part will be secured. BGPSec does *not* support securing the path even partially when: - The originating router and one or more routers in the downstream path do not support BGPSec, but send the update to router(s) that do support BGPSec. I.e. There is no model in BGPSec for updates that have [unsigned AS_PATH of one or more ASNs] + [Signed BGPSec_Path] of one or more additional ASNs to at least secure the part of the path where BGPSec is supported. So you can grow BGPSec's chain of protection from origin to "middle" and gain some incremental benefit across the part of the path that supports BGPSec, but you cannot grow BGPSec's chain of protection from "middle" to end and gain the same incremental benefit, even in the case where only the originating router doesn't support BGPSec but the rest of the path does. I think I understand the reasons why we chose not to allow this case, but I don't know that this is discussed anywhere in these terms. There is a discussion in 6.4 of Sriram's design-choices doc, but I think it's incomplete since it only discusses it in terms of it being unacceptable to sign updates that it can't verify. IMO there's a difference between signing an unsigned update and carrying unsigned updates alongside signed ones so that it is clear which part of the path is rigorously protected vs not. Put differently: "I have no idea whether the people before Randy were telling the truth, but I can assert that Randy, Sandy, Chris, Matt, and Rob all verifiably told the truth about their part of the path when they sent the route to me." I think maybe that has some value in an incremental model, but if it doesn't (or is sufficiently difficult to implement as to negate the potential benefit), we should explain why. Thanks, Wes On 10/7/15, 11:32 AM, "sidr on behalf of Chris Morrow" <sidr-bounces@ietf.org on behalf of morrowc@ops-netman.net> wrote: > >Howdy WG folks, >Please consider this your warning/notice that the WGLC has been started >for: > > draft-ietf-sidr-bgpsec-overview > >Abstract: > "This document provides an overview of a security extension to the > Border Gateway Protocol (BGP) referred to as BGPsec. BGPsec improves > security for BGP routing." > >Please give this a read, send comments if there are any, and let us >know if this is prepared for publication request. > >Thanks! > >-chris >co-chair > >_______________________________________________ >sidr mailing list >sidr@ietf.org >https://www.ietf.org/mailman/listinfo/sidr ________________________________ This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
- [sidr] WGLC: draft-ietf-sidr-bgpsec-overview ENDI… Chris Morrow
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … Sean Turner
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … Sandra Murphy
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … Sandra Murphy
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … Sandra Murphy
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … George, Wes
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … Samuel Weiler
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … Sean Turner
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … George, Wes
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … Sriram, Kotikalapudi
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … Sandra Murphy
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … George, Wes
- Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-overview … George, Wes