IETF Logo Mail Archive

Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?

"Montgomery, Douglas" <dougm@nist.gov> Thu, 28 July 2011 19:43 UTC

Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C03A511E8121 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:43:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.282
X-Spam-Level:
X-Spam-Status: No, score=-2.282 tagged_above=-999 required=5 tests=[AWL=0.317, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qm1KRNotB9Hs for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:43:52 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 5141711E80F0 for <sidr@ietf.org>; Thu, 28 Jul 2011 12:43:52 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.323.0; Thu, 28 Jul 2011 15:43:57 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Thu, 28 Jul 2011 15:43:48 -0400
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Shane Amante <shane@castlepoint.net>, "sidr@ietf.org" <sidr@ietf.org>
Date: Thu, 28 Jul 2011 15:43:18 -0400
Thread-Topic: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
Thread-Index: AcxNWMvXAWgAjGIMQFCYGDxRLTLcowAA8L60
Message-ID: <D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov>
References: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net>
In-Reply-To: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Subject: Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 19:43:53 -0000

The discussion so far has not been protecting/validating if prepending *should have* occurred.    BGPSEC protects the AS_PATH.  Prepending occurs in the AS_PATH.  Today's strawman presented one approach to protect the fact that prepending *did* occur (without comment as if it should have occurred).

With that interpretation, I don't think today's proposal violates the requirement about presuming intent.

This too is good discussion as to what the requirement is.    

If we want to protect the common encoding of prepending in the AS_PATH today's strawman provides a simple approach.   

I don't know if your example is primarily pointing out another situation where prepending occurs on ingress .... or if we you are proposing that we discuss protecting the intent to prepend.

If it is the latter - that is a significant expansion of requirements - and there are no obvious simple enhancements of bgpsec-00 mechanisms that would get us there.

dougm




Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
________________________________________
From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Shane Amante [shane@castlepoint.net]
Sent: Thursday, July 28, 2011 3:00 PM
To: sidr@ietf.org
Subject: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?

Hi,

I have a question for the WG.  In a series of e-mail exchanges earlier this year, I had thought it was concluded that BGPSEC was merely being used as a means to express that a BGP UPDATE had passed through a series of ASN's, i.e.: it's an expression of a "breadcrumbs", if you will, that can [later] be validated by receiver that are further downstream.  IOW, it's not a validation of the TE policies (e.g.: AS_PATH prepending) applied by ASN's.

I went back to the BGPSEC requirements:
http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-00
... and, if I look at Req #3.19:
   3.19  A BGPsec design SHOULD NOT presume to know the intent of the
         originator of a NLRI, nor that of any AS on the AS Path.

What was the intended meaning of the word "intent"?  I thought that word was meant to say that BGPsec was not intended to validate TE policies that may, or may not, be applied to the NLRI.  If that is correct, then why is the WG looking at signing an BGP attribute that expresses the the number of times an ASN may be prepended?  Or, has the WG had a change of direction and I haven't kept up to speed?

I would note that the reason I'm asking the above is that it may not be the originator that is performing AS_PATH prepending.  Specifically, a customer may use a provider's BGP TE communities to ask the provider to perform AS_PATH prepending (selectively) on their behalf.  But, since these BGP TE communities are not signed, then how would a receiver of the NLRI know that an AS_PATH should or should not have been prepended by an intermediate/transit ASN?

Thanks,

-shane
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email