[sidr] minutes from interim meeting
"Murphy, Sandra" <Sandra.Murphy@sparta.com> Thu, 11 October 2012 18:20 UTC
Return-Path: <Sandra.Murphy@sparta.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 105BD11E809A for <sidr@ietfa.amsl.com>; Thu, 11 Oct 2012 11:20:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.579
X-Spam-Level:
X-Spam-Status: No, score=-100.579 tagged_above=-999 required=5 tests=[AWL=-1.780, BAYES_50=0.001, J_CHICKENPOX_31=0.6, J_CHICKENPOX_63=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kwzgTOmKemkw for <sidr@ietfa.amsl.com>; Thu, 11 Oct 2012 11:20:09 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 0EA811F0381 for <sidr@ietf.org>; Thu, 11 Oct 2012 11:20:08 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id q9BIJwdS017647 for <sidr@ietf.org>; Thu, 11 Oct 2012 13:19:58 -0500
Received: from Hermes.columbia.ads.sparta.com ([157.185.80.107]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id q9BIJq9T016978 for <sidr@ietf.org>; Thu, 11 Oct 2012 13:19:58 -0500
Received: from HERMES.columbia.ads.sparta.com ([fe80::e4a8:a383:2128:c0e5]) by Hermes.columbia.ads.sparta.com ([fe80::e4a8:a383:2128:c0e5%21]) with mapi id 14.01.0379.000; Thu, 11 Oct 2012 14:20:01 -0400
From: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: minutes from interim meeting
Thread-Index: Ac2n1NHSyyMYEvkySQqhd/dMu4zB4g==
Date: Thu, 11 Oct 2012 18:20:00 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F62BF035DC@Hermes.columbia.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.185.63.118]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [sidr] minutes from interim meeting
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Oct 2012 18:20:12 -0000
We had two minutes takers from the interim meeting on 29 Sep. They had different styles of taking minutes. One set of minutes was more summarization: noting topics and outcome of the discussion. One was more detailed: noting details of the discussion and who made what comment. I myself find that both styles have benefit. Luckily the two minutes are pretty synchronous with match points. I have melded the two, so there is a topic and summary followed by the detailed discussion. I have checked against the recording when the minute taker was uncertain. Aside from mis-spellings, anything I inserted is noted by <ed: xxxx >. The minutes are below and will be uploaded. Corrections should be sent to the list. --Sandy, speaking as co-chair Interim meeting, 29 Sep 2012, Amsterdam, NL. Link to recording of meeting: http://www.meetecho.com/ietf-interim/recordings <Editor note: in the below, I believe that the names used indicate: Matt: Matt Lepinski Randy: Randy Bush Chris: Chris Morrow Rudiger: Ruediger Volk Wilifred: Wilifred Rob: Rob Austein Steve: Steve Kent Sandy: Sandy Murphy Steffann: Sander Steffann Sriram: Sriram Kitakalapudi Eric: Eric Osterweil Russ: Russ Housley The meeting began with a discussion of draft-ietf-sdir-bgpsec-protocol-05.txt, with Matt Lepinski as presenter. bgpsec-protocol-05 - Open Issues Matt L: 5 reviews of the doc - discuss issues raised by those reviews -minor mistakes and improving of text he is fixing 1. What to call the AS path that is protected in BGPSEC? Call it simply AS path. (That is distinct enough from BGP-4 AS_PATH. Details of discussion: -We don't have an AS_Path attribute to reference in the docs, what do we call the sequences of ASes through which an update passes Randy: bgpsec path Matt: like to refer to those without referring to a set of attributes Chris/Randy: sequence of ASes through which an update passes is just fine 2. Transport security: Suggested wording: If you wish to protect the transport, then you must use a form of transport layer security. (The document does not recommend specific one.) Details of discussion: Matt: Do we want to specify a mechanism for transport security? eg tcp-ao -- if we don't specify there are residual things that bgpsec can't secure Does it make sense to do a SHOULD or MUST without specifing a specific mechanism. Randy: If you wish to protect against these vulns, then you must/should Chris: No one does AO and MD5 is somehow bad, so Randy's right - No objections 3. <ed: new topic re: Editor's notes> Matt: Planning to remove Editor's notes in next ver 4. Failure to negotiate BGPSEC successfully with a neighbor should result in falling back to negotiating BGP-4. Details of discussion: Matt: Negotiation errors - RFC5492 says if you fail to negotiate a capability you might send a bgp notification message and close the session. If I want bgpsec and my neighbor doesn't we fall back to regular bgp4 - my proposal is to reccomend falling back to bgp4 and not close the session Would like feedback if anyone would prefer to fail the session: Chris: it sounds like an implementation choice - ask for a knob from vendor - you don't want a situation where you can't have a bgpsec router talk to a non bgpsec router Matt: recommend adding a sentence that says fallback recommended, closing is fine Rudiger: I think we need to know when the session comes up, which policy to push - whether bgpsec came up or regular bgp4 Randy: It's not bidirectional - you should know whether you can send or receive etc Current doc does not document that you can be send only Matt: I'll fix that 5. Non-null SAFI: Matt will take it to the mailing list to see if anyone wants its inclusion. Rob: All rpki implementations are affected if you change the specification to include non-null SAFI. Details of discussion: Matt: SAFI - Do we need a safi present flag? Rob: The actual question is do we need a safi field at all? You are only allowed to use v4/v6 unicast with null safi. If we decide we want safi, then in order to express what's in 3779(?) we need a flag Matt: is there is a use case for non-null safi in bgpsec ver0 Some guy <ed: the name is unclear in the recording and I do not recognize the voice>: Suppose I have non-complement ... from the same AS (mcast?) Matt: This version does not handle mcast - you have to send without protection your mcast Rudiger: The origin validation is only for unicast -- protecting the ASpath perse could be of value for people doing strange address families Matt: Take to list - unless someone on list comes up with use case, then we will take it out 6. 4-byte ASN: Does negotiating bgpsec mean negotiating 4-byte asn also. No, you may negotiate 4-byte asn but not bgpsec. So have separate negotiations for the two capabilities. Details of discussion: Matt: Negotiation of 4byte AS You need to support 4byte AS's - doesn't support 3byte hack What happens when a speaker does not support 4byte AS? Do we close the session? Some guy <ed: the name is unclear in the recording and I do not recognize the voice>: If I say bgpsec, and my neighbor says AS4 - then we do really want to negotiate AS4 Matt: seemed to get it 7. BGPSEC capability negotiation: Have 2 separate messages, one for send and another for receive. Rob: Do 2unless you are short of capabilities. But don’t do subtyping, i.e. put one under another. Details of discussion: BGPsec has 2 options - I want to send you bgpsec and I'm willing to receive bgpsec I may not want to do sig valid, but do want to generate sigs I might trust my upstream to do this hard validation stuff and just generate my sigs Is this an ok situation or a fail to negotiate Randy: why don't we send 2 different capability messages, instead of 1 message with 2 bit flags for send/receive Wilifred <ed: the name is unclear in the recording and I do not recognize the voice>: you should allow this situation Matt: Currently you send 2 capability msgs (v4/v6) so now you would send <ed: two> Heather: What is the harm of sending both Rob: Don't add another one Matt: proposal is to keep it separate 8. BGPSEC_PATH_SIGNATURES attribute name: Simplify to BGPSEC_PATH. Details of discussion: Name of the attribute: anyone have a prob renaming - No 9. Router ID inclusion in the update: Final decision was not to include it in the BGPSEC update. Discussion: Steve Kent: SKI which is a hash of public key is extraordinarily likely to be unique. Router ID has significance between immediate neighbors; irrelevant two hops way. It is not relevant from a correctness point of view (in BGPSEC updates). Rob agrees with Steve. Consensus in the room for not including. Details of discussion: Router ID's reccomends that routers have a subject name that includes a router-id identifying a router do we add router-id as an unsiugned field right next to ski in bgpsec attr? if we don't a large number od certs matching a given as must be sifted through Does it make the validation code simpler/faster? Rudiger: router id is a phrase that is used Sandy: you can put whatever you want in the router id field if you want to identify a set of routers Steve: which fits in the field. There is a subject name which is a character string --- My argument is no we don't need it because the hash of the public key is likely to be unique to begin with if at one end the knob says every router gets a different cert with a different pub k -- or different keys. On either end there is no problem. It's very likely to not be a big deal. I think the likelyhood of collisions is small. Matt: current text suggests when you talk to cache you should filter by ASN then by ski. Someone suggested that there was potentional of DoS attack if someone generates millions Steve: described ways to forge Randy: problem occurs when you are in the middle. (One key in America, one key in aspac) A router key is compromised in one region - idea is to restrict compromise to one continent, and you can't know unless the router id is in the update Sriram: ... Matt: Do I have information in my bgpsession that I can check my router id against so that I know which one the peer is using Randy: It's not the peer, because it can be several hops away Matt: if we put in routerid in the update msg, I can't check to make sure everyone in path was using the right router id Randy: If you glom that up you don't have that assurance Matt: is that a useful assurance - is it useful to be able to check which key the peer is using Randy: I would use artificial routerids - in bgp they are only unique to an AS -- Chris: whether you are at the 1 key per router, or 1 key per AS, the peer only knows you signed a msg with a key, this is a troubleshooting and later validation issue It's misleading to call this router id. Its an identifier for this key and everything that was signed by it. Rob: from the cert side, I'm with steve Steve: idea was when we open a connection between a pair of routers, immediate peer can check the guy who he thinks is configured, once you are more than 1 hop away this is irrelevant you are checking for consistency to the AS, not to a specific router. Immediate neighbor stops being interesting when you don't have a 1-to-1 Matt: signing over routerid isn't useful if.... Steve: you don't have to have routerid in there - its not relevant more than 1 hop away. Once you revoke a key, well you've killed the key and it can't be used anymore Chris: thinking about this as routerid is a problem - think about it as random number that is 32 bits long Randy: in the update that I outbound sign, my key in rpki is bound to that nonce, that allows me to protect a compromise on router A from compromise on router B Matt: there is a compromised router and a good one. the compromised router can use his comp'd key to sign on behalf of your AS, your concern is that if my comp in NA you don't want asia to be signing <break> Matt: what I have heard is that no one can provide a concrete security benefit for putting the router id in this doc - I will make this assertion on the mailing list - if anyone finds a usecase on the list, we'll sort it on the list 10. Reserved field in the Update: Historically it is there because it was originally meant to be used for Expire Time (a method of replay protection). Its usability is good for protocol extension (expire time or other use) at the origin only. Jari Arko: You can add one TLV mechanism for one purpose using this. Randy: “If you design an extension carefully, it would have a 25% chance of designing for future. Since this was thought of for a specific purpose, it has much smaller chance.” Sriram: “I am neutral but we may like to wait a few months before removing it until the replay protection mechanism gets fully finalized. Periodic Key Rollover is something to be considered for its merits, and it is similar to Expire Time method. He said he and Doug wrote a document (announced it on the SIDR list on September 21) which discusses all the pros and cons in detail about different replay protection method.” Matt: Room seems to be leaning towards removing it; we will take it to the mailing list. Details of discussion: Additional info - is it useful? add'l info - signed origin added blob of bits when we took out expire_time. Some folks though we may in the future want to add expire_time or signing_time or something to support better protection against replay or other issues Allows origin to assert something under sig, and allows us to support possible extension mechanism is this still useful, is the current spec good enough if we go from ver 0 to ver 1 we lose backward compatibility - Rob: I don't know if we need ext mechanism - I'm not convinced this is useful. This is only good for originator only, as opposed to a long path. This is taylor made for 1 ext we may never make. I won't stand in the way but not seeing a strong argument in favor Guy w/ pink dot on badge (Jari? Jani?)<ed note: I believe that this is a reference to Jari Arkko>: It's useful that you can add exactly one TLE Matt: I'm all for making this better if anyone has suggestions Randy: be honest, this is restrictive extension mechanism not really designed as such - it's a vestigal organ, it's dead. If you want an ext mechanism, design one Rob: If you actually want an ext mech, look at the ipv4 header Matt: 2 things proposed - make it more general or kill it -- Rob and Randy that says kill it. Chris: are we sure we never want to add anything more at the origin end. Randy: ...that's compatible with this Matt: anything added needs to be able to be ignored by someone who doesn't understand this - so if its a security thing we don't want them to ignore Sriram: not in favor or against - expire_time in origin made the update expire at a certain time- key rollover replaced this. Periodic key rollover mimics this. If someone thinks expire_time is better because it doesn't create churn (key rollover has churn) so maybe we keep it and see if someone is concerned about the churn. I'm neutral on this Matt: No other comments? To the list.. the room is leaning toward kill it 11. <Ed: new topic> Non-bgpsec stuff in your AS Details of discussion: Matt: Attr is currently non-transitive - if you send to a speaker that doesn't understand, they drop it. Will RR strip? Rudiger: no Randy: bgpsec ops doc says.. rr must have bgpsec enabled if/oif there are bgpsec speakers in their client cone Matt: should this doc need to have a pointer to ops discussion of those considerations. It was suggested that this might be a prob Chris: monitoring comes up - If an rr doesn't accept bgpsec I wouldn't send them bgpsec data (wouldn't have negotiated) path constructed based on bgpsec and fwd'd Matt: if I have a mixture of bgpsec and non-bgpsec speakers in my AS, is that a problem Chris: 2 routers hear same prefix - one may choose it, one may not -- i might say, I trust my bgpsec speaking routers more than those that dont Matt: I don't think there is a problem here - Sandy agree (you made the comment) Sandy: Yes 12. Length field: Rob: Traditionally the header in included in the length field; keep it that way. Decision: Length field value will include the overhead bytes used for the length field itself. Details of discussion: Does the value of length field inc octets used to express length field Matt: I want to make them all the same Rob: 2 obvious right answers - historically these include the length of header, wrong decision 30 years ago, but we kept going with it -- not worth changing Matt: I will go through and make sure this is consistent in the way rob suggested 9 (see slide) include length octets in length calculation 13. Null BGP-4 AS_PATH or Null BGPSEC_PATH from originating router to egress router: Randy : “If originating router is BGP-4, then it will send Null BGP-4 AS_PATH. If it is BGPSEC and knows the egress is BGPSEC, it will send Null BGPSEC_PATH.” Question (note taker): How does the originating router know if the egress router does BGPSEC or BGP-4 only? Details of discussion: Originating an update: Matt: Inside my AS a router originates a prefix, currently it creates an empty AS path, when it hits the edge it creates a aspath --- When bgpsec speakers are talkign to each other using signed update msg. ..... do I want my bgpsec speaker in the middle talking to the edge producing an unsigned msg ... reasonable approach: inside my AS I send empty aspath until it gets to the edge where it gets added Randy: I know who I'm talking to Chris: Are you sure you are getting the update from them? Isn't the genesis the discussion I should be able to know that my AS originated the route. Matt: seems silly to sign to yourself Chris: proxying Danny's question Sriram: does the msg received by the edge router, is it different if empty bgpsec path Matt: semantics aren't different, bits on the wire are diff Sandy: in one case aspath length = 0 and in other case you have bgpsec path =0 Randy: gives example - Sandy: what does something send the edge Randy: if I am originating and speaking to if a null aspath reaches the edge and the edge speaks bgpsec, it becomes bgpsec Rudiger: as long as the optional field is not around Randy: no it will be done by the edge Rudiger: in case you are actually putting the time in, if some unknown ext is put there it might make a difference Matt: I'll take all to the list. the sense of the room is leaning toward empty bgpsec attrib 14. Valid-Invalid vs. Good-Not Good: The room leaned towards Valid and Not Valid. Randy: “Someone on the SIDR list suggested a not unreasonable third state for bgpsec validation. Details of discussion: Validation state names Matt: I would like to call the states valid and invalid. Any probs with that? Randy: Is it verifiably invalid, or couldn't validate Matt: Couldn't validate is long Randy: sure, not validated Sandy: if the origin validation comes up with unknown or invalid, bgpsec comes up as not good. If you translate not good to invalid. I think you need separate terms so you aren't overloading Rob: Valid and not valid works for me --- invalid means something different in this space Matt: I will change to Valid and not Valid Rob: you may actually need to explain binaries (kidding) Sandy: someone will ask origin has 3 states, this has 2, what happened? Matt: I could, but doc is already long Randy: that msg suggested symantics for the 3rd state in bgpsec validation that wasn't unreasonable Matt: we can do it there is a good use case 15. Error Handling: General consensus was not to drop the bgpsec session if the parsing failed (i.e. syntax errors). There was difference of opinion whether the prefix should be treated as withdrawn or ignore the update (i.e. simply consider it never occurred). Sriram: If bit flipped in the NLRI, you would be withdrawing the wrong prefix. Ruediger: That is alright. Rob: Yes, the protocol document has normative dependency on the error handling draft in IDR. Details of discussion: Error Handling Matt: current text log error and drop update -- maybe not the right text. what can I reference for the right way to handle errors -- 4271 will tell us to close the session, which we probably don't want Randy: draft-idr-handling - a little sarcastic Chris: there are some errors you can handle because it doesn't affect routing, if bgpsec content is unparsable do I still accept the route or throw it away Randy: you are going to have to classify in terms of that document Jari: if you ever have to deal with both sec and non-sec info - if something fails you treat the info as insecure and up to policy on whether you accept it or not Chris: update is formatted properly but a bit gets flipped - in the bgp world you would notify and restart (bounce) - this is discussion idr is having - when does it matter and when does it not Rudger: drop update or treat as withdrawl? matt/randy: thats the prob Rob: we dont constantly monitor logs - I saw nothing about mib counters in the idr doc - Sriram: problem is we have one bgpsec path which includes path info and signatures, if there is an error the whole thing is invalid. We dont have seperation. there are only 3 choices, withdrawl, close session or drop update. No option for saying just a security error. Is there a case for seperating path information in case there is an error and then you atleast still have the path for bgp4 Chris: if the bgpsec attrib is bad - if you believe they are half crazy.. you can't get the aspath and have to treat as a withdrawl.. then they are all crazy Jari: if there is insecure data you don't want to override any secure data - Chris: I may choose to take the settlement free path over the secure path If we fall back to the neighbor is crazy thats what we should worry about Jen: I don't think we want to drop bgp -- I don't want to flap, but I don't trust the update, withdraw Matt: inform the operator (not notify, not log..) Eric: how do you know? Chris: you pack an update Randy: the flipped bit was in the nlri - treat as withdraw - this is going on in idr Rudiger - hopefully they will come up with good language Matt: 06 ver will say you should inform and treat as withdrawl Sriram: you can't tell anything about the prefix so how can you treat as withdrawl? Matt: in the early years it will be more likely that we stumbled into something untested rather than random bit flip via solar flare Are you arguing to treat as if update occurred or shut session Sriram: as if it never happened Eric: leave this to idr - hate to end up with 2 different results Rudiger: if we get garbage from idr then we have problems - what kind of errors are we covering here - solar flare bit flips should have no impact Chris: if you put transport security ON then you have to address it Rudiger: we are looking at format errors in the bgpsec attribute, treat as withdraw Rob: we do have a normative dependency on idr Matt: suggest saying handle as you would any syntax error in bgp -- take it to the list 16. Deferring Validation: Question: Router MUST or SHOULD validate later and reevaluate best path? The consensus seemed to be that router MUST reevaluate. Ruediger: Change in RIB entry will automatically trigger best path re-computation. Details of discussion: Deferring validation Matt: I got multiple comments on this text: "During exception conditions (eg the BGPsec speaker receives.....).." suggestion that there should be text that says you may defer validation if you have to more text that says "implementation that support such deferment of validation..." Are these reasonable texts on deferring validation state? Are these reasonable MUSTS? To Rob - I got that you flagged a problem but am not sure what it should say. Eric: I get the principle that you might need to do this, but this seems to open an attack vector - so we should describe the requirement to do this Rob: must perform validation as soon as possible you could end up with a lot of side cases and reasons why it takes to long Randy: the whole thing is a rat hole Rob: operators wanted to be able to defer Rudiger: we can deal with unvalidated stuff, the provision for dealing with that is a requirement for implementers - going into details is a rat hole, just stay out Chris: The original reason was to maintain speed of convergence - if you back up and say we should just validate and run best path and move on - ops will ask vendors for a knob to defer and rerun. You can unpack and get path info, then validate later. Matt: its the crypto that could be a problem later Randy: I just got bgpsec updates and don't have a path to rpki Rob: ask implementers. add text that says, be aware you may want to rerun Rudiger: rerun policy and that implies rerunning best path Sriram: have we made it clear somewhere that we have to check syntax error first. Matt: if your length fields are wrong in your tlv's then you arne't going to parse this Matt: we really need to get implementers opinion on this and what you would like it to be Heather: don't see what is wrong with the text Sriram: if you have path info and signatures seperate - if you decide to defer validation and it is simple to pick path validation Rob: lets not reopen that issue again Rudiger: I think it irrelevent - i feel the language is bad, when we take a deferred object we run policy and insert result in rib which triggers best path -- wehn we do validation we have to rerun policy, this may change rib entry, which triggers best path 17. Validation at Edge Only: Sandy: How does the text relate to RR. Matt: RR should not need to do crypto validation. Chris: “You can do crypto everywhere; you need no do crypto everywhere. Randy: “There are no bits in iBGP to convey validation state. Operator has to devise a way.” Heather: “That’s covered if you combine the two sentences in the middle on Matt’s slide.” Details of discussion: Matt: Edge Validation (see slide for text) "Bgpsec validation needs only be performed at ebgp edge...." we really needed to say something about how you only need to validate at the edge. This text might say to much? Do I need to say the first sentence? Can I yank the entire paragraph. There were multiple people who read this, who didn't like the message. Sandy: how does this relate to route reflectors Matt: no one has suggested that rr's can't - no one is trying to take anything away Randy: objected to "may be conveyed via ibgp" so give a hint that its conveyed by some mechanism --it's a nit on the language Matt: Combine the middle 2 sentences -- conveyed via some mechanism 18. Choosing Valid over Unsigned: Randy suggested leaving that to the bgpsec-ops document. Details of discussion: Use of Validation state Matt: Do we want to mandate that you cannot pick a non-bgpsec best path if you have bgpsec valid. (everyone agrees?) Do we want some text that says SHOULD Randy: its in the ops doc Matt: remove 1-2 sentences and leave it to the ops doc 19. Re-run Validation: Upon receipt of RPKI state update, router will re-run those bgpsec updates that the RPKI updates may affect. Sandy: 4271 mandated re-evaluations if there are any. Rob: Careful about using the word “immediately”. Matt: References to rpki-rtr doc are informative. Details of discussion: ReRunning validation Matt: RPKI state might change, do we need text that says to rerun validation algorithm Randy: you will receive the withdrawal. periodically is not the term that applies Chris: I have a whole rib built and I go out and revalidate and the rpki cache does not have an entry for something that I had before. Now Ive gone to not found and start sending updates Matt: when I get a msg from rpki router saying there are certain keys that are no longer good, I look through rib and see if I am using ski's - you are moving from valid to not valid, so you don't want to treat it as a withdrawl Randy: we are quibbling about when --- periodic or when you get the update Chris: what if rpki update is no data? Randy: Then it all gets marked not-valid Chris: For all the changes I would go see how they affect me. Check at batch of updates? Sandy: Concentrating on rpki <ed: rpki-rtr> protocol, -- others not running it would notice a change Matt: currently we don't have a normative reference on rpki router Randy: the interesting case is the router itself being a validating cache Matt: no one has a problem with everytime I learn of update I immediately revaluate those announcements which the update may affect Sandy: rfc4271 language which tell you to rerun best path algorithm can't recall whats mandated there. If they say you must do it, then its okay for us to say it. If they have ifier language then we probably shouldn't have stronger language Rob: "at earliest convenience" vs "immediately" 20. <ed: new topic – getting keys to the router> RPKI-rtr-keys Details of discussion: Matt: include informative reference to ymbk-rpki-rtr-keys or says rtr or similar to? Sandy: origin is mandated so we don't have to wait, it already applies as it currently exists - any future decisions don't impact <ed: origin validation is required for bgpsec, rpki-rtr is already useful for origin validation and should be mentioned for that purpose, whether or not it is eventually used for getting needed router keys> Matt: That's it.. to the list 21. Confederations: Randy: Confederation has to have its own trust anchor. Matt: “Someone from outside confed signs to the public ASN. The first AS of the confed does not have a technical problem with that; it is configured to know that the public ASN is. The second AS in the confed sequence along the update path should know it is an acceptable mismatch. Details of discussion: Randy: New Item - I am an incoming edge of a confed - I am not the canonic as of the confed - I am going to pass the received prefix internally observe that the confed will have to have a local trust anchor and its own data for the ases in the confed on the left I'm as2, ont he right I'm as65000 I sign forward with as65000 to another confed member who goes to validate, they find the announcement to me is as 2 Matt: ..... Randy: you will allow the mismatched AS? Matt: there needs to be an exception where the confed flag is set, the first person needs to permit a mismatch. If I'm in your AS I know what the public AS is for the whole confed. I'll reread it to make sure it's actually clear The receiver should have everything to verify the mismatch <Lunch Break> 22. Not obsoleting RF 4271. If you do not negotiate bgpsec with neighbor, behave exactly as a 4271 router. 23. Comparison with IDR WG: Sandy: Conformance with IDR-like requirement that there must be a working implementation before publishing as an RFC. If you know implementers of bgpsec, please tell them that they let themselves be known to the SIDR WG. Details of discussion: Sandy: Comments on IDR stuff the relationship of this draft to 4271 we're adding on a new feature to bgp but also doing something about aspath those ppl taking an existing implementation and adding bgpsec attr need guidance on what to do in code where code refers to aspath. It's obsoleting 4271, there has to be some language that is good enough that tells implementers what to do when dealing with.. when the implementation refers to the aspath. suggesting something like references to aspath are to be understood that the aspath is extracted from bgpsec attr. If you do not negotiate bgpsec w/ neighbor you should behave as current Rudiger: appears to me designing compatibility with existing thing. One should assume that for reg bgp processing one assumes out of bgpsec path, aspath info needs to be extracted and handled - which is a little different wording where we haev said "when we are talking to someone else who doesn't know the new attribute or symantics - atleast have to virtually do the extraction and may have to be done physically." Sandy: Do we want mandate that they do it or not Rudiger: we don't want to specific detailed implementation - treat as though you had Matt: agreeing with Rudiger -- your implementation should behave as though you ran the extraction algorithm Sandy: where aspath modified I think those are cases where you would be adding a bgpsec signature block (missed first part) If you do not negotiate bgpsec with a neighbor operate in accordance with 4271 --- Does that need to be said or is it understood? Matt: I understand that whenever you fail to negotiate you fail back to 4271 Sandy: IDR operates under rules stricter than other areas - they require implementations in order to advance a draft. We <ed: idr> haven't been faithful to that, but in this case we think they will be. So if you know of people doing implementations please make sure they make themselves known. Not sure what the IDR chairs will accept as evidence - Sandy: anything more about confeds Room: crickets Sandy: anything more about bgpsec protocol Room: crickets Sriram: is there a dependency of bgpsec doc on key rollover doc? Sandy: staleness and freshness - protocol draft does not rely on key rollover draft - any other opinions.. none ok 24. Router-ID in communication of router key to router: The consensus was to not include the router ID in the rpki-rtr-key pdu. 25. Should Router-ID also be removed from the router cert data: Rob: Probably. Steve Kent: If helpful in debugging cert data, it may worth keeping it (cost seems small). Details of discussion: Randy: From this am -- pdu to transport router info from pki to router should not have router id in it, Chris: signed you mean? Randy: rpki router pdu to carry the ecdsa public keys that will be handled by sig validation since this am we said they are not per router and router id has no meaning therefor do not transmit router in the pdu - looking for validation of that Matt: I don't know whether I agree/dis I don't think that is outcome of this am discussion. No security reason to put router id on the wire -- different from is it useful for some other reason Randy: why push if you won't use it Sandy: some suggested router id is useful in monitoring, debugging Randy: anyone want to speak for keeping routerid in transport Steve: When we regionally did cert design for routers, there was the notion that if you did different cert and key per router and were neighbor of bgpsec router and received signed update from it - you could check to see if sig applied by entity you thought you were talking to on the other side. Some say they wouldn't do it - still open question if you want that facility -- Sandy: do you need it for transport protection Steve: forget bgpsec - if I configure info about neighbors, then we would have the ability to do this in a secure fashion - with this -- go from secure to a more secure. Randy: routers don't do this today - routerid comes in the open msg today. Does anyone still want it there today Rob: I don't know. it could be useful for debugging in the certificate -- we have gone to lengths to make this difficult to debug by not having personal info it. I hope routerid is not considered personal info. I like steve's idea of putting in the serial field of the RDN. Sandy: anything else? anything else protocol related from this am 26. Linkages to other documents: Chris: Linkage with idr-error-handling for sure. What else? Rpki-rtr protocol? Details of discussion: Chris: the protocol doc perhaps can't go fwd w/o threats and reqs docs being finished Matt: potential linkage to subsequent pdu for rpki-rtr if that spec if later extended people will be able to find it Sandy: I think linkage to that exists without extension(?) of pdu 27. <ed: new topic, small comment on pre-lunch discussion> Details of discussion: Steve: 2nd rob's suggestion of avoiding putting meaningful names in certs. There is some benefit to putting in some info about what kind of cert it is. Spelling out router and the AS is worthwhile and should make it unique. Small cost. 28. Number of ASNs per cert: Rob: One cert can contain multiple ASNs. Sandy: Do we want single ASN per cert (like in the ROA)? Rob: Operator has a choice to put one ASN in the cert if they prefer. Matt: Will replace “the asn in cert” with “an asn in cert” in the doc. Details of discussion: Sandy: question about discussion between rob and steve about EE certs having ..language.. checking ee cert asn matching attrib field Matt: Many to one mapping between AS and certs. 1 cert can contain many AS numbers - you need to match a ASN. My mistake in the doc, I'll go back and fix it Sandy: ..something about revoking and having single AS numbers.. Rob: as far as protocol leave it to operator - they can shoot themselves in the foot Sandy: no protocol change for that needed 29. AS-Migration: See Sandy’s detailed slides – she presented them at the meeting. She presented how bgpsec with pCount=0 technique can try to hide (i.e. not contribute to path length) as the operator wishes under various AS migration scenarios. The discussion that followed was as follows. Randy: Wes George’s I-D is Cisco specific. Juniper doesn’t have all this. Ruediger: “Even if there is org boundary, if there is agreement with your neighbor, then “accept pCount=0” can be negotiated for the migration.” Sandy: In slide #7, CE-1 needs to be configured to accept ASN 200 in the AS path. Sandy: Can the trick used for the confederation be reused here in some form? Matt: This is different. As soon as update leaves, all the inconsistency info is expunged. Here it is not that.” Matt: Are the stuff with local AS etc. well documented. Rob: No, it is a vendor hack.” Sandy: Is anything different needed in the protocol document? Stephen: “Don’t just focus on how Cisco implements the hack. Check with other vendors as well.” Ruediger: “One vendor may be liberal, another not so liberal.” Sandy: “They are all trying to eliminate the extra hop.” Russ Housley (on jabber): “Since pCount was invented for other reasons, this is useful to document.” (summarizing minute taker:) Details of discussion: The discussion that followed was as follows. Randy: Wes George’s I-D is Cisco specific. Juniper doesn’t have all this. Ruediger: “Even if there is org boundary, if there is agreement with your neighbor, then “accept pCount=0” can be negotiated for the migration.” Sandy: In slide #7, CE-1 needs to be configured to accept ASN 200 in the AS path. Sandy: Can the trick used for the confederation be reused here in some form? Matt: This is different. As soon as update leaves, all the inconsistency info is expunged. Here it is not that.” Matt: Are the stuff with local AS etc. well documented. Rob: No, it is a vendor hack.” Sandy: Is anything different needed in the protocol document? Stephen <ed: I believe this is Steffann>: “Don’t just focus on how Cisco implements the hack. Check with other vendors as well.” Ruediger: “One vendor may be liberal, another not so liberal.” Sandy: “They are all trying to eliminate the extra hop.” Russ Housley (on jabber): “Since pCount was invented for other reasons, this is useful to document.” (detailed minute taker:) Details of discussion: Sandy - on to discussion of AS aliasing, migration Sandy: (see slides) Provider changes AS - customers aren't so quick to update opt 1) Local_AS CE-1 doesn't needs to be upgraded but AS300 gets inserted into AS_Path -- you now have an extra as in the aspath Do away with side effect by doing no-prepend so then the old-origin drops off opt2) Local_as + no prepend gives the effect that ce-1 doesn't have to upgrade and 300 is inserted int as_path toward ce-1 opt3) Local_as + no prepend + replace-AS Notation sig(originprefix, target, as of signer, pcount)key adds 2 signatures as if there were 2 peers inside the router -- In this case the recipient is inside the provider edge - there is no problem with the authority, the as that is accepting pcount=0 is under the same authority as the other AS (since they are on the same router) Sandy describes/reads slides ...missed something.. Rudiger: plausible to say we are starting migration, we will be faking for a bit, if you are rigidly checking pcount 0 - then expect pcount 0 for migration Sandy: this case came from 1st draft - things outbound from pe1 is sending things to the customer with new ASN Randy: its going to puke on open Sandy: no pe1 and ce1 are using as300 for open Will you check the first AS. Default is supposed to be do the check, and that ce1 has to be configured to do this. Randy: neighbor as is checked in the open not the path Some guy <ed: from the recording, I believe this is Sander Steffann>: I think its checked in the path by default Rudiger: its different between vendors - some are liberal and some are strict. All migrations I came across, faking the AS was always used where the aspath issued and the neighbor AS were consistent, which is not the case here Sandy: when randy talked about the confed case where you are taking with your public as externally and your internal as internally Matt: here is the difference in confed -- in the confed case the only people who see the inconsistency are within the confed and when you leave the confed the inconsistency gets expunged. Sandy: is this technique useful to employ in the confed case Matt: no reason to add this complexity to confeds Sandy: Wes was going to try to work out how as aliasing impacts- came up with other useful stuff, but not how pcount=0 might be useful Matt: are local_as and replace_as well documented? Rob: vendor hack Matt: big question I'd like answered - the tools in the protocol doc are they sufficient to make this migration work or do we need to add some other lever to make this work Sandy: I was not supposing there would be any different protocol behaviour to occur that isn't in the protocol doc Matt: text going into 06 that says you really ought to check for pcount=0 and drop it if you aren't expecting it Russ: since we adopted pcount =0 for other reasons this is useful Sandy: this was not viewed as a change to the protocol Randy: let Wes continue to document Randy: Asked a question about delivering SKI Sandy: let suppose someone takes of rpki cache and starts sending out ski's that match different keys Rob: stop there you're toast. Offload ..Chris messed with the screen couldn't hear.. why are you giving me both and making me think about this. don't check for an error condition you don't know how to handle Matt: cache is just offloading processing, it mgiht as well handle ski. You absolutely need the key for sig ver. Do you offload the ski calculation to the other box or do it on your router? Just ship it over and save me from doing a few hashes Sandy: does your answer change if we haven't protected router to cache transport Rob: agrees with matt Sandy: any other items? room: crickets Meeting adjourned
- [sidr] minutes from interim meeting Murphy, Sandra