Re: [sidr] Prefix Origin Validation & AS_SET
Sandra Murphy <Sandra.Murphy@sparta.com> Mon, 27 June 2011 16:18 UTC
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41C0D11E80E7 for <sidr@ietfa.amsl.com>; Mon, 27 Jun 2011 09:18:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bx5nOAHmTOGK for <sidr@ietfa.amsl.com>; Mon, 27 Jun 2011 09:18:25 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 8C02021F85F2 for <sidr@ietf.org>; Mon, 27 Jun 2011 09:18:21 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p5RGIHeR032521; Mon, 27 Jun 2011 11:18:17 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p5RGIGqd028891; Mon, 27 Jun 2011 11:18:17 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.117]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Mon, 27 Jun 2011 12:18:15 -0400
Date: Mon, 27 Jun 2011 12:18:15 -0400
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Hannes Gredler <hannes@juniper.net>
In-Reply-To: <20110627143625.GA2251@juniper.net>
Message-ID: <Pine.WNT.4.64.1106271148340.936@SMURPHY-LT.columbia.ads.sparta.com>
References: <Pine.WNT.4.64.1106271606140.3352@mw-PC> <20110627143625.GA2251@juniper.net>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 27 Jun 2011 16:18:15.0859 (UTC) FILETIME=[D1C7D030:01CC34E5]
Cc: Matthias Waehlisch <m.waehlisch@fu-berlin.de>, sidr@ietf.org
Subject: Re: [sidr] Prefix Origin Validation & AS_SET
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2011 16:18:26 -0000
On Mon, 27 Jun 2011, Hannes Gredler wrote:
> On Mon, Jun 27, 2011 at 04:06:22PM +0200, Matthias Waehlisch wrote:
> | Hi,
> |
> | this question addresses the scenario, in which a BGP update contains
> | an AS_SET. According to draft-ietf-sidr-pfx-validate-01, the variable
> | origin_as would be defined as "NONE". In case of a valid certificate for
> | the prefix, the prefix validation function would return "INVALID".
> |
> | BGP updates including an AS_SET with a valid certificate would never
> | be valid. Correct? This seems a bit rough. Can you clarify the reason
> | behind? I would expect that if a valid record for at least one origin AS
> | within the AS_SET exists, the funcion will return "VALID".
>
> depends ... - my understanding of the logic for extracting the
> "to-be-validated" AS is something alike:
>
> If aggregator is present and right-most AS segment type is AS-Set,
> then use aggregator AS for validating,
That rule was proposed at one point but discarded.
The current rule is that a route containing an AS_SET is not to be
considered "valid".
The text in draft-ietf-sidr-roa-validation-10
A route's "origin AS" is defined as follows: If the final path
segment of the AS_PATH is of type AS_SEQUENCE, the "origin AS" is the
first element of the sequence (i.e. the AS in the rightmost position
with respect to the position of octets in the protocol message). If
the AS_PATH contains a path segment of type AS_SET, indicating that
the route is an aggregate, then the "origin AS" cannot be determined.
(Note that this is even harsher than judging just the
/right-most/final/least recently added/whatever/ path segment - it says if
the AS_PATH *contains* an AS_SET, then the origin AS "cannot be
determined.")
The subsequent table and steps on page 5 can lead to a decision of "not
found" or "invalid" but not a decision of "valid":
3. If the route's origin AS can be determined and ...
...
.......................................... then the procedure
halts with an outcome of "valid".
Since the origin AS can not be determined, this step can not produce an
outcome of "valid".
--Sandy
> else if if right-most AS segment type is AS-set -> result: not found
> else use right-most AS for validating
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>
- [sidr] Prefix Origin Validation & AS_SET Matthias Waehlisch
- Re: [sidr] Prefix Origin Validation & AS_SET Ruediger Volk
- Re: [sidr] Prefix Origin Validation & AS_SET Hannes Gredler
- Re: [sidr] Prefix Origin Validation & AS_SET Sandra Murphy
- Re: [sidr] Prefix Origin Validation & AS_SET Sandra Murphy