Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
"t.petch" <ietfc@btconnect.com> Mon, 01 August 2011 16:45 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 893F821F8D3B for <sidr@ietfa.amsl.com>; Mon, 1 Aug 2011 09:45:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uZs5ojgqQwGg for <sidr@ietfa.amsl.com>; Mon, 1 Aug 2011 09:45:40 -0700 (PDT)
Received: from mail.btconnect.com (c2bthomr09.btconnect.com [213.123.20.127]) by ietfa.amsl.com (Postfix) with ESMTP id 58BB321F8D3A for <sidr@ietf.org>; Mon, 1 Aug 2011 09:45:39 -0700 (PDT)
Received: from host109-153-78-164.range109-153.btcentralplus.com (HELO pc6) ([109.153.78.164]) by c2bthomr09.btconnect.com with SMTP id DXL93210; Mon, 01 Aug 2011 17:45:16 +0100 (BST)
Message-ID: <04fe01cc5061$90fdbe60$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Shane Amante <shane@castlepoint.net>, "Montgomery, Douglas" <dougm@nist.gov>
References: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net><D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov> <2C3246E7-A4AD-4335-BCDA-73D98DDB0274@castlepoint.net>
Date: Mon, 01 Aug 2011 17:42:01 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mirapoint-IP-Reputation: reputation=Fair-1, source=Queried, refid=tid=0001.0A0B0301.4E36D81A.00C7, actions=tag
X-Junkmail-Premium-Raw: score=7/50, refid=2.7.2:2011.8.1.153314:17:7.586, ip=109.153.78.164, rules=__HAS_MSGID, __OUTLOOK_MSGID_1, __SANE_MSGID, __TO_MALFORMED_2, __BOUNCE_CHALLENGE_SUBJ, __BOUNCE_NDR_SUBJ_EXEMPT, __MIME_VERSION, __CT, CT_TP_8859_1, __CT_TEXT_PLAIN, __CTE, __HAS_X_PRIORITY, __HAS_MSMAIL_PRI, __HAS_X_MAILER, USER_AGENT_OE, __OUTLOOK_MUA_1, __USER_AGENT_MS_GENERIC, __ANY_URI, __CP_URI_IN_BODY, BODY_SIZE_5000_5999, __MIME_TEXT_ONLY, RDNS_GENERIC_POOLED, RDNS_SUSP_GENERIC, __OUTLOOK_MUA, RDNS_SUSP, BODY_SIZE_7000_LESS
X-Junkmail-Status: score=10/50, host=c2bthomr09.btconnect.com
X-Junkmail-Signature-Raw: score=unknown, refid=str=0001.0A0B0209.4E36D81F.00F9, ss=1, fgs=0, ip=0.0.0.0, so=2010-07-22 22:03:31, dmn=2009-09-10 00:05:08, mode=multiengine
X-Junkmail-IWF: false
Cc: sidr@ietf.org
Subject: Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2011 16:45:41 -0000
----- Original Message ----- From: "Shane Amante" <shane@castlepoint.net> To: "Montgomery, Douglas" <dougm@nist.gov> Cc: <sidr@ietf.org> Sent: Thursday, July 28, 2011 11:18 PM > > On Jul 28, 2011, at 1:43 PM, Montgomery, Douglas wrote: > > > The discussion so far has not been protecting/validating if prepending *should have* occurred. BGPSEC protects the AS_PATH. Prepending occurs in the AS_PATH. Today's strawman presented one approach to protect the fact that prepending *did* occur (without comment as if it should have occurred). > > Right. But, if BGPSEC is not "commenting" whether AS_PATH prepending should, or should not, have occurred, then wouldn't it be more straightforward to avoid representing AS_PATH prepending in BGPSEC's AS_PATH Attr? IOW, isn't the intent of the BGPSEC AS_PATH signature to "simply" represent the ASN's over which the BGP UPDATE has travelled? Why does AS_PATH prepending *need* representation in the BGPSEC AS_PATH Attr, (or, what does it help with wrt BGPSEC)? > > The SIDR WG instigated the deprecation of AS_SET's for reasons of simplification. If WG really believes in simplification, then why does that not apply here wrt AS_PATH prepending? I do not think that it was simplification that led to the deprecation of AS-SET, rather the difficulty or impossibility of securing it to the same extent as a single AS; which led to the discovery that AS_SET were rare and that their loss would not affect almost all of the Internet. Question is; how common is prepending? I thought that it was widespread and 'normal' but there would have to be hard data first, before deprecation could be contemplated. Tom Petch > > With that interpretation, I don't think today's proposal violates the requirement about presuming intent. > > > > This too is good discussion as to what the requirement is. > > > > If we want to protect the common encoding of prepending in the AS_PATH today's strawman provides a simple approach. > > > > I don't know if your example is primarily pointing out another situation where prepending occurs on ingress .... or if we you are proposing that we discuss protecting the intent to prepend. > > > > If it is the latter - that is a significant expansion of requirements - and there are no obvious simple enhancements of bgpsec-00 mechanisms that would get us there. > > So, I grudgingly agree with the requirement, as written, that a BGPSEC AS_PATH signature should not describe/express intent. (I'd feel better if the requirement were changed to say "does not" describe/express intent, but I'm not sure there is consensus to do so ...). > > Ultimately, my concern is the more "faithfully" the AS_PATH appears to be represented in the BGPSEC AS_PATH Attr (i.e.: it does include AS_PATH prepending), then: > a) The more potential confusion there might be with operators who aren't well versed in SIDR incorrectly /assuming/ that it does describe intent[1]; and/or, > b) The more potential/temptation there may be for vendors to use the BGPSEC AS_PATH Attr in BGP path selection (i.e.: as the AS_PATH length tie-breaker) in place of the legacy AS_PATH Attribute. This has implications wrt control plane scaling w/out any appreciable benefit. > > -shane > > [1] Yeah, yeah, they should RTFM ... > > > > > > dougm > > > > > > > > > > Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST > > ________________________________________ > > From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Shane Amante [shane@castlepoint.net] > > Sent: Thursday, July 28, 2011 3:00 PM > > To: sidr@ietf.org > > Subject: [sidr] pCNT & (AS_PATH) prepending: Is it in scope? > > > > Hi, > > > > I have a question for the WG. In a series of e-mail exchanges earlier this year, I had thought it was concluded that BGPSEC was merely being used as a means to express that a BGP UPDATE had passed through a series of ASN's, i.e.: it's an expression of a "breadcrumbs", if you will, that can [later] be validated by receiver that are further downstream. IOW, it's not a validation of the TE policies (e.g.: AS_PATH prepending) applied by ASN's. > > > > I went back to the BGPSEC requirements: > > http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-00 > > ... and, if I look at Req #3.19: > > 3.19 A BGPsec design SHOULD NOT presume to know the intent of the > > originator of a NLRI, nor that of any AS on the AS Path. > > > > What was the intended meaning of the word "intent"? I thought that word was meant to say that BGPsec was not intended to validate TE policies that may, or may not, be applied to the NLRI. If that is correct, then why is the WG looking at signing an BGP attribute that expresses the the number of times an ASN may be prepended? Or, has the WG had a change of direction and I haven't kept up to speed? > > > > I would note that the reason I'm asking the above is that it may not be the originator that is performing AS_PATH prepending. Specifically, a customer may use a provider's BGP TE communities to ask the provider to perform AS_PATH prepending (selectively) on their behalf. But, since these BGP TE communities are not signed, then how would a receiver of the NLRI know that an AS_PATH should or should not have been prepended by an intermediate/transit ASN? > > > > Thanks, > > > > -shane > > _______________________________________________ > > sidr mailing list > > sidr@ietf.org > > https://www.ietf.org/mailman/listinfo/sidr > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr
- [sidr] pCNT & (AS_PATH) prepending: Is it in scop… Shane Amante
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Montgomery, Douglas
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Shane Amante
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Montgomery, Douglas
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Randy Bush
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … t.petch
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Randy Bush
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Montgomery, Douglas
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Montgomery, Douglas
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Jakob Heitz
- Re: [sidr] pCNT & (AS_PATH) prepending: Is it in … Stephen Kent