IETF Logo Mail Archive

Re: [sidr] Levels of BGPsec/RPKI validation, was: Re: [Idr] wglc for draft-ietf-sidr-bgpsec-protocol-11

Iljitsch van Beijnum <iljitsch@muada.com> Fri, 01 May 2015 19:58 UTC

Return-Path: <iljitsch@muada.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D7861A8A39; Fri, 1 May 2015 12:58:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5LVMjegdjFrX; Fri, 1 May 2015 12:58:44 -0700 (PDT)
Received: from sequoia.muada.com (sequoia.muada.com [IPv6:2001:1af8:3100:a006:1::]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E00921A8858; Fri, 1 May 2015 12:58:43 -0700 (PDT)
Received: from [192.168.178.25] (5356AD6E.cm-6-7c.dynamic.ziggo.nl [83.86.173.110]) (authenticated bits=0) by sequoia.muada.com (8.13.3/8.13.3) with ESMTP id t41JwLu8035331 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 1 May 2015 21:58:22 +0200 (CEST) (envelope-from iljitsch@muada.com)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <CANTg3aDwkSEEGN_7TotJUu-d8eZS8eBaE-J4XbT+QpGxjPR60Q@mail.gmail.com>
Date: Fri, 01 May 2015 21:58:34 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA587941-7279-44A0-B447-0E307C3D52D3@muada.com>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com> <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com> <CANTg3aC4EurFpEP9S+5v4L5mz4zO2TLf9jOn+biCv0knms=8=Q@mail.gmail.com> <3637DF28-CFC8-46FF-8929-DF88BB91D3AB@muada.com> <CANTg3aDwkSEEGN_7TotJUu-d8eZS8eBaE-J4XbT+QpGxjPR60Q@mail.gmail.com>
To: Matthew Lepinski <mlepinski.ietf@gmail.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/tIyObrF82SPUUdLVJAxQXkl0jmE>
Cc: "idr@ietf.org wg" <idr@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Levels of BGPsec/RPKI validation, was: Re: [Idr] wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2015 19:58:45 -0000

On 01 May 2015, at 21:24, Matthew Lepinski <mlepinski.ietf@gmail.com> wrote:

> You are certainly correct that there are Nine possible states (and Randy's table is correct).

Randy's table? I must have missed that one.

> That being said, I have some concern about treating "Path Unsigned" differently than "Path Not Valid", since it is trivial for a malicious adversary to transform "Path Not Valid" into "Path Unsigned" if doing so will yield better treatment for some bad route.

That's a good point. But then, how do you treat those? By filtering the affected prefixes? You can only do that once _all_ paths are signed.

So basically, we're stuck with our AS path filters until BGPsec deployment hits 100%.

It would have been better if BGPsec would have had provisions for partial deployment, so that you can have a path that is partially BGPsec protected even if it can't be fully be BGPsec-protected. That way, the filtering issue shrinks in scope as the BGPsec-enabled core grows and non-BGPsec branches turn into leaves and finally go away.

v2.23.0 | Report a Bug | By Email