Re: [sidr] [Idr] No BGPSEC intradomain ?

Jeffrey Haas <jhaas@pfrc.org> Thu, 12 April 2012 18:21 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FAAB21F8610; Thu, 12 Apr 2012 11:21:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.87
X-Spam-Level:
X-Spam-Status: No, score=-101.87 tagged_above=-999 required=5 tests=[AWL=0.395, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KEF9GY0Rkr0U; Thu, 12 Apr 2012 11:21:25 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id CBB9F21F8625; Thu, 12 Apr 2012 11:21:23 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 776501703EA; Thu, 12 Apr 2012 14:21:23 -0400 (EDT)
Date: Thu, 12 Apr 2012 14:21:23 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: "George, Wes" <wesley.george@twcable.com>
Message-ID: <20120412182123.GE9700@slice>
References: <0BD03B75-CA3A-4CBA-BBF4-E2100AFA64E4@kumari.net> <4F846121.2050408@raszuk.net> <CAL9jLaYF-MW1cJ2n28BiV1mi+tpPS2ECKB2UxhFMQ=NXxbihCg@mail.gmail.com> <7309FCBCAE981B43ABBE69B31C8D21391B3EE03F77@EUSAACMS0701.eamcs.ericsson.se> <alpine.LFD.2.02.1204111507190.22591@jamaica.dcs.gla.ac.uk> <CAL9jLaZDwpje4NtHHMUpzJaHDJLMY-f8gzDUVe3pEKwSqvsm_w@mail.gmail.com> <DCC302FAA9FE5F4BBA4DCAD465693779173DCB5AAB@PRVPEXVS03.corp.twcable.com> <4F86DE1D.4020505@raszuk.net> <20120412145033.GA9700@slice> <DCC302FAA9FE5F4BBA4DCAD465693779173DCB5F1E@PRVPEXVS03.corp.twcable.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <DCC302FAA9FE5F4BBA4DCAD465693779173DCB5F1E@PRVPEXVS03.corp.twcable.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "idr@ietf.org List" <idr@ietf.org>, Paul Jakma <paul@jakma.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] [Idr] No BGPSEC intradomain ?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2012 18:21:35 -0000

On Thu, Apr 12, 2012 at 01:07:38PM -0400, George, Wes wrote:
> [WEG] I'm not totally sure which message you're referring to, but I think that may be a red herring. I'm not seeing how incrementing the BGP version automatically means that all routers in an ASN must upgrade to it.

Fish aside, given prior statements that once you leave a BGPSEC domain that
you stop doing BGPSEC, then it seems reasonable that you can't have bgp-4
inside of bgpsec.

I suspect that's not what some people are meaning by BGPSEC domains or
versions or what have you.  But this is all fall-out of what does it mean to
do BGPSEC in an AS that won't have some number of routers that can do it.

The original model discussed was BGPSEC signature operations at eBGP
borders.  In that model, iBGP considerations are largely irrelevant to the
signatures.  Where they become important is the edge cases where iBGP may
alter AS_PATH data. 

If iBGP speakers are expected to participate in signature operations, we
need to figure out what that means.  Chris M. suggests signing at
origination - signing to what exactly?  When there's confederations, is
there signing?  What do those certs look like in the RPKI especially when AS
numbers are re-used (private ASes)?  How do you handle confederation AS
stripping signature-wise?

If you don't believe each router in an AS needs an upgrade, you obviously
have protocol behavior in mind.  Write it down, please.  Keep in mind the
answer will change based on whether BGPSEC operations are done in iBGP or
not.

> This isn't exactly the same flag day sort of driver as the move between v3 and v4. BGP speakers that support BGPv5 also SHOULD support BGPv4, and would determine which they should use on initial capability negotiation.

If you can do the work via capability negotiation, I'd argue you don't
really need a new version number.

-- Jeff