Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020
Nick Hilliard <nick@foobar.org> Tue, 11 August 2020 20:58 UTC
Return-Path: <nick@foobar.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 616BA3A0F4F for <sidrops@ietfa.amsl.com>; Tue, 11 Aug 2020 13:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.848
X-Spam-Level:
X-Spam-Status: No, score=-2.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.949, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JFX7r3v-MvKX for <sidrops@ietfa.amsl.com>; Tue, 11 Aug 2020 13:57:59 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 357E33A0F52 for <sidrops@ietf.org>; Tue, 11 Aug 2020 13:57:47 -0700 (PDT)
X-Envelope-To: sidrops@ietf.org
Received: from crumpet.local (admin.ibn.ie [46.182.8.8]) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id 07BKveVN033973 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 11 Aug 2020 21:57:41 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host admin.ibn.ie [46.182.8.8] claimed to be crumpet.local
To: Keyur Patel <keyur@arrcus.com>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
References: <6A0CA35A-4BA3-4063-BDA8-B93B17636B4B@arrcus.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <b69340ac-d702-3ee2-00ec-948dc3184135@foobar.org>
Date: Tue, 11 Aug 2020 21:57:39 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:52.0) Gecko/20100101 PostboxApp/7.0.25
MIME-Version: 1.0
In-Reply-To: <6A0CA35A-4BA3-4063-BDA8-B93B17636B4B@arrcus.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/2cdMtdRwXV9K_-QpRTlz_TT5bG0>
Subject: Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 20:58:07 -0000
Keyur Patel wrote on 11/08/2020 19:45: > A working group last call has been requested for > draft-sidrops-bgpsec-validation-signaling-03, “BGPsec Validation State > signaling”. Please reply to the list with your comments. The WGLC will end > on August 25, 2020. In general, replicating validation functionality using BGP communities is a poor idea and from an ops point of view, it seems wiser as a long term objective to push vendors to support bgpsec than to implement hacks like this. For this reason I don't support publication of the draft as an rfc. Major issues: 1. The draft lacks a problem statement and a sunset clause. 2. Previously there's been a good deal of discussion on sidrops about RPKI validation state signalling. Several problems were listed here: > https://mailarchive.ietf.org/arch/msg/sidrops/YV1WfoxQNiwfOjtKIY1d6YJjRxM/ Most of the problems associated with validation state signalling identified in that email also apply to bgpsec validation state signalling, namely: - crypto authentication is lost - different and incompatible set of signalling hooks In particular all the problems associated with RPKI validation state signalling over eBGP also apply to bgpsec state signalling over eBGP. Defining this as non-transitive is a good start, but the language needs to change to ensure that it cannot escape an ASN. Can I suggest the following text changes: change: > If the router supports the extension as defined in this document, it > SHOULD attach the BGPsec path validation state extended community to > BGPsec UPDATE messages sent to BGP peers by mapping the locally > computed validation state into the last octet of the extended > community. This SHOULD be done automatically for iBGP peers and > configurable for eBGP peers (see below). to: > If the router supports the extension as defined in this document, it > SHOULD attach the BGPsec path validation state extended community to > BGPsec UPDATE messages sent to iBGP peers by mapping the locally > computed validation state into the last octet of the extended > community. and change: > By default, routers SHOULD enable use of this > community on all iBGP sessions and routers SHOULD disable the use of > this community on all eBGP sessions. Implementations MUST NOT send > more than one instance of the origin validation state extended > community and MUST drop (without processing) the BGPsec path > validation state extended community if received over an External BGP > (eBGP) peering session that has not be explicitly configured to > enable processing. to: > By default, routers SHOULD enable use of this > community on all iBGP sessions. Implementations MUST NOT send > more than one instance of the origin validation state extended > community, MUST NOT attach the BGPsec path validation state extended > community to BGPsec UPDATE messages sent to eBGP peers and MUST drop > (without processing) the BGPsec path validation state extended community > if received over an eBGP peering session. Nick
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Montgomery, Douglas C. (Fed)
- [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-… Keyur Patel
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Nick Hilliard
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Borchert, Oliver (Fed)
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Montgomery, Douglas C. (Fed)
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Borchert, Oliver (Fed)
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Mehmet Adalier
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Nick Hilliard
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Nick Hilliard
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Randy Bush
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Christopher Morrow
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Randy Bush
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Christopher Morrow