IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020

Nick Hilliard <nick@foobar.org> Wed, 26 August 2020 15:32 UTC

Return-Path: <nick@foobar.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE61B3A159B; Wed, 26 Aug 2020 08:32:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.847
X-Spam-Level:
X-Spam-Status: No, score=-2.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.948, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sAbrXU46NbRi; Wed, 26 Aug 2020 08:32:38 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BBE83A0ECA; Wed, 26 Aug 2020 08:32:34 -0700 (PDT)
X-Envelope-To: sidrops@ietf.org
Received: from cupcake.local (089-101-195156.ntlworld.ie [89.101.195.156] (may be forged)) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id 07QFWUu1009115 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 26 Aug 2020 16:32:31 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host 089-101-195156.ntlworld.ie [89.101.195.156] (may be forged) claimed to be cupcake.local
To: "Montgomery, Douglas C. (Fed)" <dougm=40nist.gov@dmarc.ietf.org>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
References: <6A0CA35A-4BA3-4063-BDA8-B93B17636B4B@arrcus.com> <b69340ac-d702-3ee2-00ec-948dc3184135@foobar.org> <F2528495-035E-4810-B865-F02A735CBE02@nist.gov> <d536bb69-d977-baf7-64e7-a7833b351e50@foobar.org> <4546E616-2B93-4612-AC8E-F9039FEB7F60@nist.gov>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <a7a0ac58-cd09-dd23-e2c8-3fcf6465c72f@foobar.org>
Date: Wed, 26 Aug 2020 16:32:29 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:52.0) Gecko/20100101 PostboxApp/7.0.27
MIME-Version: 1.0
In-Reply-To: <4546E616-2B93-4612-AC8E-F9039FEB7F60@nist.gov>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/BTC7q-lN9wsKknnoxBWy74NBRUg>
Subject: Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2020 15:32:41 -0000

Montgomery, Douglas C. (Fed) wrote on 26/08/2020 15:06:
> I think that can and should be addressed in the security
> considerations section.
>
> The spec mandates that the signal be non-transitive - it only
> provides insight as to the validation result of your immediate  peer.

This doesn't really work from an IETF standards track point of view 
because it's an actively harmful proposal at the point that tagged 
routes cross from one ASN to another, i.e. including immediate peers.

It's not appropriate to publish an RFC which makes a recommendation 
about a security mechanism in the text and then makes a statement in the 
security section that effectively nullifies the recommendation.

I get the other use cases that you're describing - these are all 
applicable to iBGP use, and I'm not arguing against them:  just against 
ever seeing this mechanism on an EBGP session.

Nick

> Having said that, here are those that feel this functionality,
> especially in the case of BGPsec, provides useful functionality, that
> increases the resilience of the entire system, and provides a
> much-needed diagnostic capability (for operations and monitoring
> infrastructures).
> 
> I suspect concerns of brittleness and lack of diagnostics are more of
> an impediment to adoption than concerns about distributed trust
> models.
> 
> The other choice is that operators will still do this in non-standard
> ways and we will lose the opportunity to leverage the potential
> robustness and diagnostic benefits.
> 
> In general, I think the supposition that we will somehow influence /
> constrain implementation and deployment architectures by not
> specifying simple mechanisms such as this, is already proven to be
> false.
> 
> dougm -- DougM @ NIST
> 
> On 8/26/20, 5:55 AM, "Nick Hilliard" <nick@foobar.org> wrote:
> 
> Oliver,
> 
> the difficulty here is not that operators might be using this, it's 
> whether these signals cross administrative boundaries.  It's one
> thing to use this on your own network, and even though it's not
> something that I'd view as being a very good idea, there are two
> mitigating factors: 1. your network, your rules and 2. it's ibgp only
> which means that your interior routing infrastructure will get a full
> view of all routes and will be able to make informed routing
> decisions, where bgpsec signaled routes can be evaluated in context
> alongside other candidate routes.
> 
> The difficulty here is applying this to EBGP.  If this draft ends up
> as a standards track document, this is giving the process the IETF
> stamp of approval that this is a good idea and recommended practice.
> This is a very poor idea for the reasons which I've detailed
> previously.
> 
> Nick
> 
> Borchert, Oliver (Fed) wrote on 26/08/2020 01:11:
>> Nick,
>> 
>> This point has been made in the past (about origin validation
>> signaling) and I think it is a bit of a red herring.
>> 
>> Operators can and are signaling validation state today with ad-hoc
>> use of communities.  Operators do this for multiple reasons,
>> including providing some resilience to the system should a router
>> lose access to validating caches, to detect and diagnose RPKI state
>> skew among routers in the same network etc.   Not having a
>> standardized encoding of this practice won't be the determining
>> factor of how this kind of signaling is used.
>> 
>> In the case of BGPsec, the need for diagnostics and resilience will
>> be even higher.  Remember there is no "not found" in BGPsec to fall
>> back to loss of contact with RPKI data.  If such signaling also
>> facilitated performance optimizations or implementation of
>> consistent policy decisions on routers that have deferred their own
>> validation procedures, it actually might encourage more deployment
>> than discourage it as you suggest.
>> 
>> In short, I see such mechanisms as supporting and encouraging
>> deployment of these technologies - or at worse being a non-factor
>> to the adoption question - as those who want to do this in
>> non-standard ways will just continue to do so.
>> 
>> Oliver
>> 
>> ----------------------------------------------- Oliver Borchert,
>> Computer Scientist National Institute of Standards and Technology 
>> (Office) +1.301.975.4856 (GVoice) +1.240.668.4117
>> 
>> 
>> On 8/11/20, 4:59 PM, "Sidrops on behalf of Nick Hilliard"
>> <sidrops-bounces@ietf.org on behalf of nick@foobar.org> wrote:
>> 
>> Keyur Patel wrote on 11/08/2020 19:45:
>>> A working group last call has been requested for 
>>> draft-sidrops-bgpsec-validation-signaling-03, “BGPsec Validation
>>> State signaling”. Please reply to the list with your comments.
>>> The WGLC will end on August 25, 2020.
>> 
>> In general, replicating validation functionality using BGP
>> communities is a poor idea and from an ops point of view, it seems
>> wiser as a long term objective to push vendors to support bgpsec
>> than to implement hacks like this.  For this reason I don't support
>> publication of the draft as an rfc.
>> 
>> Major issues:
>> 
>> 1. The draft lacks a problem statement and a sunset clause.
>> 
>> 2. Previously there's been a good deal of discussion on sidrops
>> about RPKI validation state signalling.  Several problems were
>> listed here:
>> 
>>> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fsidrops%2FYV1WfoxQNiwfOjtKIY1d6YJjRxM%2F&amp;data=02%7C01%7Cdougm%40nist.gov%7Ccdccd3e4feac413e5edd08d849a61c95%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637340325111492030&amp;sdata=JH6g44hs2umnzmrIpUEwH0sN4h%2BpvtvqMFg%2FiyGkfkg%3D&amp;reserved=0
>
>>> 
> 
>> Most of the problems associated with validation state signalling 
>> identified in that email also apply to bgpsec validation state 
>> signalling, namely:
>> 
>> - crypto authentication is lost - different and incompatible set of
>> signalling hooks
>> 
>> In particular all the problems associated with RPKI validation
>> state signalling over eBGP also apply to bgpsec state signalling
>> over eBGP.
>> 
>> Defining this as non-transitive is a good start, but the language
>> needs to change to ensure that it cannot escape an ASN.  Can I
>> suggest the following text changes:
>> 
>> change:
>>> If the router supports the extension as defined in this document,
>>> it SHOULD attach the BGPsec path validation state extended
>>> community to BGPsec UPDATE messages sent to BGP peers by mapping
>>> the locally computed validation state into the last octet of the
>>> extended community.  This SHOULD be done automatically for iBGP
>>> peers and configurable for eBGP peers (see below).
>> 
>> to:
>>> If the router supports the extension as defined in this document,
>>> it SHOULD attach the BGPsec path validation state extended
>>> community to BGPsec UPDATE messages sent to iBGP peers by mapping
>>> the locally computed validation state into the last octet of the
>>> extended community.
>> 
>> and change:
>>> By default, routers SHOULD enable use of this community on all
>>> iBGP sessions and routers SHOULD disable the use of this
>>> community on all eBGP sessions.  Implementations MUST NOT send 
>>> more than one instance of the origin validation state extended 
>>> community and MUST drop (without processing) the BGPsec path 
>>> validation state extended community if received over an External
>>> BGP (eBGP) peering session that has not be explicitly configured
>>> to enable processing.
>> 
>> to:
>>> By default, routers SHOULD enable use of this community on all
>>> iBGP sessions.  Implementations MUST NOT send more than one
>>> instance of the origin validation state extended community, MUST
>>> NOT attach the BGPsec path validation state extended community to
>>> BGPsec UPDATE messages sent to eBGP peers and MUST drop (without
>>> processing) the BGPsec path validation state extended community 
>>> if received over an eBGP peering session.
>> Nick
>> 
>> 
>> _______________________________________________ Sidrops mailing
>> list Sidrops@ietf.org 
>> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=02%7C01%7Cdougm%40nist.gov%7Ccdccd3e4feac413e5edd08d849a61c95%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637340325111492030&amp;sdata=xZhWjlOCk7rDY3huLZoIDGdjo3D1JionK6dZ%2FqYF4EA%3D&amp;reserved=0
>
>> 
> 
>> _______________________________________________ Sidrops mailing
>> list Sidrops@ietf.org 
>> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=02%7C01%7Cdougm%40nist.gov%7Ccdccd3e4feac413e5edd08d849a61c95%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637340325111492030&amp;sdata=xZhWjlOCk7rDY3huLZoIDGdjo3D1JionK6dZ%2FqYF4EA%3D&amp;reserved=0
>
>> 
> 
> 
> _______________________________________________ Sidrops mailing list 
> Sidrops@ietf.org https://www.ietf.org/mailman/listinfo/sidrops
>

v2.14.0 | Report a Bug | By Email