Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020
"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Fri, 25 September 2020 18:15 UTC
Return-Path: <oliver.borchert@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 623953A1141 for <sidrops@ietfa.amsl.com>; Fri, 25 Sep 2020 11:15:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.243
X-Spam-Level:
X-Spam-Status: No, score=-4.243 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.448, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QC4psqu5gSB5 for <sidrops@ietfa.amsl.com>; Fri, 25 Sep 2020 11:15:22 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on2111.outbound.protection.outlook.com [40.107.91.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 084BC3A0AF3 for <sidrops@ietf.org>; Fri, 25 Sep 2020 11:15:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=c8FVTfhQtIp9Zu/zPisHKiV9b2BnQ1E5qk+bSPnmPkJkqWS1YA6g2iAsUWF0ict0o7em2y9LzKSde/3GXYN8Y+lXEZH215BDarJVlwXLzhCympe0TYKukdlVlWLr6FJDsDQ0tff1w6pf53RAOfh2aXEJarKnlLpRfQqP8EM7hVO3uVwC5jIlwKJJ4/MgP2zIfHnOuIKLCR2B8TiqLjZAJpgUmje2hcc4PqmufeU4zyX96IW8sYQQkpb7E6qaCTxSfnn89V/NpnZlo97koYEHm0z3uvWskkSFRjGEep2axllpf+R9LP7pm+0JKLd8N0T61eTh83EhaOteX8sqnZFDtg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EEckLcL+UaL1fgtOnRLC3KEhtNejhPhAG/H88jB3iuY=; b=Jp69wIfkbKWhbLFfR1FHXCt8GZajJe3XPSdT2mt4Tb7gHbCCgIT6UjJ+YPsYbqKEmqvGCahSn37O53xGEkEJ2USMOi1WFJEW3BCIUTN/B5dLUXcFNuRLUHmqinBoPmgdJbNQihm1Osz0IreocDqDiZTJDyzjNPiGpqxm68W9J3x08JZyG9JeX+ddWbcLVwVqGdOpeCQDJGjI61uE7CiCFP3gCpulb6uakVBUNsVJjTQUEbCow8hc8pTl18zU+PuGWl/m9gVZRoPF8hOMWSgusZ/fm11Z5bUnDLKodUxsw66Cf+YQvj9Ni69GY/lxyCjVQ62s3XppNKJ9GTVq6OI+WA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EEckLcL+UaL1fgtOnRLC3KEhtNejhPhAG/H88jB3iuY=; b=BDgEBr1DWhOIfWHfE6bFIOt/bi7b0ObrDdcYC6ChnNHGQQsakrWcnv9RR4TyZBKaVtSfpX8f0rBihhkZ0upBf+ZM/hrCD95mdu2HDT0CxvgT3Jjtwtjo2R+Ns8TioZ3rwued64ogShvBKvCidMDqJpdoQv7AGU7STcQT3IXngW4=
Received: from DM8PR09MB6967.namprd09.prod.outlook.com (2603:10b6:5:2e1::23) by DM6PR09MB5704.namprd09.prod.outlook.com (2603:10b6:5:266::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.13; Fri, 25 Sep 2020 18:15:20 +0000
Received: from DM8PR09MB6967.namprd09.prod.outlook.com ([fe80::453b:8416:ceed:8f5f]) by DM8PR09MB6967.namprd09.prod.outlook.com ([fe80::453b:8416:ceed:8f5f%6]) with mapi id 15.20.3412.022; Fri, 25 Sep 2020 18:15:20 +0000
From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: Nick Hilliard <nick@foobar.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, Keyur Patel <keyur@arrcus.com>, "Montgomery, Douglas C. (Fed)" <dougm@nist.gov>, "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
Thread-Topic: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020
Thread-Index: AQHWh5erY0vKUlmkVU+BIiVo9bZtualzoEwA///QC4CABekhgIAAI/GA
Date: Fri, 25 Sep 2020 18:15:19 +0000
Message-ID: <B231A599-A04F-4650-B8BB-AFAA383B1055@nist.gov>
References: <08ACF86D-6B13-4D7C-ADD9-08227931C107@arrcus.com> <b5038fc3-a25c-5b7a-63ff-c57c05355098@foobar.org> <65695FF6-52DD-44A8-9EED-206821D74596@nist.gov> <d79049a8-ff87-a5ab-9aff-31b1477893f6@foobar.org>
In-Reply-To: <d79049a8-ff87-a5ab-9aff-31b1477893f6@foobar.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.41.20091302
authentication-results: foobar.org; dkim=none (message not signed) header.d=none;foobar.org; dmarc=none action=none header.from=nist.gov;
x-originating-ip: [2610:20:6005:152::a3]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: e41caaa9-ca9a-4aa8-80bc-08d8617ef66d
x-ms-traffictypediagnostic: DM6PR09MB5704:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <DM6PR09MB570409D1F68E6EE19BFD422A98360@DM6PR09MB5704.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: q7ITnJb62Pjr9EZ0XFs2uWf20BH0mnpxAhoLtzOexHG6CDiQQdo4bgduNW5+vlPQEuOEmuOTexk8xjP4FKsML82bZfApQIIJotLhYlDKpnapoyli7XmDMR4v5lQTgToyHWY2XopYkGtf0JsTcZFlDpetZoVf/WGXAPnlD0+woaVK78bEKQ6cCYuDRKw1mWy1+YQrcAzL5ScdAgn7pI5N7ziysIFB+8YErvnlhCu+e5h7Rgv3nhU5I9qj8rI2GLiSuzR8AsE11VtXVmTBCvVBVTwAxqcIUAfrOyTRmDl3sLkd1Crb6A0xKlWl9yb5fNqFTMh/ihhdL7PYxs7pb7J+Kg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM8PR09MB6967.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(396003)(366004)(39860400002)(136003)(2616005)(71200400001)(86362001)(478600001)(66574015)(6486002)(33656002)(186003)(83380400001)(54906003)(6512007)(5660300002)(36756003)(64756008)(107886003)(66476007)(66556008)(76116006)(4326008)(66946007)(6506007)(8936002)(316002)(91956017)(8676002)(66446008)(53546011)(2906002)(6916009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: E+2W8OMutvmDuY3MCyUwMEtiiRyzeTVXACG4zHFIesXdhO0niAi+pI25US3N0Dn7qnFQhsX9yCusnolDrh/+7bTrRpGQehtJQ7VyNdDC+twEp7FMlOwZ73feuZ2m0jUHOZoVhcDn29atEv0OwjjvxVcnDkZvMWW/8tTOeM6d5Umzt4UM3iQTMAnkIuku67E/wTti4qNeO2ZYrxFODla+hJjdxb34E8XuUhVt/8091B9PC7RBKnzIon6It9lxQ2NNWB4r7Fzp0LaMC99kI6SO6QkWW5lwSoh//nuSwHN7n3NSRykhkLP7X1Q52hyL1a2nrpiu5kh/tckWPYR5rNfve2RnDc4fxeArVcaCXC0d/HX2rJ8w8ArqWGol6QbUFB1WoqYp3d3If3RWKwItET1AFH73eLh+j/jNEuWwhDZynUFLCc2C02n4UWqcZ7XXO6Rj5y7deLhB/erI4l2qvY2OZ96rQM1KfQj77PFBqVTjzY9DX42KB1rYrYeB39usHIpa6U3dBTxv1cHpU2fuTfDpYF+RktTLZ3keCqmC8qfIt2e4ktka0U62WYPfKRje6hjJ6pVwMW6+38f1CKTTI69czkvOOXIPgKs0e2DLkIE6ZUtnQoWuK680Og9z9uwzNsirI0DF1/fKChwgKpo2FAUkNH2uIAItLpMAC6u4cI5EM6A=
Content-Type: text/plain; charset="utf-8"
Content-ID: <85514D4E1088764D9BDEC30F58740C33@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM8PR09MB6967.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e41caaa9-ca9a-4aa8-80bc-08d8617ef66d
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Sep 2020 18:15:19.9765 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rDZbNcDohGQHE9AwT8u33XdURpFGOHVgpTesvp1Gu+67hsrA7CEQtb0PJNappwxB/7mRcqPt6cZ3raa2jwHyIQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR09MB5704
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/JELa-e-cr8qZUIsfcaeC7-p5LJQ>
Subject: Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Sep 2020 18:15:23 -0000
Hi Nick, I'll go inline again, I'll post an update later today, Oliver ----------------------------------------------- Oliver Borchert, Computer Scientist National Institute of Standards and Technology (Office) +1.301.975.4856 (GVoice) +1.240.668.4117 On 9/25/20, 8:07 AM, "Nick Hilliard" <nick@foobar.org> wrote: Borchert, Oliver (Fed) wrote on 21/09/2020 22:51: > Hi Nick, > Please see inline, I added an [ob] in front of my answers. > > On 9/21/20, 4:43 PM, "Sidrops on behalf of Nick Hilliard" <sidrops-bounces@ietf.org on behalf of nick@foobar.org> wrote: > > A receiving BGPsec enabled router SHOULD use the received BGPsec path > > validation state in situations where a locally computed BGPsec > > validation result is not currently available. In the absence of the > > extended community, the receiving BGPsec enabled router MUST NOT make > > any assumption about the validation sate of the UPDATE. > > The second sentence is a no-op, so it would probably be better to remove it. > > [ob] We added that exact wording because during 108, concerns were voiced that > [ob] implementations could interpret the absence of the community string as a > [ob] particular validation result. To prevent this from happening this addition > [ob] was specifically requested. right, noted. I missed the discussion about this in the ietf 108 sidrops session. > [ob] RFC 8205 clearly states that a router can differ local validation. A good > [ob] reason for that could be a temporary resource shortage. In both cases #1 and > [ob] #2, I would assume that the implementation follows RFC 8205. > > [ob] My understanding was always that local validation takes precedence over > [ob] the community value. Ben Maddison brought up implementation differences at the ietf108 session. You're right that it's probably obvious to anyone on the SIDROPS WG that native BGPsec evaluation should take precedence, but developers or other people reading the specs may make different decisions because they're going to approach the document from a different point of view. It would be clearer to make this explicit, e.g. to add a single sentence in the Deployment Considerations section to say: "If the received validation state of a route differs from a BGPsec validation state locally computed according to [RFC8205], then the locally computed BGPsec validation state MUST be used and the received validation state MUST be ignored". [ob] [ob] Sounds good, I'll add that to the end of the "deployment consideration" [ob] On a separate thing, getting back to ebgp stuff, the Deployment Considerations section says: > Furthermore, one can envision that the operator of a BGPsec router > decides to defer local BGPsec validation when a validation state > value is learned via iBGP or a trusted eBGP peer. This needs to be reworded because there is no concept of "trusted eBGP" in rfc4360. Maybe reword as "... when a validation state value is learned via BGP", and just revert to the default behaviour from 4360? [ob] [ob] Agreed. It now will read: [ob] [ob] Furthermore, one can envision that the operator of a BGPsec router decides [ob] to defer local BGPsec validation when a validation state value is learned [pb] via BGP. [ob] also nit: > Implementations MUST drop (without processing) the BGPsec path > validation state extended community if received over a peering > session where either the usage is not enabled or it is not part of a > BGPsec UPDATE. s/peering session/BGP session/ [ob] [ob] Agreed. [ob] Nick
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Keyur Patel
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Nick Hilliard
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Keyur Patel
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Borchert, Oliver (Fed)
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Borchert, Oliver (Fed)
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Nick Hilliard
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Borchert, Oliver (Fed)