IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020

Keyur Patel <keyur@arrcus.com> Mon, 21 September 2020 20:56 UTC

Return-Path: <keyur@arrcus.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6C273A09C4 for <sidrops@ietfa.amsl.com>; Mon, 21 Sep 2020 13:56:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft1331857.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D47pA27inekp for <sidrops@ietfa.amsl.com>; Mon, 21 Sep 2020 13:56:57 -0700 (PDT)
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-co1nam04on0624.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe4d::624]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 043B63A003F for <sidrops@ietf.org>; Mon, 21 Sep 2020 13:56:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YFTsB1S1sjwCare/2NtCkGm1YlEhPK/uiKJ/nQvoe+aUL2oB4s1eVhrxWyR22ztO+R2WmWTFMZGZeRQTGFEpKmQYn/DIeEhC+oAOaWNz/zp99CldzH/UZni404Z5hDJj5EtKQA+HYcnB8/likAmImYRH9QK/nQ9K5KeTGwSdksKNIQT38WB4IYOFfHiiW8oTMkl9doX2mxIu+IspCbZZ61RECyb85fZI5PGpCjaVHQMtnradKmRqcZkjjatiUC4COcj4D7BPW5bbdsRz6bnl7ukJvCqbUo+re0kbHDRnBZfi4ZeHPsJV854W8WMWbmYYhjwooFWsybQoPzAYGKdoxA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fDPivKR81vER+tLhjT/y0Smwx3Ct1cqdZZWzh3gOW4w=; b=dQg2DivQQY3P8ueC5eXwz7IPsWYJSMPgNS64riGyxFXjvtxlvcrMJEDlxIwGm6MTqppzwXe+SXFS585a3cN4WdwKyxycuwnL7qy/LutS9h+MMu+SaJIQ5PhXrEmlAC+XlFcGqdBLJ7q8l3wTU3jBT/CiSTnktJUdwNeaZC32MoyL2Iy5/FKRFwZpKtloC8CuOj1nS1wa/AUEXC0NDN0g4Ka8XmVPg5hQM3Aka2a8P9VFNRcPQTcLxMdAgtIZV5N0I2EYs30j/uj2fyCDu3pzjoSs6OzstNmUdFKkOujMfqD+708X+0h41OjU5eLV9CGNzfJky/1rY9atyQFttYWi7g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arrcus.com; dmarc=pass action=none header.from=arrcus.com; dkim=pass header.d=arrcus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT1331857.onmicrosoft.com; s=selector2-NETORGFT1331857-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fDPivKR81vER+tLhjT/y0Smwx3Ct1cqdZZWzh3gOW4w=; b=E21L0d6Cvac0VJ6tj5SxeAa+fCFaTXfA89wsQ+6abu2WPCaxRTdIFEI8PsVF8voBoigqef0Cv86AtZ5vlcQHR/2gl9AVj2QbTkl95IlMoG18gHXLEm6VAS4jxYEifYKVwOZ15unkadyqJF12v1auQGQoknDbagymTvH2A72zszM=
Received: from BYAPR18MB2696.namprd18.prod.outlook.com (2603:10b6:a03:10b::26) by BY5PR18MB3299.namprd18.prod.outlook.com (2603:10b6:a03:1ac::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.11; Mon, 21 Sep 2020 20:56:55 +0000
Received: from BYAPR18MB2696.namprd18.prod.outlook.com ([fe80::8d49:9af8:4eb:4e2d]) by BYAPR18MB2696.namprd18.prod.outlook.com ([fe80::8d49:9af8:4eb:4e2d%7]) with mapi id 15.20.3391.011; Mon, 21 Sep 2020 20:56:55 +0000
From: Keyur Patel <keyur@arrcus.com>
To: Nick Hilliard <nick@foobar.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020
Thread-Index: AQHWh5erY0vKUlmkVU+BIiVo9bZtualzoEwA//+OpAA=
Date: Mon, 21 Sep 2020 20:56:55 +0000
Message-ID: <9D08DEE0-F651-49C1-8BAA-82ACDFC932BD@arrcus.com>
References: <08ACF86D-6B13-4D7C-ADD9-08227931C107@arrcus.com> <b5038fc3-a25c-5b7a-63ff-c57c05355098@foobar.org>
In-Reply-To: <b5038fc3-a25c-5b7a-63ff-c57c05355098@foobar.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: foobar.org; dkim=none (message not signed) header.d=none;foobar.org; dmarc=none action=none header.from=arrcus.com;
x-originating-ip: [70.234.233.187]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 53b4af09-f574-46b3-5a87-08d85e70df89
x-ms-traffictypediagnostic: BY5PR18MB3299:
x-microsoft-antispam-prvs: <BY5PR18MB3299000C6AFDB699BF656504C13A0@BY5PR18MB3299.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: WUWJwSCoO63/18uVRKoDpQlYIqrQAKBULoVwM3xdAsLRkv8d55vUmTbnktTJg0Q1nAw5LYvRQUIOMDOe87l9iCp6TNKc+BTh5zGl5Yj2oLkWjrw6ECHxdVmPQXHyX4qEbwPQxY7YWYp0tFLcfbZ0VeDSaggmtxz6LfjD46iXPS3wvq9nExF9V/4dD7urP4JEHNT9kLTvPhfeRHcuXkFI5jKbGyohNBF4AqI5QSPLRq1SXWzTNwNVrYPrtnGR0A058xOzZkGzf0m80rVjDiSKWmpXxkHC4Ya4rdTeW/f+T2VM0RqMwiX4osKCowMzQXbCgJ6MsJBZYwdzMPCMHUJMuVzo6qwZKdFAv+h9+++eb4MHcdJOmlaj/KSIhU3v5RqY
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR18MB2696.namprd18.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(366004)(346002)(376002)(136003)(39830400003)(110136005)(71200400001)(2906002)(36756003)(2616005)(26005)(316002)(66446008)(5660300002)(86362001)(8936002)(186003)(8676002)(66476007)(478600001)(6486002)(83380400001)(66574015)(33656002)(66946007)(6506007)(76116006)(64756008)(66556008)(6512007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 2tCflDjqadAnATgd8OIPwwY/2XKd0DTX+DIpOucI/cjChkHatA63IMs3SrPvHaDDyzsjmld8Me/qeteleh7ynNzew2dfRDlHWSf2GoYJrx2MTGxkZH1fD+issi0+cZF1TTzysBbA/AOO28Ar/Il+hCA6bPqHLILHjI0B8gLoJ4TrUGdFDIDmyEExnwtfoZk3bTSi0k/pOWDIKlkkEojQ4hTsha+/7WvA5LB32711rrN2NG7SsHhKsTSFC83jLMMfMY56P8gAAau0h/FN/htlPCK08drGT21JvxbbuP8/1P5PvfVd5qM6dFxhgofJOrnfqdTjjEuC3SCgU+kGjtgIlsHuqGxpFdThGlgcY0F8XzHYe7j6VrEaazabA2M2LaIefLlGW+bPZMzzOXmjfc764IFNw19ivw//Jg3gQ95BnhTBYfi8Ub9BWQFH7Q1rV0hSTvoq32S68gzHKxMGjbpK6r1pL/sUVmqfXuUkJmOtwh9hhhBno7H7cYtXyOOpfSymvaGI8PGpqLRYjHyQ+QWa8Kknpog7YfXP6Bf5sx9MSjU5zLrO7yIHiH0Y1U5P4aLzSPHsapcQnWEJQ6ZD/EVCy5fehn6krQoKdJyq7loKJk0sFKOswpMw1Zjh4FyWzPNN+TVx2Ha8rDpYoEn3X8ATIQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <34F6A5EB760D1C4BB9BD71C91AB2BA8E@namprd18.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arrcus.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR18MB2696.namprd18.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 53b4af09-f574-46b3-5a87-08d85e70df89
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Sep 2020 20:56:55.1564 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 697b3529-5c2b-40cf-a019-193eb78f6820
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: YJEXLeQoDJ2DHmS670WjpNRSiGR3Pk/OeFWEi7G45TdXi1utW95V9HWdKAjuZkgTMxkUnhRXPmsIjLwhf2m9TA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR18MB3299
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/UOBu33CIGgjK5iKwuLVUnTVG2A4>
Subject: Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2020 20:56:59 -0000

Thanks for the comments/clarifications Nick. __

On 9/21/20, 1:42 PM, "Nick Hilliard" <nick@foobar.org> wrote:

    Keyur Patel wrote on 10/09/2020 18:27:
    > The wg chairs extended the call for a week in hopes that we would have a 
    > consensus. Seems like more discussion is needed and so we plan extend 
    > the call for 1 more week. TheWGLCwill now end on September 17, 2020

    this comment is coming a bit late in the day, but I think it would be an 
    idea to clarify the behaviour of the receiving bgp side a little better.

    >    A receiving BGPsec enabled router SHOULD use the received BGPsec path
    >    validation state in situations where a locally computed BGPsec
    >    validation result is not currently available.  In the absence of the
    >    extended community, the receiving BGPsec enabled router MUST NOT make
    >    any assumption about the validation sate of the UPDATE.

    The second sentence is a no-op, so it would probably be better to remove it.

    The draft intends that the bgp receiver treats routes with this extcomm 
    as if they were locally validated by bgpsec.  The simplified state 
    outcome is:

    1. the receiving bgp implementation has bgpsec enabled, and has computed 
    a local validation result for the incoming prefix

    2. the receiving bgp implementation supports bgpsec, but has not 
    computed a local validation result for the incoming prefix

    3. the receiving bgp implementation does not support bgpsec.

    At the moment, the text deals with case #2.  Probably what you want to 
    do here is state that local validation takes preference over the 
    community value.

    Here's some suggested text as a replacement for the paragraph above, 
    which deals with #1 and #2:

    >    A receiving BGPsec enabled router SHOULD use the received BGPsec path
    >    validation state in situations where a locally computed BGPsec
    >    validation result is not currently available.  If a locally computed BGPsec
    >    validation result is available, then the received BGPsec path validation
    >    state MUST be ignored.
    I'm not sure what you intend with state #3. The choices here are: SHOULD 
    implement alternative policy handling mechanism, SHOULD NOT implement 
    alternative policy handling mechanism, or no advice.

    Some of this behaviour could be synthesised using normal policy hooks in 
    the bgp stack's configuration grammar, but that would need coding and 
    could be messy if there were ever future plans to support bgpsec because 
    then there would be two frameworks, probably incompatible with each 
    other.  It would certainly be easier for implementers to state that the 
    draft is not intended for bgp stacks which don't already implement 
    bgpsec.  Do the authors have any thoughts on this one?

    Nick

v2.23.0 | Report a Bug | By Email