Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020
"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Tue, 22 September 2020 20:37 UTC
Return-Path: <oliver.borchert@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA0E13A1980 for <sidrops@ietfa.amsl.com>; Tue, 22 Sep 2020 13:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.243
X-Spam-Level:
X-Spam-Status: No, score=-4.243 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.448, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZZhqmPCIHUiD for <sidrops@ietfa.amsl.com>; Tue, 22 Sep 2020 13:37:16 -0700 (PDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02on2126.outbound.protection.outlook.com [40.107.89.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60A6F3A1985 for <sidrops@ietf.org>; Tue, 22 Sep 2020 13:37:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=i32tLEUpf1O8za4csV8IBzQmxEfj9atHM1+VfftZjz7dGgIaxxfbPtfCeJkGevtYg3EASp/TBdZh/jM1E8NS9MhCepaUYyC3pXX9CGDysoruXLtWAzjE8tpN81YwSPBkZlEUX6CwsDQwUcz8eUqWu0Z7UCmpfqu/5bEfmYL08YxR6jFirVIXgvApIdYBKhjQ3NJSopfMc6/BI2hpCpbKqz0duEJwZ/NZQz297fhdqbEkhibrf183oNes2BEdgOBmdrVNKXGd9e6uM45KRw66MrVQnPXtV7E5gW4medBtAWEGVy+MDprv+A0UZpKZFqH4Dl5n5hV9zFugXpMM0Lwv/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6953dT+K/V7ET79kq++H51DtroidwUYyuKf09FOwJv4=; b=fuaoaU8SyxWwC1oyVwiWEamwcgKmqW2yHH772/nQg5babGL6jZ/CAdxmy8ctk03k1Q3R1418TwjDjkXeBiSFcPv289TTJTdWfqruiF7ZkQOw3mWC2/ddzer7HEuVBFRWDlgXAFy4kUtZsmRXyxtEbH5Jjo1kg6qkxi7YAwQik6p+BZpa3amWL2PBZdNNYHErKQllWyyEgTiDc/5BMEUgarf/lWtEVvnc6j5hKcFCyPwc3H5u6rU9RbMcsoU5f+WDvyZaSTk5yHgdy1h+waWBB2moasn/LTOAGwuI7adxW0Notu/TayNZSnctFWHqtPIUyhkuQojERhWrCJd7bhfF2A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6953dT+K/V7ET79kq++H51DtroidwUYyuKf09FOwJv4=; b=j4m8TyblIHc+c+ggOczyELercawZ7pw8KBRHYNqWhdFvDFvXpaKH/3siXigR7TwCc6ChTNPHsQ+D2AvW4FbXkSEafX+cLuuhRyuZsJLvapAs7jJ50mCyz/xGTMmDb6JSMttp4FcoFReP8imYR7bA6AvSNWjabVUZm8sQu4Hzh7I=
Received: from BLAPR09MB6963.namprd09.prod.outlook.com (2603:10b6:208:289::7) by MN2PR09MB5564.namprd09.prod.outlook.com (2603:10b6:208:217::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.20; Tue, 22 Sep 2020 20:37:13 +0000
Received: from BLAPR09MB6963.namprd09.prod.outlook.com ([fe80::558c:763b:a7d:1edc]) by BLAPR09MB6963.namprd09.prod.outlook.com ([fe80::558c:763b:a7d:1edc%6]) with mapi id 15.20.3412.020; Tue, 22 Sep 2020 20:37:12 +0000
From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: Nick Hilliard <nick@foobar.org>, "sidrops@ietf.org" <sidrops@ietf.org>
CC: Keyur Patel <keyur@arrcus.com>, "Montgomery, Douglas C. (Fed)" <dougm@nist.gov>, "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
Thread-Topic: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020
Thread-Index: AQHWh5erY0vKUlmkVU+BIiVo9bZtualzoEwA///QC4CAAX23AA==
Date: Tue, 22 Sep 2020 20:37:12 +0000
Message-ID: <DA447AF8-AF1F-47D2-91DB-0D36738514C1@nist.gov>
References: <08ACF86D-6B13-4D7C-ADD9-08227931C107@arrcus.com> <b5038fc3-a25c-5b7a-63ff-c57c05355098@foobar.org> <65695FF6-52DD-44A8-9EED-206821D74596@nist.gov>
In-Reply-To: <65695FF6-52DD-44A8-9EED-206821D74596@nist.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.41.20091302
authentication-results: foobar.org; dkim=none (message not signed) header.d=none;foobar.org; dmarc=none action=none header.from=nist.gov;
x-originating-ip: [2610:20:6005:218::58]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 9d9a7280-16bc-48af-c78c-08d85f37493f
x-ms-traffictypediagnostic: MN2PR09MB5564:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <MN2PR09MB5564B0C657DBF17E28B4E4BE983B0@MN2PR09MB5564.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YDpXF/HFLdWxvHpyqt58JfEI4mID1+X3CXfEnH8g13oX9QG05On8UNWN86y+BdBeDUu0MkNDNDkbMXprrB7t7PeTyhxM/keUXKZzRNpJgkowmQ3DTonIVMNvSBKd2rEvBQ0Tsw+J5nz3B0xvGwrJdbTs61/BqGFRY5H6Bv9MW1YK/NZYteYMbbU/oArTNJvUTLUmmGGJHTBGk7bDXNUHxNGbup3JmzLumaoxR4x4Rtsq1bB8h+m0qtydv1f1WUgIy34mYC05gZFvm9R1R2PLTk+UMP8q5Ed73MiNZrFfYVm3UK1v60S7A6XPTeb2ocAS9qRnmH70SvKG7QPSDTLeb9bNpTnqgq4fK3JL8bh7T1BzLyCfc8Htnhin+nwbJ3EkyoAYFxVkFiZhBmLHckVmuw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BLAPR09MB6963.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(366004)(39850400004)(136003)(346002)(376002)(66574015)(6512007)(53546011)(33656002)(86362001)(2616005)(478600001)(8936002)(110136005)(71200400001)(5660300002)(54906003)(83380400001)(8676002)(6506007)(4326008)(66946007)(66476007)(66556008)(64756008)(66446008)(76116006)(186003)(107886003)(316002)(966005)(2906002)(36756003)(6486002)(91956017); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: MOHg2wZBbIc4N2YaxCbTUwauWCCXbrPss2NlR5NmXWTMAS1VKh1KOroM8pC0pYyL9O9oYOGhuXPRI1nEp+sAFc8levP/w4FyQRRqt5leQcx/M7mXkb810KLW6jB5rfBIaVQrqL5waOn0O6eZa0TFkM9md2pV7EDw5hGORMaUOXSZrL8eGMscHpbkypbKhQNf469dqqFEF5uKdUrsWYhjX9V9dqz0gLf8sWHUix1I1BF+63RvUnIzCXFGhqmiXXBiEj/ApGNMaH00vKzbk5lbrUGpag6GgtUdzgTmwJ2w02tFTI2StqnIZMNQF6ztNbvxIWmOHULcROuqfq8z7lQXYm8HgUSDAwqF5etdLeklYnl2FOxNhZNIlW/u1GkQH4sP5S5tytZPBq1uGh5diuduSmJ8wnt23CCcjHDbd5QPdXI3e00594yGkQFt71iQkJ7CwSdxnZvzWhWC6M4RHz6V3JjUcif+eQj3dYyLyqifYVFA//tMvXqSaeD8BdUPPgWx/+2jlxEocZSOaXpbABGKpUNidnk/pkoPIv3uCQ1MUgqzKoj/tv9LDwb5PCSFEuD8a3I3/fRhxTTiB+wzMQVdiHhOXGM3rcrFbNyjUX55D9keU/vJaeVO5YSdbKThIrPX31tiPd98pvU8FJL7td7N6cHsiH6c598Ph1DAlxguCQ0=
Content-Type: text/plain; charset="utf-8"
Content-ID: <D3C0151BF6E9C649B12B0F8279FE5B08@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR09MB6963.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9d9a7280-16bc-48af-c78c-08d85f37493f
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Sep 2020 20:37:12.8596 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: gB9tOFPMu8O4G04Lr3mldEnpV/IJWApn0LHpMCazeLyKS5w/HziLYrRRzQV1s+UyJF5CZCdTizo48sK/IFiw5g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR09MB5564
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/epsQwlbxg0T28ALw1r3mHxGyruw>
Subject: Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 17/September/2020
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 20:37:19 -0000
I just uploaded the new version of the document including modifications Made in the following areas. I had discussions around extended community, eBGP, and RFC4360 including the last discussion, Nick has brought to the list. Today we modified the draft text and uploaded the newest version. The new version does address the issues that were raised during the WLC. Below I try to explain a bit the changes and the motivation. Of course the regular diff version does the same job. https://tools.ietf.org/html/draft-sidrops-bgpsec-validation-signaling-04 Thanks to all for the discussion and input, Oliver Modification 1: ================= This addresses the issue with RFC4360 and eBGP Original Text: ... If the router supports the extension as defined in this document, it SHOULD attach the BGPsec path validation state extended community to BGPsec UPDATE messages sent to BGP peers by mapping the locally computed validation state into the last octet of the extended community. This SHOULD be done automatically for iBGP peers and configurable for eBGP peers (see below). The last Sentence: This SHOULD be done automatically for iBGP peers and configurable for eBGP peers (see below). Is replaced with: Operational behavior is governed by Section 6 of [RFC4360]. Modification 2: ================= This modification addresses Nicks comment regarding the absence of the ext comm attribute and what that meant regarding the validation state of the UPDATE Original Text: In the absence of the extended community, the receiving BGPsec enabled router MUST NOT make any assumption about the validation sate of the UPDATE. We added the word "peer's" in front of validation: In the absence of the extended community, the receiving BGPsec enabled router MUST NOT make any assumption about the peer's validation state of the UPDATE. Modification 3: ================= This addresses Nicks comment regarding the local validation vs. received validation. We added the following sentence to the paragraph of Modification 2 Added sentence: A locally computed validation state for an UPDATE takes precedence over the received validation state. Modification 4: ================= This modification removed the mention of eBGP and other handlings of the ext com. It is generally handled in RFC4360. We also addressed case #3 of Nick where a non-BGPsec speaker is involved. Original Text: By default, routers SHOULD enable use of this community on all iBGP sessions and routers SHOULD disable the use of this community on all eBGP sessions. Implementations MUST NOT send more than one instance of the origin validation state extended community and MUST drop (without processing) the BGPsec path validation state extended community if received over an External BGP (eBGP) peering session that has not be explicitly configured to enable processing. New Text: By default, routers SHOULD enable use of this community on all iBGP sessions. Implementations MUST NOT send more than one instance of the BGPsec validation state extended community. Implementations MUST NOT send the extended community if not in a BGPsec UPDATE. Implementations MUST drop (without processing) the BGPsec path validation state extended community if received over a peering session where either the usage is not enabled or it is not part of a BGPsec UPDATE. Oliver ----------------------------------------------- Oliver Borchert, Computer Scientist National Institute of Standards and Technology On 9/21/20, 5:51 PM, "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> wrote: Hi Nick, Please see inline, I added an [ob] in front of my answers. On 9/21/20, 4:43 PM, "Sidrops on behalf of Nick Hilliard" <sidrops-bounces@ietf.org on behalf of nick@foobar.org> wrote: Keyur Patel wrote on 10/09/2020 18:27: > The wg chairs extended the call for a week in hopes that we would have a > consensus. Seems like more discussion is needed and so we plan extend > the call for 1 more week. TheWGLCwill now end on September 17, 2020 this comment is coming a bit late in the day, but I think it would be an idea to clarify the behaviour of the receiving bgp side a little better. > A receiving BGPsec enabled router SHOULD use the received BGPsec path > validation state in situations where a locally computed BGPsec > validation result is not currently available. In the absence of the > extended community, the receiving BGPsec enabled router MUST NOT make > any assumption about the validation sate of the UPDATE. The second sentence is a no-op, so it would probably be better to remove it. [ob] We added that exact wording because during 108, concerns were voiced that [ob] implementations could interpret the absence of the community string as a [ob] particular validation result. To prevent this from happening this addition [ob] was specifically requested. The draft intends that the bgp receiver treats routes with this extcomm as if they were locally validated by bgpsec. The simplified state outcome is: 1. the receiving bgp implementation has bgpsec enabled, and has computed a local validation result for the incoming prefix 2. the receiving bgp implementation supports bgpsec, but has not computed a local validation result for the incoming prefix 3. the receiving bgp implementation does not support bgpsec. At the moment, the text deals with case #2. Probably what you want to do here is state that local validation takes preference over the community value. Here's some suggested text as a replacement for the paragraph above, which deals with #1 and #2: > A receiving BGPsec enabled router SHOULD use the received BGPsec path > validation state in situations where a locally computed BGPsec > validation result is not currently available. If a locally computed BGPsec > validation result is available, then the received BGPsec path validation > state MUST be ignored. I'm not sure what you intend with state #3. The choices here are: SHOULD implement alternative policy handling mechanism, SHOULD NOT implement alternative policy handling mechanism, or no advice. [ob] RFC 8205 clearly states that a router can differ local validation. A good [ob] reason for that could be a temporary resource shortage. In both cases #1 and [ob] #2, I would assume that the implementation follows RFC 8205. [ob] My understanding was always that local validation takes precedence over [ob] the community value. The community value can be used until local validation [ob] is performed. The community attribute serves two purposes. Signaling [ob] the validation state within the boundaries of RFC4360 to (1) allow using [ob] a validation state until the router can perform the validation and (2) for [ob] operators to have a tool for diagnosis. [ob] I am not really concerned with case #3 because even without the community, [ob] operators can create an ext. comm. to signal the validation state to non [ob] BGPsec speakers. Some of this behaviour could be synthesised using normal policy hooks in the bgp stack's configuration grammar, but that would need coding and could be messy if there were ever future plans to support bgpsec because then there would be two frameworks, probably incompatible with each other. It would certainly be easier for implementers to state that the draft is not intended for bgp stacks which don't already implement bgpsec. Do the authors have any thoughts on this one? [ob] I believe that this community string serves multiple purposes as explained [ob] above and if someone really wants to use community strings to send a [ob] BGPsec validation state to a non BGPsec speaker, they can do so already by [ob] hand crafting their own community. Again as it was mentioned during some [ob] email exchange on the list some time ago, the absence of the ext. com. does [ob] not prevent operators of sending validation results. Nick Oliver
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Keyur Patel
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Nick Hilliard
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Keyur Patel
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Borchert, Oliver (Fed)
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Borchert, Oliver (Fed)
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Nick Hilliard
- Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validat… Borchert, Oliver (Fed)