IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-route-server-rpki-light-02.txt

Job Snijders <job@instituut.net> Tue, 25 July 2017 15:26 UTC

Return-Path: <job@instituut.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 129C2131CFB for <sidrops@ietfa.amsl.com>; Tue, 25 Jul 2017 08:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=instituut-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnog3fXmvUCp for <sidrops@ietfa.amsl.com>; Tue, 25 Jul 2017 08:26:44 -0700 (PDT)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 490E0131D0F for <sidrops@ietf.org>; Tue, 25 Jul 2017 08:26:44 -0700 (PDT)
Received: by mail-wm0-x22d.google.com with SMTP id m85so45327830wma.1 for <sidrops@ietf.org>; Tue, 25 Jul 2017 08:26:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=instituut-net.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=dlPWfgLOqzM023zZ6s2b4FBVT9nF97P+2o3jH7HMYlg=; b=MRxHhGOpqdoi6IU/C/nyZeh5jaquovQQoVSt4954Xo2i+hz+y7JFlMGs+P982OhWTB hPeOwJdR0ScfFuUDdPrxH6hSuarizroCqGiT+aT8SPHEzKshzPjWLJny5pJsVThPzWcF /BvyMLXB05O3O+NOQoVgm4RK3xGguSQrWLmUDlIVvPjVaqxI7WbDDfv2ozvEOQs4LnM/ AfMG/EBsHdI7aNHl4uNNJt9KFiRlsak2g4KyRk+3gx2qt4WjbFtUf56lsQiTjAp8uFn4 bmkQJRVJWQgzVTBG4SmUYaJW1EYGALcQtHh8pCIddnK4SSWbXMKO8TOSj8+LAhrkkZ9b LJSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=dlPWfgLOqzM023zZ6s2b4FBVT9nF97P+2o3jH7HMYlg=; b=RXamqmsKKAMigb8NaRI6BJdxjaEtBwNhfXCCt/EuuCILDJNq3xu6pfQG0aFqEUFPjG Zt5Hb0FF4EBSTzK2IA+S4f/09H1y/MwPCvCEP/R8Ae9Ow1JYnnpXcEs0St+Wge/xEQGl GMwmAldiQCQghKJULHLjKyP9STT/RTKpUWzm8KmlUXb80CtdOMXNwEY6M8Qn6dAd1BUU LHYXMY8EGxPJLpI+lL3AnQafaUoJdWLBj/ENLevXt7aYOEAEhpaQtxguvBUryY7euuu6 D1nOxroR+sEHOtxr0hQ81Ko2ZsriPMAiblPbmgmt2iffMi4eh5u2A/hSJJ2PvIet6des qyBQ==
X-Gm-Message-State: AIVw111Il3su11aizBtVYwedrTuT6/OWqLzVTFP+RnPjnzb4ngORjkXy yrGFC7bEaOKsbzNg
X-Received: by 10.28.111.218 with SMTP id c87mr7585601wmi.36.1500996402524; Tue, 25 Jul 2017 08:26:42 -0700 (PDT)
Received: from localhost ([2001:67c:208c:10:58db:f3bc:13c1:ac46]) by smtp.gmail.com with ESMTPSA id h1sm15606443wrb.25.2017.07.25.08.26.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Jul 2017 08:26:41 -0700 (PDT)
Date: Tue, 25 Jul 2017 17:26:40 +0200
From: Job Snijders <job@instituut.net>
To: Aris Lambrianidis <aristidis.lambrianidis@ams-ix.net>
Cc: Nick Hilliard <nick@foobar.org>, "sidrops@ietf.org" <sidrops@ietf.org>, draft-ietf-sidrops-route-server-rpki-light@ietf.org
Message-ID: <20170725152640.o2kqovryesai3ysh@hanna.meerval.net>
References: <149192729348.15702.14003842869826829117@ietfa.amsl.com> <8EB8DB53-793E-4269-8CF4-6BAB1D2B76B6@de-cix.net> <B3BC1C5C-27AE-4809-82B6-297D090CEF0C@ams-ix.net> <5971FE7B.6060607@foobar.org> <F1D60787-5C00-46EF-BADE-8E68ECDEB506@ams-ix.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F1D60787-5C00-46EF-BADE-8E68ECDEB506@ams-ix.net>
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: NeoMutt/20170714 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/gldpM2VTFhctvCsaBf2TaNvGkbw>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-route-server-rpki-light-02.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 15:26:47 -0000

Hi,

On Tue, Jul 25, 2017 at 04:38:38PM +0200, Aris Lambrianidis wrote:
> We’re working on an updated draft to elaborate further on the valid
> path hiding concerns you raised, as well as describing a new
> transitive extended BGP community attribute, (instead of reusing the
> one described in RFC8097), based on Job Snijders’ offline comments.

I elaborated that using a non-transitive extended community to cross
EBGP boundaries (in my opinion) is a mis-use of the community transivity
type. I know of a number of BGP implementations which will not send or
accept non-transitive extended communities across EBGP borders.

I am not sure whether a transitive extended community is the way to go
either. A transitive extended community will allow an adversary to
tunnel through networks which don't recognize the semantics of the "BGP
Prefix Origin Validation State Transitive Extended Community" and
possibly negatively impact such networks. This is the trouble with
communities: the granularity available to limit scope and distributino
is very coarse.

I'm not sure there is a good solution here. Any adversy will tag the
malicious announcement as "this is perfectly valid" and hope the 'valid'
community helps mitigate 'rpki light' barriers.

Kind regards,

Job

v2.23.0 | Report a Bug | By Email