headers
Ahmed Bashandy | 3 Apr 2012 01:36
Picon
Favicon

Re: draft-bashandy-idr-bgp-repair-label-03


The concept of PE-CE protection is not new. AFAIK it, was introduced in the paper titled "Achieving sub-second IGP convergence in large IP Networks” published in ACM SIGCOMM Computer Communication Review, 35(3):33-44, July 2005. the idea of having a special label was also mentioned in the paper

draft-bashandy-idr-bgp-repair-label-03 specifies PE-CE protection using repair label in a very concrete manner so that it can be implemented. That is why draft-bashandy-idr-bgp-repair-label-03 is a standards track draft. For example some of the concrete information in draft-bashandy-idr-bgp-repair-label-03 :
- proposes advertising the repair label as an optional non-transitive attribute.
- specifies the syntax of the proposed attribute section 3.1.2.
- Unambiguously specifies the semantics of the repair label and the forwarding behavior on the nodes participating in the scheme
- recommends using per-CE repair label allocation

In addition, the loop prevention specified in draft-bashandy-idr-bgp-repair-label-03 is independent of the method of choosing a repair path. For example, the repair path can be ECMP,  best external, or some other future mechanism.

Besides, the concept of repair label is very general and can be used in other BGP FRR mechanisms such as draft-bashandy-bgp-edge-node-frr-02.

Thanks

Ahmed


On 3/26/2012 1:20 AM, Xuxiaohu wrote:
P { MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px }

Hi co-authors of the abvove draft,

 

In you draft, it said"As usual, each PE allocates a local label for each prefix it can reach through an external neighbor CE. This is the primary label used for normal traffic forwarding." and "To provide repair path information to all PEs, the PE also allocates a repair label to the prefix if it can reach that prefix via an external neighbor."

 

Does it mean the external path which the repair label is associated with is a best external path? If so, could you explain what's difference between the above draft and this draft (http://tools.ietf.org/html/draft-xu-idr-best-external-loop-avoidance-00).

 

BR,

Xiaohu



_______________________________________________ Idr mailing list Idr <at> ietf.org https://www.ietf.org/mailman/listinfo/idr 
_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 1 comment |
headers
Ahmed Bashandy | 3 Apr 2012 05:36
Picon
Favicon

Re: draft-bashandy-idr-bgp-repair-label-03

The correct reference is for PE-CE link protection is the paper titled “Achieving sub-50 milliseconds recovery upon bgp peering link failures,” published in IEEE/ACM Transactions on Networking, 15(5):1123–1135, 2007

Thanks

Ahmed

On 4/2/2012 4:36 PM, Ahmed Bashandy (bashandy) wrote:

The concept of PE-CE protection is not new. AFAIK it, was introduced in the paper titled "Achieving sub-second IGP convergence in large IP Networks” published in ACM SIGCOMM Computer Communication Review, 35(3):33-44, July 2005. the idea of having a special label was also mentioned in the paper

draft-bashandy-idr-bgp-repair-label-03 specifies PE-CE protection using repair label in a very concrete manner so that it can be implemented. That is why draft-bashandy-idr-bgp-repair-label-03 is a standards track draft. For example some of the concrete information in draft-bashandy-idr-bgp-repair-label-03 :
- proposes advertising the repair label as an optional non-transitive attribute.
- specifies the syntax of the proposed attribute section 3.1.2.
- Unambiguously specifies the semantics of the repair label and the forwarding behavior on the nodes participating in the scheme
- recommends using per-CE repair label allocation

In addition, the loop prevention specified in draft-bashandy-idr-bgp-repair-label-03 is independent of the method of choosing a repair path. For example, the repair path can be ECMP,  best external, or some other future mechanism.

Besides, the concept of repair label is very general and can be used in other BGP FRR mechanisms such as draft-bashandy-bgp-edge-node-frr-02.

Thanks

Ahmed


On 3/26/2012 1:20 AM, Xuxiaohu wrote:
P { MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px }

Hi co-authors of the abvove draft,

 

In you draft, it said"As usual, each PE allocates a local label for each prefix it can reach through an external neighbor CE. This is the primary label used for normal traffic forwarding." and "To provide repair path information to all PEs, the PE also allocates a repair label to the prefix if it can reach that prefix via an external neighbor."

 

Does it mean the external path which the repair label is associated with is a best external path? If so, could you explain what's difference between the above draft and this draft (http://tools.ietf.org/html/draft-xu-idr-best-external-loop-avoidance-00).

 

BR,

Xiaohu



_______________________________________________ Idr mailing list Idr <at> ietf.org https://www.ietf.org/mailman/listinfo/idr 
_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 0 comments |
headers
David Freedman | 3 Apr 2012 10:34

Operational Message and Multiple-Sessions

Folks, 

Now that draft-ietf-idr-operational-message is a WG document,
we could do with your valuable input!

We'd like to put in some wording concerning dealing with OPERATIONAL
messaging
over multiple sessions, where we define these as sessions between the same
pair
of router identifiers.
(This could cover the multisession and non-multisession cases)

We would like to make sure that only one session at a time is transmitted
over
(but not preclude this happening in the future, perhaps looking at use
cases with fast control failover) and allow for messages to be received
over multiple sessions (but suggest that the implementation if it does
this, de-duplicate the received information)

For the moment, we're not concerned about which OPERATIONAL message type
is used, since we're decoupling the request from the session type
(for example, we request the AFI/SAFI in the STATE queries),
even in the case of the MUP/DUP/DUMP messages, it shouldn't matter which
session the bad data was transmitted over, only that we get the relevant
information back to the other side (feel free to should loudly if you
think this
decoupling is a bad idea, we think from a simplicity PoV this would be
appropriate)

We're toying with adding wording like this:

------------

Multiple Sessions:

Where multiple sessions are established between the same peer, OPERATIONAL
messages SHOULD be transmitted over a single ESTABLISHED session only,
at any one time.

OPERATIONAL messages MAY be received over multiple ESTABLISHED sessions
from the peer, an implementation SHOULD ensure that no duplicate
information 
is reported to the operator of the system.

------------

We could add the caveat that the transmit session is the oldest
established, in order
to gain some symmetry (do people feel that symmetry is important?)

Dave.

_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 0 comments |
headers
Robert Raszuk | 9 Apr 2012 09:19

Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening


> Your analysis assumes that there a conventional BGP-4 AS_PATH field
> and then there is is BGPSEC_Path_Signatures from which AS path info
> can be inferred separately. This is not true in the latest BGPSEC
> update format as Matt presented it in Paris.

How an optional attribute replace well-known mandatory one ?

Sorry but for such step formal IDR WG approval is necessary if you 
choose to propose BGPSEC_Path_Signatures as mandatory attribute. This is 
major BGP protocol change.

Documentation of partial deployment is required as well as two 
interoperable implementations ;).

RFC4271:

5.1.2.  AS_PATH

    AS_PATH is a well-known mandatory attribute.  This attribute
    identifies the autonomous systems through which routing information
    carried in this UPDATE message has passed.  The components of this
    list can be AS_SETs or AS_SEQUENCEs.

draft-ietf-sidr-bgpsec-protocol-02.txt

    This document specifies a new optional (non-transitive) BGP path
    attribute, BGPSEC_Path_Signatures.

Best regards,
R.

_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 70 comments |
headers
Sriram, Kotikalapudi | 9 Apr 2012 18:15
Favicon

Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

The updates in a BGPSEC island can be BGPSEC (i.e., signed) or BGP-4 (i.e., unsigned).
In either case, the update necessarily has AS-path info.
If the update is BGP-4 (i.e., unsigned), it has the BGP-4 AS_PATH (mandatory) in it.
If the update is BGPSEC (i.e., signed), then it MUST have the "Secure Path" in it. 
The Secure Path is in the form of {ASN1, pCount1, ASN2, pCount2, ...., ASN-k, pCount-k}.
Please refer to slide 8 in Matt's presentation (BGPSEC Protocol) in Paris.
The Secure Path is semantically equivalent to the BGP-4 AS_PATH.
When the update is to leave a BGPSEC island to go to a BGP-4 only AS,
then the Secure Path is easily converted to BGP-4 AS_PATH at the edge of the BGPSEC island. 
Any prepend ASN that was collapsed in BGPSEC will be repeated pCount number of times,
and any transparent route server ASN (with pCount=0) in BGPSEC will be removed.
Is this semantic equivalence (of the Secure Path) and 
the guarantee of convertibility to BGP-4 AS_PATH not enough?
Should we really require in BGPSEC that the BGP-4 AS_PATH be carried (in a pristine way)
in addition to the Secure Path, albeit at the cost of duplication and associated 
processing cost/confusion? Just a honest question seeking people's opinion.

Sriram  

>-----Original Message-----
>From: sidr-bounces <at> ietf.org [mailto:sidr-bounces <at> ietf.org] On Behalf Of Robert
>Raszuk
>Sent: Monday, April 09, 2012 3:19 AM
>To: sidr <at> ietf.org
>Cc: idr <at> ietf.org List
>Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening
>
>
>> Your analysis assumes that there a conventional BGP-4 AS_PATH field
>> and then there is is BGPSEC_Path_Signatures from which AS path info
>> can be inferred separately. This is not true in the latest BGPSEC
>> update format as Matt presented it in Paris.
>
>How an optional attribute replace well-known mandatory one ?
>
>Sorry but for such step formal IDR WG approval is necessary if you choose to
>propose BGPSEC_Path_Signatures as mandatory attribute. This is major BGP
>protocol change.
>
>Documentation of partial deployment is required as well as two interoperable
>implementations ;).
>
>RFC4271:
>
>5.1.2.  AS_PATH
>
>    AS_PATH is a well-known mandatory attribute.  This attribute
>    identifies the autonomous systems through which routing information
>    carried in this UPDATE message has passed.  The components of this
>    list can be AS_SETs or AS_SEQUENCEs.
>
>
>draft-ietf-sidr-bgpsec-protocol-02.txt
>
>    This document specifies a new optional (non-transitive) BGP path
>    attribute, BGPSEC_Path_Signatures.
>
>
>Best regards,
>R.
_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 0 comments |
headers
Robert Raszuk | 9 Apr 2012 18:29

Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

Hi Sriram,

 > When the update is to leave a BGPSEC island to go to a BGP-4 only AS,
 > then the Secure Path is easily converted to BGP-4 AS_PATH at the edge
 > of the BGPSEC island.

What happens in the opposite direction ? How AS_PATH/AS4_PATH can be 
converted to BGPSEC_Path_Signatures without all necessary information 
present at the ASBR at any arbitrary Autonomous System ? Are you going 
to propose NULL signatures ?

How are you planning on a flag date where all ASBRs in the Internet are 
BGPSEC complaint ?

Why one needs to upgrade also all P routers (intra domain BGP speakers) 
to be BGPSEC complaint provided he is not using BGP as an overlay today?

If you think removal of AS_PATH/AS4_PATH is helpful in any way the much 
simpler would be to define new set of AFIs and call it "SECURED" leaving 
current AFI 1 and AFI 2 unchanged BGP protocol wise.

Thx,
R.

> The updates in a BGPSEC island can be BGPSEC (i.e., signed) or BGP-4 (i.e., unsigned).
> In either case, the update necessarily has AS-path info.
> If the update is BGP-4 (i.e., unsigned), it has the BGP-4 AS_PATH (mandatory) in it.
> If the update is BGPSEC (i.e., signed), then it MUST have the "Secure Path" in it.
> The Secure Path is in the form of {ASN1, pCount1, ASN2, pCount2, ...., ASN-k, pCount-k}.
> Please refer to slide 8 in Matt's presentation (BGPSEC Protocol) in Paris.
> The Secure Path is semantically equivalent to the BGP-4 AS_PATH.
> When the update is to leave a BGPSEC island to go to a BGP-4 only AS,
> then the Secure Path is easily converted to BGP-4 AS_PATH at the edge of the BGPSEC island.
> Any prepend ASN that was collapsed in BGPSEC will be repeated pCount number of times,
> and any transparent route server ASN (with pCount=0) in BGPSEC will be removed.
> Is this semantic equivalence (of the Secure Path) and
> the guarantee of convertibility to BGP-4 AS_PATH not enough?
> Should we really require in BGPSEC that the BGP-4 AS_PATH be carried (in a pristine way)
> in addition to the Secure Path, albeit at the cost of duplication and associated
> processing cost/confusion? Just a honest question seeking people's opinion.
>
> Sriram
>
>> -----Original Message-----
>> From: sidr-bounces <at> ietf.org [mailto:sidr-bounces <at> ietf.org] On Behalf Of Robert
>> Raszuk
>> Sent: Monday, April 09, 2012 3:19 AM
>> To: sidr <at> ietf.org
>> Cc: idr <at> ietf.org List
>> Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening&  lengthening
>>
>>
>>> Your analysis assumes that there a conventional BGP-4 AS_PATH field
>>> and then there is is BGPSEC_Path_Signatures from which AS path info
>>> can be inferred separately. This is not true in the latest BGPSEC
>>> update format as Matt presented it in Paris.
>>
>> How an optional attribute replace well-known mandatory one ?
>>
>> Sorry but for such step formal IDR WG approval is necessary if you choose to
>> propose BGPSEC_Path_Signatures as mandatory attribute. This is major BGP
>> protocol change.
>>
>> Documentation of partial deployment is required as well as two interoperable
>> implementations ;).
>>
>> RFC4271:
>>
>> 5.1.2.  AS_PATH
>>
>>     AS_PATH is a well-known mandatory attribute.  This attribute
>>     identifies the autonomous systems through which routing information
>>     carried in this UPDATE message has passed.  The components of this
>>     list can be AS_SETs or AS_SEQUENCEs.
>>
>>
>> draft-ietf-sidr-bgpsec-protocol-02.txt
>>
>>     This document specifies a new optional (non-transitive) BGP path
>>     attribute, BGPSEC_Path_Signatures.
>>
>>
>> Best regards,
>> R.
> _______________________________________________
> Idr mailing list
> Idr <at> ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>

_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 0 comments |
headers
Murphy, Sandra | 9 Apr 2012 19:07

Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

speaking as regular ol' member

There is no reverse direction.

Incoming paths that are unsigned are not propagated by bgpsec speakers as signed paths.

And intradomain BGP speakers do not use bgpsec (ebgp sessions only).

And AS4_PATH is not needed in bgpsec speakers - who are assumed to be 4-byte aware.

So no need to worry about ASBRs, flag days, etc.  Don't worry, no problem.

--Sandy, speaking as regular ol' member.

________________________________________
From: sidr-bounces <at> ietf.org [sidr-bounces <at> ietf.org] on behalf of Robert Raszuk [robert <at> raszuk.net]
Sent: Monday, April 09, 2012 12:29 PM
To: Sriram, Kotikalapudi
Cc: idr <at> ietf.org List; sidr <at> ietf.org
Subject: Re: [sidr] [Idr] draft-ietf-sidr-bgpsec-threats-02: Path shortening &  lengthening

Hi Sriram,

 > When the update is to leave a BGPSEC island to go to a BGP-4 only AS,
 > then the Secure Path is easily converted to BGP-4 AS_PATH at the edge
 > of the BGPSEC island.

What happens in the opposite direction ? How AS_PATH/AS4_PATH can be
converted to BGPSEC_Path_Signatures without all necessary information
present at the ASBR at any arbitrary Autonomous System ? Are you going
to propose NULL signatures ?

How are you planning on a flag date where all ASBRs in the Internet are
BGPSEC complaint ?

Why one needs to upgrade also all P routers (intra domain BGP speakers)
to be BGPSEC complaint provided he is not using BGP as an overlay today?

If you think removal of AS_PATH/AS4_PATH is helpful in any way the much
simpler would be to define new set of AFIs and call it "SECURED" leaving
current AFI 1 and AFI 2 unchanged BGP protocol wise.

Thx,
R.

> The updates in a BGPSEC island can be BGPSEC (i.e., signed) or BGP-4 (i.e., unsigned).
> In either case, the update necessarily has AS-path info.
> If the update is BGP-4 (i.e., unsigned), it has the BGP-4 AS_PATH (mandatory) in it.
> If the update is BGPSEC (i.e., signed), then it MUST have the "Secure Path" in it.
> The Secure Path is in the form of {ASN1, pCount1, ASN2, pCount2, ...., ASN-k, pCount-k}.
> Please refer to slide 8 in Matt's presentation (BGPSEC Protocol) in Paris.
> The Secure Path is semantically equivalent to the BGP-4 AS_PATH.
> When the update is to leave a BGPSEC island to go to a BGP-4 only AS,
> then the Secure Path is easily converted to BGP-4 AS_PATH at the edge of the BGPSEC island.
> Any prepend ASN that was collapsed in BGPSEC will be repeated pCount number of times,
> and any transparent route server ASN (with pCount=0) in BGPSEC will be removed.
> Is this semantic equivalence (of the Secure Path) and
> the guarantee of convertibility to BGP-4 AS_PATH not enough?
> Should we really require in BGPSEC that the BGP-4 AS_PATH be carried (in a pristine way)
> in addition to the Secure Path, albeit at the cost of duplication and associated
> processing cost/confusion? Just a honest question seeking people's opinion.
>
> Sriram
>
>> -----Original Message-----
>> From: sidr-bounces <at> ietf.org [mailto:sidr-bounces <at> ietf.org] On Behalf Of Robert
>> Raszuk
>> Sent: Monday, April 09, 2012 3:19 AM
>> To: sidr <at> ietf.org
>> Cc: idr <at> ietf.org List
>> Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening&  lengthening
>>
>>
>>> Your analysis assumes that there a conventional BGP-4 AS_PATH field
>>> and then there is is BGPSEC_Path_Signatures from which AS path info
>>> can be inferred separately. This is not true in the latest BGPSEC
>>> update format as Matt presented it in Paris.
>>
>> How an optional attribute replace well-known mandatory one ?
>>
>> Sorry but for such step formal IDR WG approval is necessary if you choose to
>> propose BGPSEC_Path_Signatures as mandatory attribute. This is major BGP
>> protocol change.
>>
>> Documentation of partial deployment is required as well as two interoperable
>> implementations ;).
>>
>> RFC4271:
>>
>> 5.1.2.  AS_PATH
>>
>>     AS_PATH is a well-known mandatory attribute.  This attribute
>>     identifies the autonomous systems through which routing information
>>     carried in this UPDATE message has passed.  The components of this
>>     list can be AS_SETs or AS_SEQUENCEs.
>>
>>
>> draft-ietf-sidr-bgpsec-protocol-02.txt
>>
>>     This document specifies a new optional (non-transitive) BGP path
>>     attribute, BGPSEC_Path_Signatures.
>>
>>
>> Best regards,
>> R.
> _______________________________________________
> Idr mailing list
> Idr <at> ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>

_______________________________________________
sidr mailing list
sidr <at> ietf.org
https://www.ietf.org/mailman/listinfo/sidr
_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 63 comments |
headers
Robert Raszuk | 9 Apr 2012 19:22

Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

Hi Sandy,

> There is no reverse direction.

What do you mean there is no reverse direction ?

Sriram said:

"When the update is to leave a BGPSEC island to go to a BGP-4 only AS,
then the Secure Path is easily converted to BGP-4 AS_PATH at the edge of
the BGPSEC island."

That means that there is EBGP peering at the two ASes which on one side
supports BGPSEC on the other does not.

In order to establish any form of bidirectional communication sites on
the left need to know how to reach sites on the right and vice versa.

So your below "Don't worry, no problem" directly means "no 
reachability". I am afraid there is slight problem with that.

Best regards,
R.

> speaking as regular ol' member
>
> There is no reverse direction.
>
> Incoming paths that are unsigned are not propagated by bgpsec
> speakers as signed paths.
>
> And intradomain BGP speakers do not use bgpsec (ebgp sessions only).
>
> And AS4_PATH is not needed in bgpsec speakers - who are assumed to be
> 4-byte aware.
>
> So no need to worry about ASBRs, flag days, etc.  Don't worry, no
> problem.
>
> --Sandy, speaking as regular ol' member.
>
>
> ________________________________________ From: sidr-bounces <at> ietf.org
> [sidr-bounces <at> ietf.org] on behalf of Robert Raszuk
> [robert <at> raszuk.net] Sent: Monday, April 09, 2012 12:29 PM To: Sriram,
> Kotikalapudi Cc: idr <at> ietf.org List; sidr <at> ietf.org Subject: Re: [sidr]
> [Idr] draft-ietf-sidr-bgpsec-threats-02: Path shortening&
> lengthening
>
> Hi Sriram,
>
>> When the update is to leave a BGPSEC island to go to a BGP-4 only
>> AS, then the Secure Path is easily converted to BGP-4 AS_PATH at
>> the edge of the BGPSEC island.
>
> What happens in the opposite direction ? How AS_PATH/AS4_PATH can be
> converted to BGPSEC_Path_Signatures without all necessary
> information present at the ASBR at any arbitrary Autonomous System ?
> Are you going to propose NULL signatures ?
>
> How are you planning on a flag date where all ASBRs in the Internet
> are BGPSEC complaint ?
>
> Why one needs to upgrade also all P routers (intra domain BGP
> speakers) to be BGPSEC complaint provided he is not using BGP as an
> overlay today?
>
> If you think removal of AS_PATH/AS4_PATH is helpful in any way the
> much simpler would be to define new set of AFIs and call it "SECURED"
> leaving current AFI 1 and AFI 2 unchanged BGP protocol wise.
>
> Thx, R.
>
>
>> The updates in a BGPSEC island can be BGPSEC (i.e., signed) or
>> BGP-4 (i.e., unsigned). In either case, the update necessarily has
>> AS-path info. If the update is BGP-4 (i.e., unsigned), it has the
>> BGP-4 AS_PATH (mandatory) in it. If the update is BGPSEC (i.e.,
>> signed), then it MUST have the "Secure Path" in it. The Secure Path
>> is in the form of {ASN1, pCount1, ASN2, pCount2, ...., ASN-k,
>> pCount-k}. Please refer to slide 8 in Matt's presentation (BGPSEC
>> Protocol) in Paris. The Secure Path is semantically equivalent to
>> the BGP-4 AS_PATH. When the update is to leave a BGPSEC island to
>> go to a BGP-4 only AS, then the Secure Path is easily converted to
>> BGP-4 AS_PATH at the edge of the BGPSEC island. Any prepend ASN
>> that was collapsed in BGPSEC will be repeated pCount number of
>> times, and any transparent route server ASN (with pCount=0) in
>> BGPSEC will be removed. Is this semantic equivalence (of the Secure
>> Path) and the guarantee of convertibility to BGP-4 AS_PATH not
>> enough? Should we really require in BGPSEC that the BGP-4 AS_PATH
>> be carried (in a pristine way) in addition to the Secure Path,
>> albeit at the cost of duplication and associated processing
>> cost/confusion? Just a honest question seeking people's opinion.
>>
>> Sriram
>>
>>> -----Original Message----- From: sidr-bounces <at> ietf.org
>>> [mailto:sidr-bounces <at> ietf.org] On Behalf Of Robert Raszuk Sent:
>>> Monday, April 09, 2012 3:19 AM To: sidr <at> ietf.org Cc: idr <at> ietf.org
>>> List Subject: Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path
>>> shortening&   lengthening
>>>
>>>
>>>> Your analysis assumes that there a conventional BGP-4 AS_PATH
>>>> field and then there is is BGPSEC_Path_Signatures from which AS
>>>> path info can be inferred separately. This is not true in the
>>>> latest BGPSEC update format as Matt presented it in Paris.
>>>
>>> How an optional attribute replace well-known mandatory one ?
>>>
>>> Sorry but for such step formal IDR WG approval is necessary if
>>> you choose to propose BGPSEC_Path_Signatures as mandatory
>>> attribute. This is major BGP protocol change.
>>>
>>> Documentation of partial deployment is required as well as two
>>> interoperable implementations ;).
>>>
>>> RFC4271:
>>>
>>> 5.1.2.  AS_PATH
>>>
>>> AS_PATH is a well-known mandatory attribute.  This attribute
>>> identifies the autonomous systems through which routing
>>> information carried in this UPDATE message has passed.  The
>>> components of this list can be AS_SETs or AS_SEQUENCEs.
>>>
>>>
>>> draft-ietf-sidr-bgpsec-protocol-02.txt
>>>
>>> This document specifies a new optional (non-transitive) BGP path
>>> attribute, BGPSEC_Path_Signatures.
>>>
>>>
>>> Best regards, R.

_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 4 comments |
headers
Montgomery, Douglas | 9 Apr 2012 19:48
Favicon

Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening


On 4/9/12 1:22 PM, "Robert Raszuk" <robert <at> raszuk.net> wrote:

>Hi Sandy,
>
>> There is no reverse direction.
>
>What do you mean there is no reverse direction ?
>
>Sriram said:
>
>"When the update is to leave a BGPSEC island to go to a BGP-4 only AS,
>then the Secure Path is easily converted to BGP-4 AS_PATH at the edge of
>the BGPSEC island."
>
>That means that there is EBGP peering at the two ASes which on one side
>supports BGPSEC on the other does not.

Right.  BGPSEC doesn't support partially signed PATHS.  Thus a update
either starts off signed, or it is not signed at all.

You can take a signed path, strip the PATH-SIG, reconstruct the AS-PATH
and transmit it to a non-BGPSEC speaker.  But from that point on, the PATH
remains unsigned.

A path that starts off unsigned, will always remain unsigned.

Dougm

_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 0 comments |
headers
Robert Raszuk | 9 Apr 2012 20:02

Re: [sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

Hi,

> A path that starts off unsigned, will always remain unsigned.

Do you mean that:

"A path that starts off unsinged or transits via at least one non BGPSEC 
enabled BGP router (edge or core) will always remain unsigned."

?

Many thx,
R.

_______________________________________________
Idr mailing list
Idr <at> ietf.org
https://www.ietf.org/mailman/listinfo/idr
Permalink | Reply | 0 comments |

Gmane