Re: [sidr] Fw: New Version Notification for draft-ietf-sidr-bgpsec-protocol-19.txt
At Sun, 27 Nov 2016 14:53:17 +, "Sriram, Kotikalapudi (Fed)"wrote: > > This new version of the BGPsec specification draft incorporates > Alvaro's (Routing AD) comments. Another email follows that provides > responses to the comments and clarifies how each of the comments were > incorporated in the revision. Great, thanks! (for getting this done in short order, and after a long week away) -chris > > Sriram > > From: > internet-dra...@ietf.org Sent: Sunday, > November 27, 2016 9:30 AM To: Matthew Lepinski; Sriram, Kotikalapudi > (Fed) Subject: New Version Notification for > draft-ietf-sidr-bgpsec-protocol-19.txt > > A new version of I-D, draft-ietf-sidr-bgpsec-protocol-19.txt has been > successfully submitted by Kotikalapudi Sriram and posted to the IETF > repository. > > Name: draft-ietf-sidr-bgpsec-protocol Revision: 19 Title: BGPsec > Protocol Specification Document date: 2016-11-27 Group: sidr Pages: 40 > URL: > https://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-protocol-19.txt > Status: > https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/ > Htmlized: > https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-19 Diff: > https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-protocol-19 > > Abstract: >This document describes BGPsec, an extension to the Border Gateway >Protocol (BGP) that provides security for the path of autonomous >systems through which a BGP update message passes. BGPsec is >implemented via an optional non-transitive BGP path attribute that >carries a digital signature produced by each autonomous system that >propagates the update message. > > > > > Please note that it may take a couple of minutes from the time of > submission until the htmlized version and diff are available at > tools.ietf.org. > > The IETF Secretariat ___ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
Re: [sidr] AD Review of draft-ietf-sidr-bgpsec-protocol-18
Hi Alvaro, Thank you very much for this thorough and detailed set of comments. They greatly help improve the clarity, accuracy, and presentation in the document. I have worked with each of the comments and incorporated changes accordingly in the document. Please see version-19 that was just submitted. Many thanks to Sean Turner for his help with the updated IANA considerations section. My responses to your individual comments are shown below and are marked with [Sriram]. Let me know if the pdf opens OK for you. Also, please let me know if I missed anything. Regards, Sriram P.S. I tried to send this message with a pdf attachment earlier to the SIDR list. But looks like that post was not accepted by the IETF email exploder due to the attachment, may be? So I have copied and pasted here the text from the pdf. There may be line-wrap issue -- let us see. --- Dear authors: Hi! First of all, thank you for taking on the duties of editing this document. I have several comments (see below). For the most part, I think they should be easy to solve as many are related to clarifications. Most of the comments I classified as Major are due to the use of Normative language. The biggest concern I have with this document is the lack of an Operations and Management Considerations Section – please take a look at RFC5706 (Guidelines for Considering Operations and Management of New Protocols and Protocol Extensions). Some of the information suggested there is present in draft-ietf-sidr-bgpsec-ops, and (ironically) in the “Design and Deployment Considerations” section of draft-ietf-sidr-bgpsec-overview. However, important items such as migration or management are missing. I would like to see a well thought out Operations and Management Section in this document before moving it forward. Note that I’m not suggesting that a YANG model (for example) is required to move forward, but I would like to see considerations about migration, and the impact on network operations, to mention two items, all in one place in the document. I would like the authors/Chairs/Shepherd/WG to consider even merging in draft-ietf-sidr-bgpsec-ops as the base for this new section (or at least reference it prominently). [Sriram] Following the clarifications and additional guidance you provided in Seoul (when you, Chris, and I met), I have added a new Section 7 (Operations and Management Considerations). The topics you mention above are all covered in the new Section 7. Additional responses noted here below under your specific comments. Thanks! Alvaro. Major: M1. Registry Definitions M1.1. Section 2.1. (The BGPsec Capability) includes a Version field and some Reserved bits, but there are no IANA registries defined for how to manage these spaces. Please define the registries and the corresponding registration procedures. [Sriram] Done. Please see the updated IANA Considerations section. M1.2. Section 3.1. (Secure_Path) defines the Flags field and assigns the first bit (BTW, is that the MSB or the LSB, please clarify), but doesn't set up the registry or registration procedures. [Sriram] It is the MSB (left most bit) and that is now clarified in Section 3.1. Set up of the registry for the Flags field is now included in the updated IANA Considerations section. M2. Error Handling — Several sections don't have proper error handling procedures specified. (This is a management issue that I think is underspecified.) [Sriram] Now there is management and operations section (Section 7) added where error handling and other ops/mgmt. issues are discussed. M2.1. Section 2.2. (Negotiating BGPsec Support) doesn't fully specify the error handling behavior of the Capability, and it fails open. [Sriram] See my responses below for M2.1.1. The new management and operations section (Section 7) covers this case. M2.1.1. What should the action be if the Version is not 0? [Sriram]: From Section 2.2: “BGP update messages without the BGPsec_Path attribute MAY be sent within a session regardless of whether or not the use of BGPsec is successfully negotiated.” [Sriram] Based on the above, there is a possibility that BGPsec is not successfully negotiated but BGP is session is established – I think that is what you are calling fail open. If the intersection of BGPsec capability advertisements from both sides does not include Version 0, then BGPsec Version 0 has not been successfully negotiated. But a BGP session is still negotiated and BGP (unsigned) messages are exchanged. I have now included this wording in the new ops/mgmt. Section 7. M2.1.2. "…a BGP speaker MUST NOT advertise the capability of BGPsec support for a particular AFI unless it has also advertised the multiprotocol extension capability for the same AFI [RFC4760]." What should happen if it does advertise an AFI that is not covered by the multiprotocol extension capability? Or if the multi-protocol capability is
[sidr] Fw: New Version Notification for draft-ietf-sidr-bgpsec-protocol-19.txt
This new version of the BGPsec specification draft incorporates Alvaro's (Routing AD) comments. Another email follows that provides responses to the comments and clarifies how each of the comments were incorporated in the revision. Sriram From: internet-dra...@ietf.orgSent: Sunday, November 27, 2016 9:30 AM To: Matthew Lepinski; Sriram, Kotikalapudi (Fed) Subject: New Version Notification for draft-ietf-sidr-bgpsec-protocol-19.txt A new version of I-D, draft-ietf-sidr-bgpsec-protocol-19.txt has been successfully submitted by Kotikalapudi Sriram and posted to the IETF repository. Name: draft-ietf-sidr-bgpsec-protocol Revision: 19 Title: BGPsec Protocol Specification Document date: 2016-11-27 Group: sidr Pages: 40 URL: https://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-protocol-19.txt Status: https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/ Htmlized: https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-19 Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-protocol-19 Abstract: This document describes BGPsec, an extension to the Border Gateway Protocol (BGP) that provides security for the path of autonomous systems through which a BGP update message passes. BGPsec is implemented via an optional non-transitive BGP path attribute that carries a digital signature produced by each autonomous system that propagates the update message. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat ___ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
[sidr] I-D Action: draft-ietf-sidr-bgpsec-protocol-19.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing of the IETF. Title : BGPsec Protocol Specification Authors : Matthew Lepinski Kotikalapudi Sriram Filename: draft-ietf-sidr-bgpsec-protocol-19.txt Pages : 40 Date: 2016-11-27 Abstract: This document describes BGPsec, an extension to the Border Gateway Protocol (BGP) that provides security for the path of autonomous systems through which a BGP update message passes. BGPsec is implemented via an optional non-transitive BGP path attribute that carries a digital signature produced by each autonomous system that propagates the update message. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/ There's also a htmlized version available at: https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-19 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-protocol-19 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ ___ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr