Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
of course, we would need to reinvent the AS_SET to go along with it, but this time, enumerating each exact path. Definitely unwieldy.

-- Jakob Heitz.

On Mar 29, 2012, at 9:10 AM, Jeffrey Haas jh...@pfrc.org wrote:

> On Wed, Mar 28, 2012 at 05:57:32PM -0400, Jakob Heitz wrote:
>> This can be done. Like I said before: aggregate the signatures of the paths being aggregated. String all the signed paths together (after wrapping them with a header), add your SKI and destination AS (as normal) and sign over the lot. Question is: does anyone want to?
>
> At minimum, this would further decouple the signature from the actual path. And given multipath covers *many* routes, the result would likely be unwieldy.
>
> -- Jeff

___ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Sandy,

On Wed, Mar 28, 2012 at 05:00:43PM +, Murphy, Sandra wrote:
> Replacing ASs in the AS_PATH sounds like a behavior you would want the security protections to prohibit. It would enable attacks. Can you explain how you would distinguish legitimate uses of this feature?

The feature is typically used on private AS numbers. One could point out that any procedures dealing with them are probably out of scope of SIDR. :-)

-- Jeff
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Jeff and Jakob:

Several people shared the qualm that AS-SETs would be necessary. However, Sandy has always posited that aggregation creates a point of change/risk. So, are we just trying to reduce this risk by providing lists of certificates for paths? Or would an AS-SET originated at a point in the network have the security information to consider the existing certificates and generate a valid certificate?

Sue

-----Original Message-----
From: idr-boun...@ietf.org [mailto:idr-boun...@ietf.org] On Behalf Of Jeffrey Haas
Sent: Wednesday, March 28, 2012 5:17 PM
To: Jakob Heitz
Cc: i...@ietf.org List; Tony Li; Paul Jakma; Robert Raszuk; sidr wg list
Subject: Re: [Idr] [sidr] AS_SET depreciation (RFC6472) and BGP multipath

On Wed, Mar 28, 2012 at 10:56:52AM -0400, Jakob Heitz wrote:
> The issue is SIDR can not aggregate multiple paths. Solutions I can think of:
> 1. Aggregate the signatures of the paths being aggregated.

What are the semantics you're trying to preserve SIDR-wise? We're hitting the realm where Russ White would point out that BGP path validation can't prove how forwarding works.

Presume we managed to pass along two distinct paths for the same multi-path route in BGP. What do you do if one doesn't validate? What do you do if they do, but you think this is a form of a route leak for one path? As a receiver of the route that is making use of multipath, you can't selectively choose which sub-paths to take. (It's not like we're getting something like MPLS entropy labels.)

> 2. Don't aggregate, but send both paths.

That doesn't cover the actual forwarding semantics.

> Should SIDR work on path aggregation? Are there other possibilities?

The biggest problem here is SIDR secures BGP. The issue hasn't been clear in BGP for years, although I'm perhaps of the cynical opinion that it's been a well understood problem space for a while now. The protocol doesn't reflect what is done operationally.

The safe thing operationally when aggregating unsafe paths is to generate sets, but some people have never liked sets. And as I mentioned elsewhere, it doesn't matter as long as you take care in where you redistribute such unsafe multipath.

There was a reason I wasn't terribly supportive of the deprecating AS_SETs I-D. However, I also knew it was a losing battle. :-)

-- Jeff

___ Idr mailing list i...@ietf.org https://www.ietf.org/mailman/listinfo/idr
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
On Tue, 27 Mar 2012, Jakob Heitz wrote:
> Alternatively, send both routes and let the end user decide to use them in a multipath. Can you say ebgp add-path?

Where's the document to describe how to do multi-pathing using add-path? E.g. what should happen when there is a non-add-path capable neighbour?

regards,
-- Paul Jakma p...@jakma.org twitter: @pjakma PGP: 64A2FF6A
Fortune: The Second Law of Thermodynamics: If you think things are in a mess now, just wait! -- Jim Warner
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
I don't know. I'm just throwing ideas around. However, it appears that inter AS multipath has a lot of problems.

-- Jakob Heitz.

-----Original Message-----
From: Paul Jakma [mailto:p...@jakma.org]
Sent: Wednesday, March 28, 2012 6:10 AM
To: Jakob Heitz
Cc: rob...@raszuk.net; Tony Li; i...@ietf.org List; sidr wg list
Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

On Tue, 27 Mar 2012, Jakob Heitz wrote:
> Alternatively, send both routes and let the end user decide to use them in a multipath. Can you say ebgp add-path?

Where's the document to describe how to do multi-pathing using add-path? E.g. what should happen when there is a non-add-path capable neighbour?

regards,
-- Paul Jakma p...@jakma.org twitter: @pjakma PGP: 64A2FF6A
Fortune: The Second Law of Thermodynamics: If you think things are in a mess now, just wait! -- Jim Warner
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Jakob,

The issue is also about intra-AS IBGP multipath, not the inter-AS one. Observe that data usually flows in the opposite direction than routing ;)

Cheers,
R.

On 28 mar 2012, at 16:11, Jakob Heitz jakob.he...@ericsson.com wrote:
> I don't know. I'm just throwing ideas around. However, it appears that inter AS multipath has a lot of problems.
>
> -- Jakob Heitz.
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
The issue is SIDR can not aggregate multiple paths. Solutions I can think of:

1. Aggregate the signatures of the paths being aggregated.
2. Don't aggregate, but send both paths.

Should SIDR work on path aggregation? Are there other possibilities?

-- Jakob Heitz.

-----Original Message-----
From: Robert Raszuk [mailto:rob...@raszuk.net]
Sent: Wednesday, March 28, 2012 7:32 AM
To: Jakob Heitz
Cc: Paul Jakma; i...@ietf.org List; Tony Li; sidr wg list
Subject: Re: [Idr] [sidr] AS_SET depreciation (RFC6472) and BGP multipath

Jakob,

The issue is also about intra-AS IBGP multipath, not the inter-AS one. Observe that data usually flows in the opposite direction than routing ;)

Cheers,
R.
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
On Wed, 28 Mar 2012, Jakob Heitz wrote:
> The issue is SIDR can not aggregate multiple paths.
> Should SIDR work on path aggregation?

If we ever want to make routing state scale sub-linearly (i.e. make IDR compact) in the size of the internet, then we're almost certainly going to need some form of conglomeration of routing information in some shape or form. Still having support for aggregation in BGP could then be useful.

It'd be a shame if we ended up having to choose between scalable and secure routing.

(OTOH scalable routing is potentially so far off in the future, and might be so different, that it's hard to say what level of extra engineering or overhead, if any, would be justified for SIDR).

regards,
-- Paul Jakma p...@jakma.org twitter: @pjakma PGP: 64A2FF6A
Fortune: COBOL: Completely Over and Beyond reason Or Logic.
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
On Wed, Mar 28, 2012 at 12:01 PM, Paul Jakma p...@jakma.org wrote:
> On Wed, 28 Mar 2012, Jakob Heitz wrote:
>> The issue is SIDR can not aggregate multiple paths.
>> Should SIDR work on path aggregation?
>
> If we ever want to make routing state scale sub-linearly (i.e. make IDR compact) in the size of the internet, then we're almost certainly going to need some form of conglomeration of routing information in some shape or form. Still having support for aggregation in BGP could then be useful.

or we could have fixed the problem with locator/id separation... oh well.

> It'd be a shame if we ended up having to choose between scalable and secure routing.

it's hardly a choice of one or the other, framing the question in this manner is a 'suckers choice'. http://sourcesofinsight.com/refuse-the-suckers-choice-4/

It's certainly possible that at some point when aggregation between AS's becomes used properly and effectively... someone will figure out the security properties of this configuration.

> (OTOH scalable routing is potentially so far off in the future, and might be so different, that it's hard to say what level of extra engineering or overhead, if any, would be justified for SIDR).

it seems that to date, folk can't seem to figure out the aggregation bits, maybe that will change in the future.

-chris
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Chris,

> it seems that to date, folk can't seem to figure out the aggregation bits, maybe that will change in the future.

Let me point out that IBGP multipath is used very commonly today. When you do that you need to advertise something meaningful out to your neighbors. Yes, that is an open IDR topic no one seems to be actively working on. However, let's not block any work on it just because SIDR can not handle some solutions.

Are we going to freeze any AS_PATH modifications by operator's policy too? I mentioned replace-as, which all major vendors support. There can be more knobs like this coming in the future.

CDNI is just getting extended to BGP (new SAFI) and they have their own uses for AS_PATH, being sort of over the top of classic ASes.

Regards,
R.
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
On Wed, Mar 28, 2012 at 12:29 PM, Robert Raszuk rob...@raszuk.net wrote:
> Are we going to freeze any AS_PATH modifications by operator's policy too? I mentioned replace-as, which all major vendors support. There can be more knobs like this coming in the future.

replace-as, I think, is dealt with: sign again with pcount=0 and move along.

> CDNI is just getting extended to BGP (new SAFI) and they have their own uses for AS_PATH, being sort of over the top of classic ASes.

good for them?
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Wed, Mar 28, 2012 at 05:00:43PM +, Murphy, Sandra:
> Replacing ASs in the AS_PATH sounds like a behavior you would want the security protections to prohibit. It would enable attacks. Can you explain how you would distinguish legitimate uses of this feature?

I've not used this feature, but from cisco's documentation, it doesn't appear to function as raszuk described.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtbgpdas.html

if local-as is configured for a peer(-group), ie: if configured to peer as a different AS than your own, such as for merging two ASes or changing your ASN, then:

> The replace-as keyword is used to prepend only the local autonomous-system number (as configured with the ip-address argument) to the AS_PATH attribute. The autonomous-system number from the local BGP routing process is not prepended.

though I think that is unclear, I interpret it to mean that if my ASN is 1 and I peer as ASN 2 with ebgp peer 3, then a route received from AS 3 will have the path [2 3], but if configured with replace-as, it will be [3]. I do not believe that the feature allows the arbitrary replacement of AS path elements.

--Sandy

From: sidr-boun...@ietf.org [sidr-boun...@ietf.org] on behalf of Robert Raszuk [rob...@raszuk.net]
Sent: Wednesday, March 28, 2012 12:43 PM
To: Christopher Morrow
Cc: i...@ietf.org List; Paul Jakma; sidr wg list
Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

>> Are we going to freeze any AS_PATH modifications by operator's policy too? I mentioned replace-as, which all major vendors support. There can be more knobs like this coming in the future.
>
> replace-as, I think, is dealt with: sign again with pcount=0 and move along.

replace-as allows replacing any arbitrary match of a list of ASes in the AS_PATH with your own AS. It does not need to be the last one. I don't think SIDR has a solution to deal with such policy.

Best regards,
R.
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Arbitrary AS substitution allows loop creation, even if your own AS is required. All that is needed is multiple instances of replace-as in the loop.

Suppose A replaces B C D with A E F. Suppose B replaces G A with B C D.

A received B C D, sends A E F to G.
G sends G A E F to B.
B sends B C D E F to A.

We have a loop, which eventually results in path overflow with E F E F E F etc. at the end of it.

On Wed, Mar 28, 2012 at 4:07 PM, Robert Raszuk rob...@raszuk.net wrote:
>> the 'replace-as' seems like loop-creation, joy.
>
> Nope. No loops at least in one implementation ... the implementation mandates that you insert your own AS - that is not optional.
>
> Rgs,
> R.
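The loop walked through above, simulated as an added example (constructed here; not code from the thread, from any vendor, or from a BGP implementation). The ring A -> G -> B -> A and the two rewrite rules are taken from the message; the policy representation, the "own AS is mandatory in the replacement" rule, and the RFC 4271 own-AS loop check are my assumptions about how such a knob behaves. A plain-prepend ring is run alongside for comparison so the reader can see why the standard loop check never fires once replace-as is in play.

```python
"""Constructed simulation of the replace-as loop described in the thread.

Two ASes run a replace-as style policy: a matched contiguous run of ASes in
the received AS_PATH is swapped for their own AS plus a substitute sequence
(assumption: the implementation mandates that the own AS is inserted).
Standard BGP loop detection (RFC 4271: reject a route whose AS_PATH already
contains our own AS) never fires, so the path grows without bound.
"""
from typing import Dict, List, Optional, Tuple

Path = List[str]
# (run to match in the received path, replacement that already carries own AS)
Policy = Optional[Tuple[Path, Path]]


def replace_run(path: Path, match: Path, replacement: Path) -> Optional[Path]:
    """Replace the first contiguous occurrence of `match`; None if absent."""
    n = len(match)
    for i in range(len(path) - n + 1):
        if path[i:i + n] == match:
            return path[:i] + replacement + path[i + n:]
    return None


def announce(my_as: str, received: Path, policy: Policy) -> Optional[Path]:
    """AS_PATH that `my_as` announces onward; None if loop detection rejects."""
    if my_as in received:
        return None  # RFC 4271 loop detection: our own AS is already in the path
    if policy is not None:
        rewritten = replace_run(received, *policy)
        if rewritten is not None:
            return rewritten  # replacement already carries my_as (assumed rule)
    return [my_as] + received  # ordinary behaviour: prepend own AS


# Ring from the message: A announces to G, G to B, B back to A.
RING = ["A", "G", "B"]

# "A replaces B C D with A E F", "B replaces G A with B C D"; G is plain.
REPLACE_AS: Dict[str, Policy] = {
    "A": (["B", "C", "D"], ["A", "E", "F"]),
    "B": (["G", "A"], ["B", "C", "D"]),
    "G": None,
}
PLAIN: Dict[str, Policy] = {"A": None, "B": None, "G": None}


def propagate(initial: Path, hops: int,
              policies: Dict[str, Policy]) -> List[Tuple[str, Optional[Path]]]:
    """Carry the route around the ring for up to `hops` hops.

    Returns (AS, announced path) per hop; stops at the first rejection,
    recording it as (AS, None).
    """
    trace: List[Tuple[str, Optional[Path]]] = []
    path = initial
    for hop in range(hops):
        me = RING[hop % len(RING)]
        out = announce(me, path, policies[me])
        trace.append((me, out))
        if out is None:
            break
        path = out
    return trace


def path_lengths(trace: List[Tuple[str, Optional[Path]]]) -> List[int]:
    """AS_PATH length at each accepted hop; unbounded growth means a loop."""
    return [len(p) for _, p in trace if p is not None]


if __name__ == "__main__":
    # A initially receives "B C D", exactly as in the message.
    for me, p in propagate(["B", "C", "D"], 9, REPLACE_AS):
        print(me, "announces", " ".join(p))
    print("plain prepend:", propagate(["B", "C", "D"], 9, PLAIN))
```

With plain prepending the third hop (B) sees its own AS and drops the route; with the two replace-as rules the path gains "E F" every trip around the ring and no hop ever sees itself.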
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Brian,

The customer's workaround was to erase the entire AS_PATH via redistribution. I am not saying that use of this knob is safe. I am saying that it exists in shipping implementations and simply asking what SIDR behaviour should be when such policy is present. That's all.

Best,
R.

> Arbitrary AS substitution allows loop creation, even if your own AS is required. All that is needed is multiple instances of replace-as in the loop.
>
> Suppose A replaces B C D with A E F. Suppose B replaces G A with B C D.
>
> A received B C D, sends A E F to G.
> G sends G A E F to B.
> B sends B C D E F to A.
>
> We have a loop, which eventually results in path overflow with E F E F E F etc. at the end of it.
>
> On Wed, Mar 28, 2012 at 4:07 PM, Robert Raszuk rob...@raszuk.net wrote:
>>> the 'replace-as' seems like loop-creation, joy.
>>
>> Nope. No loops at least in one implementation ... the implementation mandates that you insert your own AS - that is not optional.
>>
>> Rgs,
>> R.
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Chris,

On Wed, Mar 28, 2012 at 12:45:22PM -0400, Christopher Morrow wrote:
> ah yes, was thinking of local-as. the 'replace-as' seems like loop-creation, joy.

It can. The use of replace-as is typically in situations where you need to replace private AS numbers with a public number. This is typically done when you have deployments that have a mix of private and public ASes behind a common transit carrier and remove-private isn't sufficient.

The required behavior in order to avoid problems here is to make sure that the set of ASes involved are behind that common carrier and either are not multi-homed to the wider Internet (unlikely since they have private ASes) or are applying appropriate AS filtering to manually suppress loops.

-- Jeff
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Paul,

On Wed, Mar 28, 2012 at 02:10:04PM +0100, Paul Jakma wrote:
> Where's the document to describe how to do multi-pathing using add-path? E.g. what should happen when there is a non-add-path capable neighbour?

In add-path, this is no different than receiving routes from directly attached peers. You should either do Internet-safe multipath or do the less safe multipath knowing that you're in a position to cause problems. Add-path doesn't really change the basic problem of multipath.

-- Jeff
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
On Wed, Mar 28, 2012 at 10:56:52AM -0400, Jakob Heitz wrote:
> The issue is SIDR can not aggregate multiple paths. Solutions I can think of:
> 1. Aggregate the signatures of the paths being aggregated.

What are the semantics you're trying to preserve SIDR-wise? We're hitting the realm where Russ White would point out that BGP path validation can't prove how forwarding works.

Presume we managed to pass along two distinct paths for the same multi-path route in BGP. What do you do if one doesn't validate? What do you do if they do, but you think this is a form of a route leak for one path? As a receiver of the route that is making use of multipath, you can't selectively choose which sub-paths to take. (It's not like we're getting something like MPLS entropy labels.)

> 2. Don't aggregate, but send both paths.

That doesn't cover the actual forwarding semantics.

> Should SIDR work on path aggregation? Are there other possibilities?

The biggest problem here is SIDR secures BGP. The issue hasn't been clear in BGP for years, although I'm perhaps of the cynical opinion that it's been a well understood problem space for a while now. The protocol doesn't reflect what is done operationally.

The safe thing operationally when aggregating unsafe paths is to generate sets, but some people have never liked sets. And as I mentioned elsewhere, it doesn't matter as long as you take care in where you redistribute such unsafe multipath.

There was a reason I wasn't terribly supportive of the deprecating AS_SETs I-D. However, I also knew it was a losing battle. :-)

-- Jeff
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
On Wed, Mar 28, 2012 at 12:45:22PM -0400, Christopher Morrow wrote:
> ah yes, was thinking of local-as. the 'replace-as' seems like loop-creation, joy.

For the list, as I mentioned in SIDR, the use of local-AS where the router has more than one local AS will generate AS_SETs in some implementations. In particular, implementations with gated lineages may do this.

This is because in pretending to be another AS it's still necessary to throw the global and local ASes in the path to prevent loops in cases where the local AS on one router may not be configured consistently (global) AS-wide. In those implementations, a single AS is simply added prior to the global AS in the path as a sequence, or all local ASes as a set. In another implementation, the local ASes are added as a sequence.

Adding the additional AS to the path would still require an additional signature step in BGPSEC. Clearly this doesn't work for AS-sets.

-- Jeff
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
including sidr

-- Jakob Heitz.

On Mar 28, 2012, at 11:57 PM, Jakob Heitz jakob.he...@ericsson.com wrote:

> This can be done. Like I said before: aggregate the signatures of the paths being aggregated. String all the signed paths together (after wrapping them with a header), add your SKI and destination AS (as normal) and sign over the lot. Question is: does anyone want to?
>
> -- Jakob Heitz.
>
> On Mar 28, 2012, at 11:17 PM, Tony Li tony...@tony.li wrote:
>
>> On Mar 28, 2012, at 2:09 PM, Robert Raszuk wrote:
>>
>>>> * Continue to call as_aggregate and still generate AS_SET effectively depreciating RFC6472 (quagga approach)
>>>>
>>>> Generating sets is the safest thing to do.
>>>
>>> Glad you said this. I do agree.
>>
>> Understood, but how do you ever secure this? Set SIDR aside for a second, what would ANY path verification mechanism have to do to secure the full path? It would seem that the ONLY thing one could reasonably do is to describe the full topology, and that would seem to require the ability to describe an arbitrary tree, not just a set of vectors of paths.
>>
>> Tony
Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
SIDR wise, to aggregate routes, you would have to aggregate signatures. That means to put both signatures into the aggregate and sign across the pair of them at each subsequent hop. yuck.

Alternatively, send both routes and let the end user decide to use them in a multipath. Can you say ebgp add-path?

-- Jakob Heitz.

-----Original Message-----
From: idr-boun...@ietf.org [mailto:idr-boun...@ietf.org] On Behalf Of Robert Raszuk
Sent: Tuesday, March 27, 2012 1:57 PM
To: Tony Li
Cc: i...@ietf.org List
Subject: Re: [Idr] AS_SET depreciation (RFC6472) and BGP multipath

Hi Tony,

>> * Propose an alternative encoding to address this case specifically for multipath use cases, but till this is deployed continue use AS_SET
>
> Another option might be to simply concatenate AS_PATHs. Yes, this would lose policy information and mis-represent AS topology to management stations and the like, but it would not create any risk of looping and would not require us to reinstitute AS_SET.

Very true. However, I am not sure how that would be effectively that much different SIDR wise from the issue with AS_SET ;)

Said this, are there any other issues with AS_SET than SIDR?

R.