[sidr] webex for today's meeting (INPROGRESS NOW)

2012-03-28 Thread Christopher Morrow
details for the webex: Topic: IETF83 SIDR wg meeting Date and Time: Wednesday, March 28, 2012 9:00 am,Europe Summer Time (Paris, GMT+02:00) Event number: 646 631 463 Event password: wgmeeting Event address for attendees: https://ietf.webex.com/ietf/onstage/g.php?d=646631463&t=a -c

[sidr] Proposed -03 signature block format, reserved field

2012-03-28 Thread Jeffrey Haas
Per mic comment: The slides propose a 8 octet "reserved field". Instead, consider making it a container for TLVs. Length field of 2 octets. Consider immediately specifying TLVs in it: 1 (or 2?) octet code point, 2 octet lengths. Immediately request a registry for this reserved section with first

Re: [sidr] Interim Meeting Dates/Locations (Proposed)

2012-03-28 Thread Christopher Morrow
On Tue, Mar 27, 2012 at 6:20 PM, Matt Lepinski wrote: > Terry, > > > On 3/27/2012 4:22 PM, Terry Manderson wrote: >> >> I feel like the Monday meeting was a bit of a lost opportunity. I >> appreciate see previous gzip compression message :( I think we tried to stuff 8hrs of content into ~2hrs. I

Re: [sidr] Interim Meeting Dates/Locations (Proposed)

2012-03-28 Thread Terry Manderson
On 28/03/12 6:05 PM, "Christopher Morrow" wrote: > > sure. probably also writing down the 'what are we trying to solve' > with this distribution system would be good to document (terry's call > for requirements). > Happy to start documenting such if people want to throw their _requirements_ a

Re: [sidr] Interim Meeting Dates/Locations (Proposed)

2012-03-28 Thread Arturo Servin
We operate a repository and we are using the others repositories for our origin-validation tool. So, I would be happy to help documenting our experience and some ideas to improve. Regards, as On 28 Mar 2012, at 10:09, Terry Manderson wrote: > > On 28/03/12 6:05 PM, "Christopher Morro

Re: [sidr] Interim Meeting Dates/Locations (Proposed)

2012-03-28 Thread Christopher Morrow
On Tue, Mar 27, 2012 at 5:08 AM, Christopher Morrow wrote: > On Tue, Mar 27, 2012 at 4:45 AM, Tim Bruijnzeels wrote: > >> As I stated before I prefer to have the extra time during, or next to, an >> IETF -- I already planned to attend those. So the extra meeting in Vancouver >> works for me. I

[sidr] Injecting idea of "freshness of repository data" into BGP

2012-03-28 Thread Jeffrey Haas
Per my mic comment at IETF 83: During the San Diego interim session we had discussed potentially signaling in BGP the idea that a given AS may have fresher data available in its repository. My original thought had been something along the lines of a new AFI/SAFI that contains this data. Matt L.,

Re: [sidr] Injecting idea of "freshness of repository data" into BGP

2012-03-28 Thread Terry Manderson
Jeff, On 28/03/12 6:19 PM, "Jeffrey Haas" wrote: > Per my mic comment at IETF 83: > During the San Diego interim session we had discussed potentially signaling > in BGP the idea that a given AS may have fresher data available in its > repository. > > My original thought had been something along

[sidr] Freshness belt and suspenders ....

2012-03-28 Thread DougM lists
I thought John Scudder's belt and suspenders comment was a good one. We have looked at some level of detail at both explicit expire times in updates and key roll techniques to manage freshness of BGP updates. Neither approach is a silver bullet and both have the potential to swamp the syste

Re: [sidr] Injecting idea of "freshness of repository data" into BGP

2012-03-28 Thread Jeffrey Haas
On Wed, Mar 28, 2012 at 01:30:03AM -0700, Terry Manderson wrote: > I think this is interesting. I think I would further like an > assessment/discussion of this "serial number" being consistent between the > BGP information, the RPKI repository, and this through the validated cache > and presented to

Re: [sidr] wg adoption call for draft-ymbk-bgpsec-rtr-rekeying-00.txt

2012-03-28 Thread Samuel Weiler
Have read and support adoption. I like the general idea. I don't have comments on the particular wrappings chosen. Minor comments: It might be better to not specify the cryptosuite(s) in use -- aren't those documented in draft-ietf-sidr-bgpsec-algs? (ECDSA is named in sections 1 and 4.)

Re: [sidr] Interim Meeting Dates/Locations (Proposed)

2012-03-28 Thread Tim Bruijnzeels
fyi.. The validator implementers have also discussed some of the common problems that we see now, and other ways to distribute the rpki data over the past days. We have some more thoughts on this, but I am not sure that we agree yet. I would like to talk between us a tiny bit more to avoid mist

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-algs-01.txt

2012-03-28 Thread Christopher Morrow
Sean, This document seems settled, should we WGLC this in the near future? -chris On Mon, Dec 5, 2011 at 1:21 PM, wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. This draft is a work item of the Secure Inter-Domain Routing > Working Group of the I

[sidr] draft-ietf-sidr-bgpsec-ops - Ready for WGLC?

2012-03-28 Thread Christopher Morrow
Randy, Is this document prepared/ready/willing for WGLC in the near future? I believe there were some outstanding document comments still to be handled by your edit-buffer? -Chris ___ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo

[sidr] activity!! ACHTUNG!

2012-03-28 Thread Christopher Morrow
howdy WG folk: yes, some emails are coming out (now), perhaps I'll double-count/mis-count on a document, please speak up if you think that is the case :) The purpose here is to get status updated on docs and move things along if they are in the right place for said movement. thanks! -chris _

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-overview-01.txt

2012-03-28 Thread Christopher Morrow
Matt/Sean, This document hasn't changed in a while, Wes (copied) had some comments which I believe were addressed in the October/2011 update? Is this document ready to move forward? Wes, did you review the changes sent? -Chris On Mon, Oct 31, 2011 at 2:02 PM, wrote: > A New Internet-Draft is a

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-01.txt

2012-03-28 Thread Christopher Morrow
Sean/Tom, Tom had some comments on the previous (I believe) version of this draft, are they addressed to your satisfaction Tom? Sean, if Tom's ok with the changes, should we move this along? -Chris On Mon, Dec 5, 2011 at 1:20 PM, wrote: > > A New Internet-Draft is available from the on-line I

Re: [sidr] I-D Action: draft-ietf-sidr-ltamgmt-04.txt

2012-03-28 Thread Christopher Morrow
Hello authors, What is your intent with this document? moving along the process? delaying on other references? holiday-for-document in sweden? Inquiring minds would like to be informed! :) Thanks! -Chris On Sun, Dec 4, 2011 at 3:32 PM, wrote: > > A New Internet-Draft is available from the on-

Re: [sidr] WGLC: draft-ietf-sidr-origin-ops

2012-03-28 Thread Christopher Morrow
Reviving a zombie thread... So, Where does this set of comments end us? Are the updates put in between 11/11 and 03/12 taking care of the discussion? or are there still things to wrangle? I think, given the length and breadth of discussion here we'd all do to re-read and re-WGLC this doc once thin

Re: [sidr] I-D Action: draft-ietf-sidr-publication-02.txt

2012-03-28 Thread Christopher Morrow
Draft Author Ship Steerers, This we didn't chat about at the meeting(s), but are there outstanding bits/pieces or should this be sent along for WGLC in the near future? -Chris On Mon, Mar 12, 2012 at 4:53 PM, wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > dire

Re: [sidr] I-D Action: draft-ietf-sidr-ltamgmt-04.txt

2012-03-28 Thread Stephen Kent
At 8:47 AM -0400 3/28/12, Christopher Morrow wrote: Hello authors, What is your intent with this document? moving along the process? delaying on other references? holiday-for-document in sweden? Inquiring minds would like to be informed! :) Thanks! -Chris I think another rev is needed before

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Paul Jakma
On Tue, 27 Mar 2012, Jakob Heitz wrote: Alternatively, send both routes and let the end user decide to use them in a multipath. Can you say ebgp add-path? Where's the document to describe how to do multi-pathing using add-path? E.g. what should happen when there is a non-add-path capable neig

Re: [sidr] draft-ietf-sidr-bgpsec-ops - Ready for WGLC?

2012-03-28 Thread Randy Bush
> Is this document prepared/ready/willing for WGLC in the near future? imiho, no > I believe there were some outstanding document comments still to be > handled by your edit-buffer? it is matt's edit buffer which gives me pause randy

Re: [sidr] draft-ietf-sidr-bgpsec-ops - Ready for WGLC?

2012-03-28 Thread Christopher Morrow
On Wed, Mar 28, 2012 at 9:29 AM, Randy Bush wrote: >> Is this document prepared/ready/willing for WGLC in the near future? > > imiho, no > >> I believe there were some outstanding document comments still to be >> handled by your edit-buffer? > > it is matt's edit buffer which gives me pause terri

Re: [sidr] draft-ietf-sidr-bgpsec-ops - Ready for WGLC?

2012-03-28 Thread George, Wes
> -Original Message- > From: sidr-boun...@ietf.org [mailto:sidr-boun...@ietf.org] On Behalf Of > Christopher Morrow > Sent: Wednesday, March 28, 2012 8:25 AM > To: Randy Bush; sidr@ietf.org; sidr-cha...@ietf.org > Subject: [sidr] draft-ietf-sidr-bgpsec-ops - Ready for WGLC? > > Is this docu

[sidr] remote participation experience today

2012-03-28 Thread Murphy, Sandra
The webex session on Monday failed completely, due to laptop wireless incapability to maintain a connection (20-50-80-100% packet loss). The webex session on Wednesday (this morning) seemed to work (alternate networking arranged). But being the presentation laptop for webex, I was unable to see

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-algs-01.txt

2012-03-28 Thread Sean Turner
Chris, I think this draft should probably go in a cluster. There are normative references to draft-sidr-bgpsec-pki-profiles and draft-ietf-sidr-bgpsec-protocol. However, you could WGLC this draft because unless you're planning on changing the alg (ECDSA) there's really no dependencies on th

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-overview-01.txt

2012-03-28 Thread George, Wes
I'll re-review, but I think that this is similar to origin-ops, where until the protocol design is stable, it's not really ready. We have a similar group of docs that block each other as we did with the big chunk for origin validation. Thanks, Wes > -Original Message- > From: christoph

Re: [sidr] Interim Meeting Dates/Locations (Proposed)

2012-03-28 Thread George, Wes
> 2) would having these coincident with existing events and ~1/month > be acceptable to the majority > > we (everyone involved) do know that not everyone can make every > meeting... aiming for best participation level is the goal. > > -chris > [WEG] Avoiding some number of messages saying "can't

[sidr] draft-ietf-sidr-bgpsec-threats-02: Path shortening & lengthening

2012-03-28 Thread Shane Amante
To expand on my comments at the mic earlier today on this draft, I think there is universal acknowledgment that there should be statements that attacks involving path shortening should be acknowledged as a "threat" in this document. OTOH, with respect to path-lengthening, my comment was NOT aime

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-overview-01.txt

2012-03-28 Thread Matt Lepinski
Wes, Please do not re-review until the -02 version. This document needs to be updated based on some changes to other docs in the BGPSEC document suite. - Matt Lepinski On 3/28/2012 8:29 AM, Christopher Morrow wrote: Matt/Sean, This document hasn't changed in a while, Wes (copied) had some co

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Jakob Heitz
I don't know. I'm just throwing ideas around. However, it appears that inter AS multipath has a lot of problems. -- Jakob Heitz. -Original Message- From: Paul Jakma [mailto:p...@jakma.org] Sent: Wednesday, March 28, 2012 6:10 AM To: Jakob Heitz Cc: rob...@raszuk.net; Tony Li; i...@ietf.o

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Robert Raszuk
Jakob, The issue is also about intra-as ibgp multipath not inter-as one. Observe that data usually flows into opposite direction than routing ;) Cheers, R. On 28 mar 2012, at 16:11, Jakob Heitz wrote: > I don't know. I'm just throwing ideas around. > However, it appears that inter AS multip

Re: [sidr] remote participation experience today

2012-03-28 Thread Sonalker, Anuja
Hi Sandy, All I attended the Webex session this morning (Wednesday) and attempted the one on Monday. Here is my experience: - Webex session was quick to launch and start today unlike Monday. - I used the IETF audio stream along with the Webex visual just to get an idea of real-time lag. (And

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-01.txt

2012-03-28 Thread Sean Turner
I think this draft should probably get out of the WG in a cluster. There are normative references to draft-sidr-bgpsec-algs. However, you could WGLC this draft because unless you're planning on the name format or the alg in draft-ietf-sidr-bgpsec-algs there's nothing really to argue about. It

[sidr] I-D Action: draft-ietf-sidr-bgpsec-algs-02.txt

2012-03-28 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF. Title : BGP Algorithms, Key Formats, & Signature Formats Author(s) : Sean Turner Filena

Re: [sidr] sidr drafts link broken

2012-03-28 Thread Christopher Morrow
On Sat, Mar 24, 2012 at 4:34 PM, Jakob Heitz wrote: > https://datatracker.ietf.org/meeting/83/agenda/sidr-drafts.pdf > link on agenda page is broken maybe someone reported this to the HD already, but ... working now! :) (or worked for me at least) -chris _

[sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-02.txt

2012-03-28 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF. Title : A Profile for BGPSEC Router Certificates, Certificate Revocation Lists, and Certification Requests

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Jakob Heitz
The issue is SIDR can not aggregate multiple paths. Solutions I can think of: 1. Aggregate the signatures of the paths being aggregated. 2. Don't aggregate, but send both paths. Should SIDR work on path aggregation? Are there other possibilities? -- Jakob Heitz. -Original Message- From

Re: [sidr] remote participation experience today

2012-03-28 Thread Sonalker, Anuja
Hi Sandy, All I attended the Webex session this morning (Wednesday) and attempted the one on Monday. Here is my experience: - Webex session was quick to launch and start today unlike Monday. - I used the IETF audio stream along with the Webex visual just to get an idea of real-time lag. (And

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Paul Jakma
On Wed, 28 Mar 2012, Jakob Heitz wrote: The issue is SIDR can not aggregate multiple paths. Should SIDR work on path aggregation? If we ever want to make routing state scale sub-linearly (i.e. make IDR "compact") in the size of the internet, then we're almost certainly going to need some

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Christopher Morrow
On Wed, Mar 28, 2012 at 12:01 PM, Paul Jakma wrote: > On Wed, 28 Mar 2012, Jakob Heitz wrote: > >> The issue is SIDR can not aggregate multiple paths. > > >> Should SIDR work on path aggregation? > > > If we ever want to make routing state scale sub-linearly (i.e. make IDR > "compact") in the size

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Robert Raszuk
Chris, it seems that to date, folk can't seem to figure out the aggregation bits, maybe that will change in the future. Let me point out that IBGP multipath is used very commonly today. When you do that you need to advertise something meaningful out to your neighbors. Yes that is open IDR to

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Christopher Morrow
On Wed, Mar 28, 2012 at 12:29 PM, Robert Raszuk wrote: > Are we going to freeze any AS_PATH modifications by operator's policy too ? > I mentioned replace-as which all major vendors support. There can be more > knobs like this coming in the future. replace as i think is dealt with sign agai

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Robert Raszuk
Are we going to freeze any AS_PATH modifications by operator's policy too ? I mentioned replace-as which all major vendors support. There can be more knobs like this coming in the future. replace as i think is dealt with sign again and pcount=0 and move along. replace-as allows to repla

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Christopher Morrow
On Wed, Mar 28, 2012 at 12:43 PM, Robert Raszuk wrote: > >>> Are we going to freeze any AS_PATH modifications by operator's policy too >>> ? >>> I mentioned replace-as which all major vendors support. There can be more >>> knobs like this coming in the future. >> >> >> replace as i think is dealt

Re: [sidr] draft-ietf-sidr-bgpsec-ops - Ready for WGLC?

2012-03-28 Thread Shane Amante
On Mar 28, 2012, at 3:34 PM, George, Wes wrote: >> -Original Message- >> From: sidr-boun...@ietf.org [mailto:sidr-boun...@ietf.org] On Behalf Of >> Christopher Morrow >> Sent: Wednesday, March 28, 2012 8:25 AM >> To: Randy Bush; sidr@ietf.org; sidr-cha...@ietf.org >> Subject: [sidr] draft

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Murphy, Sandra
Replacing ASs in the AS_PATH sounds like a behavior you would want the security protections to prohibit. It would enable attacks. Can you explain how you would distinguish legitimate uses of this feature? --Sandy From: sidr-boun...@ietf.org [sidr-boun..

Re: [sidr] draft-ietf-sidr-pfx-validate-04.txt

2012-03-28 Thread Pradosh Mohapatra
Hi Jay, at this afternoon's sidr session, i presented two open issues with draft-ietf-sidr-pfx-validate-04.txt 1 - Should updates learned via iBGP be marked? 2 - Should updates injected into BGP on this router be marked? i think yes because: o i want support of incremental deployment o i do n

Re: [sidr] draft-ietf-sidr-pfx-validate-04.txt

2012-03-28 Thread Randy Bush
> I couldn't go to IETF either. The argument is over what the default > behavior should be (spec'ed). My vote is that origin validation should > NOT be performed on IBGP learnt prefixes by default as there is > potential for loops and inconsistency. For everything else, there are > knobs. you m

Re: [sidr] draft-ietf-sidr-pfx-validate-04.txt

2012-03-28 Thread Pradosh Mohapatra
I couldn't go to IETF either. The argument is over what the default behavior should be (spec'ed). My vote is that origin validation should NOT be performed on IBGP learnt prefixes by default as there is potential for loops and inconsistency. For everything else, there are knobs. you mean like

Re: [sidr] draft-ietf-sidr-pfx-validate-04.txt

2012-03-28 Thread Randy Bush
> No - knob to turn on IBGP validation. how many knobs will i have to turn to get policy control of my router? randy

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread heasley
Wed, Mar 28, 2012 at 05:00:43PM +, Murphy, Sandra: > Replacing ASs in the AS_PATH sounds like a behavior you would want the > security protections to prohibit. It would enable attacks. > > Can you explain how you would distinguish legitimate uses of this feature? I've not used this feature,

[sidr] status of draft-ietf-sidr-cps-irs and draft-ietf-sidr-cps-isp

2012-03-28 Thread Murphy, Sandra
These two drafts have been expired for a good while now. Do the authors intend to pick them up now that the CP document is published? The wg should take a look at these and see if there is still interest in pursuing them. --Sandy, speaking as wg co-chair

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Robert Raszuk
the 'replace-as' seems like loop-creation, joy. Nope. No loops at least in one implementation ... the implementation mandates that you insert your own AS - that is not optional. Rgs, R.

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Robert Raszuk
> it doesnt appear to function as raszuk described. Let me point out that heasley is looking at completely different knob which has nothing to do with replace as path policy extension. The correct pointer is: http://goo.gl/xVToJ Rgs, R. Wed, Mar 28, 2012 at 05:00:43PM +, Murphy, Sandra

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Brian Dickson
Arbitrary AS substitution allows loop creation, even if your own AS is required. All that is needed, is multiple instances of replace-as in the loop. Suppose A replaces B C D with A E F. Suppose B replaces G A with B C D. A received B C D, sends A E F to G. G sends G A E F to B. B sends B C D

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Robert Raszuk
Brian, The customer's workaround was to erase entire AS_PATH via redistribution. I am not saying that use of this knob is safe. I am saying that it exists in shipping implementations and simply asking what SIDR behaviour should be when such policy is present. That's all. Best, R. Arbitra

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Jeffrey Haas
Chris, On Wed, Mar 28, 2012 at 12:45:22PM -0400, Christopher Morrow wrote: > ah yes, was thinking of local-as. the 'replace-as' seems like > loop-creation, joy. It can. The use of replace-as is typically in situations where you need to replace private AS numbers with a public number. This is typ

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Jeffrey Haas
Paul, On Wed, Mar 28, 2012 at 02:10:04PM +0100, Paul Jakma wrote: > Where's the document to describe how to do multi-pathing using > add-path? E.g. what should happen when there is a non-add-path > capable neighbour? In add-path, this is no different than receiving routes from directly attached p

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Jeffrey Haas
On Wed, Mar 28, 2012 at 10:56:52AM -0400, Jakob Heitz wrote: > The issue is SIDR can not aggregate multiple paths. > > Solutions I can think of: > 1. Aggregate the signatures of the paths being aggregated. What are the semantics you're trying to preserve SIDR-wise? We're hitting the realm where

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Jeffrey Haas
On Wed, Mar 28, 2012 at 12:45:22PM -0400, Christopher Morrow wrote: > ah yes, was thinking of local-as. the 'replace-as' seems like > loop-creation, joy. For the list, as I mentioned in SIDR, the use of local-AS where the router has more than one local AS will generate AS_SETs in some implementati

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Jakob Heitz
including sidr -- Jakob Heitz. On Mar 28, 2012, at 11:57 PM, "Jakob Heitz" wrote: > This can be done. > Like I said before: aggregate the signatures of the paths being aggregated. > String all the signed paths together (after wrapping them with a header), add > your SKI and destination AS (a

Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

2012-03-28 Thread Christopher Morrow
On Wed, Mar 28, 2012 at 4:30 PM, Robert Raszuk wrote: > I am saying that it exists in shipping implementations and simply asking > what SIDR behaviour should be when such policy is present. I guess what I wasn't saying was that not every oddball weirdness permitted TODAY in BGP is able to be secu

Re: [sidr] Slides for "RPKI Over BitTorrent" presentation

2012-03-28 Thread Danny McPherson
i don't think the rsync scale issues surprise anyone that was paying attention. If we're already considering new architectures, substrates, et al., here perhaps we shouldn't be so quick on the trigger for Standards Track work and move this and related "investigation" to the IRTF, or at least e

Re: [sidr] Injecting idea of "freshness of repository data" into BGP

2012-03-28 Thread Danny McPherson
On Mar 28, 2012, at 4:19 AM, Jeffrey Haas wrote: > Per my mic comment at IETF 83: > During the San Diego interim session we had discussed potentially signaling > in BGP the idea that a given AS may have fresher data available in its > repository. Shouldn't this problem be solved in the resourc

Re: [sidr] Injecting idea of "freshness of repository data" into BGP

2012-03-28 Thread Murphy, Sandra
Speaking as regular ol' member. Too bad you couldn't make the meeting, Danny. This is in bgpsec path validation and the signalling would go no further than the bgpsec path validation would go. A method of "signalling" that was mentioned was the validity periods on the router keys so all RPKI i