Jeff and Jakob:
Several people shared the qualm that "AS-SETS" would be necessary.
However, Sandy has always posited that aggregation creates a point of
change/risk. So, are we just trying to reduce this risk by providing lists
of certificates for paths?
Or is would an AS-Sets originated at a
Sandy,
On Wed, Mar 28, 2012 at 05:00:43PM +, Murphy, Sandra wrote:
> Replacing ASs in the AS_PATH sounds like a behavior you would want the
> security protections to prohibit. It would enable attacks.
>
> Can you explain how you would distinguish legitimate uses of this feature?
The featur
of course, we would need to reinvent the AS_SET to go along with it, but this
time, enumerating each exact path.
Definitely unwieldy.
--
Jakob Heitz.
On Mar 29, 2012, at 9:10 AM, "Jeffrey Haas" wrote:
> On Wed, Mar 28, 2012 at 05:57:32PM -0400, Jakob Heitz wrote:
>> This can be done.
>> Like
On Wed, Mar 28, 2012 at 4:30 PM, Robert Raszuk wrote:
> I am saying that it exists in shipping implementations and simply asking
> what SIDR behaviour should be when such policy is present.
I guess what I wasn't saying was that not every oddball weirdness
permitted TODAY in BGP is able to be secu
including sidr
--
Jakob Heitz.
On Mar 28, 2012, at 11:57 PM, "Jakob Heitz" wrote:
> This can be done.
> Like I said before: aggregate the signatures of the paths being aggregated.
> String all the signed paths together (after wrapping them with a header), add
> your SKI and destination AS (a
On Wed, Mar 28, 2012 at 12:45:22PM -0400, Christopher Morrow wrote:
> ah yes, was thinking of local-as. the 'replace-as' seems like
> loop-creation, joy.
For the list, as I mentioned in SIDR, the use of local-AS where the router
has more than one local AS will generate AS_SETs in some implementati
On Wed, Mar 28, 2012 at 10:56:52AM -0400, Jakob Heitz wrote:
> The issue is SIDR can not aggregate multiple paths.
>
> Solutions I can think of:
> 1. Aggregate the signatures of the paths being aggregated.
What are the semantics you're trying to preserve SIDR-wise? We're hitting
the realm where
Paul,
On Wed, Mar 28, 2012 at 02:10:04PM +0100, Paul Jakma wrote:
> Where's the document to describe how to do multi-pathing using
> add-path? E.g. what should happen when there is a non-add-path
> capable neighbour?
In add-path, this is no different than receiving routes from directly
attached p
Chris,
On Wed, Mar 28, 2012 at 12:45:22PM -0400, Christopher Morrow wrote:
> ah yes, was thinking of local-as. the 'replace-as' seems like
> loop-creation, joy.
It can. The use of replace-as is typically in situations where you need to
replace private AS numbers with a public number. This is typ
Brian,
The customer's workaround was to erase entire AS_PATH via
redistribution. I am not saying that use of this knob is safe.
I am saying that it exists in shipping implementations and simply asking
what SIDR behaviour should be when such policy is present.
That's all.
Best,
R.
Arbitra
Arbitrary AS substitution allows loop creation, even if your own AS is
required.
All that is needed is multiple instances of replace-as in the loop.
Suppose A replaces B C D with A E F.
Suppose B replaces G A with B C D.
A received B C D, sends A E F to G.
G sends G A E F to B.
B sends B C D
: sidr-boun...@ietf.org [sidr-boun...@ietf.org] on behalf of Robert Raszuk
[rob...@raszuk.net]
Sent: Wednesday, March 28, 2012 12:43 PM
To: Christopher Morrow
Cc: i...@ietf.org List; Paul Jakma; sidr wg list
Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
Are we goin
the 'replace-as' seems like
loop-creation, joy.
Nope. No loops at least in one implementation ... the implementation
mandates that you insert your own AS - that is not optional.
Rgs,
R.
___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mail
Jakma; sidr wg list
> Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
>
> >> Are we going to freeze any AS_PATH modifications by operator's policy too ?
> >> I mentioned replace-as which all major vendors support. There can be more
> >>
...@ietf.org] on behalf of Robert Raszuk
[rob...@raszuk.net]
Sent: Wednesday, March 28, 2012 12:43 PM
To: Christopher Morrow
Cc: i...@ietf.org List; Paul Jakma; sidr wg list
Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
>> Are we going to freeze any A
On Wed, Mar 28, 2012 at 12:43 PM, Robert Raszuk wrote:
>
>>> Are we going to freeze any AS_PATH modifications by operator's policy too
>>> ?
>>> I mentioned replace-as which all major vendors support. There can be more
>>> knobs like this coming in the future.
>>
>>
>> replace as i think is dealt
Are we going to freeze any AS_PATH modifications by operator's policy too ?
I mentioned replace-as which all major vendors support. There can be more
knobs like this coming in the future.
replace as i think is dealt with sign again and pcount=0 and move along.
replace-as allows to repla
On Wed, Mar 28, 2012 at 12:29 PM, Robert Raszuk wrote:
> Are we going to freeze any AS_PATH modifications by operator's policy too ?
> I mentioned replace-as which all major vendors support. There can be more
> knobs like this coming in the future.
replace as i think is dealt with sign agai
Chris,
it seems that to date, folk can't seem to figure out the aggregation
bits, maybe that will change in the future.
Let me point out that IBGP multipath is used very commonly today. When
you do that you need to advertise something meaningful out to your
neighbors. Yes that is open IDR to
On Wed, Mar 28, 2012 at 12:01 PM, Paul Jakma wrote:
> On Wed, 28 Mar 2012, Jakob Heitz wrote:
>
>> The issue is SIDR can not aggregate multiple paths.
>
>
>> Should SIDR work on path aggregation?
>
>
> If we ever want to make routing state scale sub-linearly (i.e. make IDR
> "compact") in the size
On Wed, 28 Mar 2012, Jakob Heitz wrote:
The issue is SIDR can not aggregate multiple paths.
Should SIDR work on path aggregation?
If we ever want to make routing state scale sub-linearly (i.e. make IDR
"compact") in the size of the internet, then we're almost certainly going
to need some
s.
>
> --
> Jakob Heitz.
>
> -Original Message-
> From: Paul Jakma [mailto:p...@jakma.org]
> Sent: Wednesday, March 28, 2012 6:10 AM
> To: Jakob Heitz
> Cc: rob...@raszuk.net; Tony Li; i...@ietf.org List; sidr wg list
> Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6
idr wg list
> Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
>
> On Tue, 27 Mar 2012, Jakob Heitz wrote:
>
>> Alternatively, send both routes and let the end user decide to use them
>> in a multipath. Can you say ebgp add-path?
>
> Where's the
Tony Li; i...@ietf.org List; sidr wg list
Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath
On Tue, 27 Mar 2012, Jakob Heitz wrote:
> Alternatively, send both routes and let the end user decide to use them
> in a multipath. Can you say ebgp add-path?
Where's the docume
On Tue, 27 Mar 2012, Jakob Heitz wrote:
Alternatively, send both routes and let the end user decide to use them
in a multipath. Can you say ebgp add-path?
Where's the document to describe how to do multi-pathing using add-path?
E.g. what should happen when there is a non-add-path capable neig
SIDR wise, to aggregate routes, you would have to
aggregate signatures. That means to put both signatures
into the aggregate and sign across the pair of them
at each subsequent hop. yuck.
Alternatively, send both routes and let the end
user decide to use them in a multipath.
Can you say ebgp add-p