Doug,

On Sat, Jul 26, 2014 at 01:14:18PM -0400, Doug Montgomery wrote:
> What seems necessary to address the set of problems we examined is the
> ability to:
> 
> 1. Tag additional semantics for an individual announcement whose meaning is
> globally known.
> 
> 2. To have these tags be transitive, remaining on the route end to end (not
> just one hop).

The first property is describable in the semantics of a community, but more
likely via an extended community.

The second property suffers the issue that much of people's policies end up
being "throw out all communities that aren't mine".  This is one of the
things that hampered NO_PEER.

> 3. In speaking to operators who were concerned about intentional leaks of
> routes to critical infrastructure, it seems that the tags should be secured
> so that a party anywhere on the net could verify which AS added the tag
> on transmission to a specific peer, and verify if a tag had been modified or
> stripped in transit.

I'm not sold on this property being essential, but it's certainly a Nice To
Have item.  My reasoning on this is that the behavior of this feature would
be to inform a receiving peer that someone previously in the as-path had
suggested that it shouldn't be accepted at a given level of the hierarchy.

Rather than "maliciously" setting that property, they could have simply not
propagated the route.

The attack space for such malicious behavior is probably that of the AS
hop-limit features that had previously been discussed.  You'd need to find
something that violates expected forwarding behaviors.

> It did not appear to us that this was achievable with current community
> mechanisms.   One could easily implement such semantics through some new
> variant of community+protections, but it did not seem the current mechanism
> addressed what we perceived as the requirements.

The other property I find worth thinking about, discussed with Sriram in a
prior hallway conversation, is that "up" will be not only with respect to a
given prefix, but who is setting "down".

I find it somewhat likely that a cooperating set of tier1/tier2 providers
could achieve the desired behaviors of a version of this feature simply by
agreeing to look for this bit as set by any of them.

Or, as I hand-waved in the hallway using the CAIDA skitter graph of AS
connectivity as an example, one provider may be willing to accept a
violation of "up" depending on who and where it came from.  But as long as
the information about who set the bit is kept, each receiving party may make
this independent choice.

-- Jeff
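Added illustration, not code from the thread or from any router vendor: a toy model of the two designs being compared. It contrasts a plain community, which an intermediate AS running the "throw out all communities that aren't mine" policy silently drops, with a hypothetical transitive tag that records which AS set it, so that each receiver can independently decide whose "do not send this up" request it honours. The ASNs, the peer/provider relations, the tag name NO_UP and the community value 65001:900 are all constructed for the example; nothing here models real BGP attribute encoding.

```python
"""Toy model of community stripping versus an attributable, transitive tag.

Constructed example: ASNs 65001-65004, the relations between them, the
community value "65001:900" and the tag meaning NO_UP are all made up.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set, Tuple

NO_UP = "NO_UP"   # hypothetical meaning: "do not announce this route to any provider"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    communities: frozenset                 # RFC 1997 style "ASN:value" strings
    tags: Tuple[Tuple[int, str], ...]      # hypothetical transitive (setter ASN, meaning)


@dataclass
class AS:
    asn: int
    strip_foreign_communities: bool = False          # "throw out all communities that aren't mine"
    no_up_communities: Set[str] = field(default_factory=set)  # values this AS itself reads as NO_UP
    trusted_tag_setters: Set[int] = field(default_factory=set)  # whose NO_UP tag this AS honours

    def import_route(self, r: Route) -> Route:
        comms = r.communities
        if self.strip_foreign_communities:
            comms = frozenset(c for c in comms if c.startswith(f"{self.asn}:"))
        # The hypothetical tag is left untouched on import: that is the design goal.
        return replace(r, communities=comms)

    def export_route(self, r: Route, relation: str) -> Optional[Route]:
        """relation is what the neighbour is to us: 'provider', 'peer' or 'customer'."""
        if relation == "provider":
            # Community form: only values this AS knows the meaning of count.
            if r.communities & self.no_up_communities:
                return None
            # Tag form: honoured only when set by an AS this receiver chooses to trust.
            if any(m == NO_UP and setter in self.trusted_tag_setters for setter, m in r.tags):
                return None
        return replace(r, as_path=(self.asn,) + r.as_path)


def propagate(route: Route, path: List[Tuple[AS, str]]) -> List[int]:
    """Walk the route along path, a list of (AS, relation of the next AS to this one).

    Returns the ASNs that actually received the route, in order.
    """
    received: List[int] = []
    current = route
    for i, (node, next_relation) in enumerate(path):
        current = node.import_route(current)
        received.append(node.asn)
        if i == len(path) - 1:
            break
        exported = node.export_route(current, next_relation)
        if exported is None:
            break
        current = exported
    return received


def run(use_tag: bool, trust_at_65002: bool, trust_at_65003: bool) -> List[int]:
    """Origin 65001 peers with 65002; 65003 is 65002's provider; 65004 is 65003's.

    65001 marks the route NO_UP on announcement.  65002 strips foreign
    communities on import, as many real policies do.
    """
    origin = AS(65001)
    peer = AS(65002, strip_foreign_communities=True, no_up_communities={"65002:900"},
              trusted_tag_setters={65001} if trust_at_65002 else set())
    upstream = AS(65003, no_up_communities={"65003:900"},
                  trusted_tag_setters={65001} if trust_at_65003 else set())
    top = AS(65004)
    route = Route("192.0.2.0/24", (), frozenset({"65001:900"}),
                  ((65001, NO_UP),) if use_tag else ())
    return propagate(route, [(origin, "peer"), (peer, "provider"),
                             (upstream, "provider"), (top, "customer")])


if __name__ == "__main__":
    print("community only, stripped at 65002:", run(False, True, True))   # leaks to 65004
    print("tag, 65002 trusts the setter:      ", run(True, True, False))  # stops at 65002
    print("tag, only 65003 trusts the setter: ", run(True, False, True))  # stops at 65003
    print("tag, nobody trusts the setter:     ", run(True, False, False)) # leaks to 65004
```

The first run shows the NO_PEER-style failure: 65002 discards "65001:900" as not its own, and 65003 never learns that anyone asked for the route to stay down, so it goes to 65004. The remaining runs keep the (setter, meaning) pair intact end to end, and the decision moves to each receiver: 65002 may ignore a tag set by 65001 while 65003 honours it, which is the independent per-receiver choice described above. Note that even without stripping, a plain community only works where the receiver already knows what "65001:900" means, which is the "globally known meaning" gap the quoted requirements point at.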

_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow