On 19/11/2008, at 11:34 AM, Sandra Murphy wrote:
On Mon, 17 Nov 2008, Pradosh Mohapatra (pmohapat) wrote:
Hi Danny,
Thanks for the comments.
| A few specific things:
|
| 1) AS path origin-based policies alone are insufficient, as any
| targeted attack could most easily spoof the origin AS.
Yes, and that's why complete path attestation is still required and
needs to be addressed.
SIDR was chartered to fulfill the security requirements established
by the rpsec working group. That group was able to set path
origination as a security requirement but failed to come to
consensus on what sort of additional path security should be required.
No one in the rpsec wg argued that additional path security is NOT
required, it was just setting the exact security requirements for
security for the AS_PATH past the origination AS that was contentious.
So everyone recognizes that the origination of a route to a prefix
is not sufficient. But it is necessary. It is the starting point
of every suggested BGP protection that provides more protection of
the AS_PATH. (That I have seen.)
So we'll get done with this (someday!) and we can continue with more
work to further protect the AS_PATH and this current work will be
useful in the meantime and the basis for the more work (i.e., not
wasted).
WG Co-Chair Hat ON
To add a couple more words here to Sandy's, when RPSEC can resolve
their outstanding considerations related to the specification of
requirements with respect to securing the AS paths of BGP route
updates, then the charter of SIDR indicates that we can then work on
ways to meet such requirements. And in saying this I am aware that
this has been outstanding for some years now, and the RPSEC draft,
draft-ietf-rpsec-bgpsecrec-10.txt, is still awaiting a clear consensus
from the RPSEC WG. However the alternative, of enjoying a word-for-word
replay of the entire RPSEC discussion on possible AS path
validation approaches and their relative merits in SIDR does not
strike this particular WG co-chair as a productive activity for the
SIDR WG. So at this point we are still awaiting RPSEC to complete on
its charter before heading off into AS Path validation approaches.
Geoff