Re: [sidr] SIDR Charter Question

Wed, 28 Apr 2010 12:12:13 -0700

The relative frequency of use of AS_SETs is interesting, but not really germane to the point here.
If we were trying to develop a protection for AS_SETs then we might want to ask the engineering question of where and how often they were used. 


But for the purpose of validating received updates, we need a rule for 
what is done with AS_SETs that appear in the AS_PATH origin.  Lack of 
rules leaves opportunities for deliberate or accidental mischief.



AS_SETs might not be used very often, but that doesn't stop someone from 
using AS_SETs deliberately with malicious intent.



--Sandy, making a technical point as wg member and a document completeness 
point as wg chair.


On Wed, 28 Apr 2010, Warren Kumari wrote:



On Apr 28, 2010, at 2:37 PM, Sandra Murphy wrote:




On Thu, 29 Apr 2010, Geoff Huston wrote:


Thank you for this response. As I had noted earlier, if you had made it 
clearer in which role you were posting in these discussions it would be 
easier for others, or at least myself, to understand when you were making 
pronouncements as WG chair and when you were asking questions and airing 
opinions as an individual participant.



If proxy aggregation is "not part of our work" then the outcome of such 
actions, namely AS Sets in the AS_PATH is likewise "not part of our work." 
I will edit the roa validation draft accordingly.


Actually, no, that is not the case.


When I say that proxy aggregation is not part of our work, I mean that sidr 
does not promise to protect BGP announcements formed by proxy aggregation.



While it is true that AS_SETS are principally generated in BGP updates by 
an AS that is doing proxy aggregation, AS_SETS are still part of the BGP 
protocol and might appear in a received AS_PATH.



Until and unless the idr working group decides to eliminate that feature 
from the BGP protocol, the sidr route validation must still make a 
statement about what happens when the AS_PATH origin is an AS_SET.



That is necessary for completeness.  Furthermore, without such a statement, 
implementers could make different decisions as to how to handle such cases 
and attack paths could result.



The sidr wg is not now considering anything but origin authorization, so an 
AS_PATH segment that is an AS_SET but is not the origin is not of our 
concern at all.



Just for giggles I decided to see how how widely AS Sets were being used by 
having a quick look at route views data (yes, which I realize is incomplete, 
etc).



I used an as-path regexp to only get AS paths that included an AS_SET and 
then did some grep, sed and awk hackery to get a handle on the data.




I see zero AS_PATHs where the AS_SET is not the origin (i.e, where the AS_SET 
segment is not followed by i (internal), e (external) or ? (unknown):


wkum...@colon:~/tmp$ cat assets | grep '} [^ie\?]'

I see 39 unique paths where the "AS_SET" is only a single AS:

wkum...@colon:~/tmp$ cat assets | egrep "^\*" | sed 's/.*{\(.*\)}.*/\1/' | 
sort | uniq | grep -v ',' | wc -l

39

and 21 unique paths where the AS_SET contains multiple ASs:

wkum...@colon:~/tmp$ cat assets | egrep "^\*" | sed 's/.*{\(.*\)}.*/\1/' | 
sort | uniq | grep ','

11060,12262
1239,17079,27773
17746,64512
209,25729
21135,49476
25019,41426
25912,65427
31812,65473
33363,65129,65188
3356,8928,22351
3491,15412,19710
35821,35821,35821,35821
45514,45514,45514
45514,45514,45514,65081
4558,30994,33770
46124,46136
50693,64601,64604,64607,64608,64609,64610,65505
64520,64521
7470,24128,38865,45199
8002,15412
8508,24748,35434

Of these, only:
11060,12262
1239,17079,27773
209,25729
21135,49476
25019,41426
3356,8928,22351
3491,15412,19710
35821,35821,35821,35821
45514,45514,45514
4558,30994,33770
46124,46136
7470,24128,38865,45199
8002,15412
8508,24748,35434


do not contain private AS numbers. Some of the above contain only a single AS 
repeated multiple times (like 35821).



I don't want this to devolve into a discussion on the merits of aggregation, 
if AS_SETs should be deprecated or anything similar, this was just because I 
wanted know for my own sake what the numbers were and figured others might be 
interested too....


W







--Sandy






On 29/04/2010, at 3:16 AM, Sandra Murphy wrote:


I have said that it was the consensus even before sidr was officially a 
wg that proxy aggregation would not be part of our work.  And I pointed 
to the email archive for that discussion.



You have said that you do not believe that it is possible at this point, 
so I don't think that you are unhappy with that statement.



So I am confused as to what further statement I could make that would 
help at this point.


Can you point me to where you still see a problem?

--Sandy

On Wed, 28 Apr 2010, Geoff Huston wrote:


three weeks ago I asked:




It seems to me that the essential requirements for securing proxy 
aggregation are missing at this stage, which makes it somewhat 
difficult for SIDR to work on mechanisms without some re-spinning of 
the SIDR WG Charter (or some other WG) that would permit the 
preliminary work on security requirements relating to proxy aggregation 
to come first.



So my question to the WG Co-chairs is: is work on securing  Proxy 
Aggregation within the current SIDR charter? If so, on what basis?



I would hope that by now the WGchairs have had sufficient time to 
consider this question, so I'd like to ask once more: Is work on 
securing  Proxy Aggregation within the current SIDR Charter? If so, on 
what basis?



regards,

Geoff






_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr


--
Eagles soar but a weasel will never get sucked into a jet engine



_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr

























					Reply via email to