Jeff Haas wrote:
>If the right-most AS path segment is a sequence, use the right-most AS as
>the origin.
>If the right-most AS path segment is a set, use the aggregator AS as per the
>presentation.

In the presentation, we noted (slide 7) that there is a new attack possibility
if the AGGREGATOR is used as the origin.
We recommended (John Scudder and others supported) that
the AS immediately to the left of the AS_SET should be used as the origin.
The analysis we presented showed that the ASN in the AGGREGATOR attribute is 
no different from the ASN of the AS immediately to the left of the AS_SET 
(wherever it matters from a validation algorithm point of view).
So we recommend using the AS immediately to the left of the AS_SET as origin
and basically disregarding the AGGREGATOR attribute in the validation algorithm.
This approach is compliant with RFC 4271 and also keeps the algorithm simpler.

Regarding your other point earlier about AS_SET location in the AS path,
the data analysis (2 million updates and 11 million RIB entries) shows
that whenever AS_SET is present in an update, 100% of the time the AS_SET
appears in the right-most position.
Also from a practical point of view, it is not possible to have the AS_SET
in the middle of the AS path because the AGGREGATOR does not know
which preceding ASs originated which subprefixes. It can aggregate
only by including all preceding ASs in one AS_SET that then goes in the
right-most position.

Sriram








 


________________________________________
From: [email protected] [[email protected]] On Behalf Of Jeffrey Haas 
[[email protected]]
Sent: Wednesday, July 28, 2010 12:18 PM
To: Sandra Murphy
Cc: [email protected]
Subject: Re: [sidr] Comment about aggregators and AS_SETs

On Wed, Jul 28, 2010 at 11:54:38AM -0400, Sandra Murphy wrote:
> The problem is the possibility that not accommodating legitimate BGP
> updates might result in opportunities for bad guys to get around
> protections.
>
> So we need to have some statement of what to do with this legitimate BGP
> update format.  And we need some certainty that we aren't introducing
> opportunities to circumvent the protections of ordinary updates.
>
> Protecting the AS_SETs etc is out of scope.

Sorry, I had hoped my comment at the microphone may have covered this:
If the right-most AS path segment is a sequence, use the right-most AS as
the origin.
If the right-most AS path segment is a set, use the aggregator AS as per the
presentation.

-- Jeff
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
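
An added example, not part of the original messages or of any SIDR document: a Python sketch of the origin selection Sriram recommends above, applied to AS_PATH values in the RFC 4271 segment encoding, with AGGREGATOR deliberately left out of the decision. The function names, the constructed sample paths (documentation ASNs) and the choice to return None when an AS_SET is not in the right-most position are assumptions of this example.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # path segment type codes from RFC 4271

def parse_as_path(data, asn_size=2):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...]."""
    fmt = {2: "H", 4: "I"}[asn_size]  # 2-octet or 4-octet AS numbers
    segments, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, count = data[pos], data[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unsupported segment type {seg_type}")
        end = pos + count * asn_size
        if count == 0 or end > len(data):
            raise ValueError("bad segment length")
        asns = struct.unpack(f"!{count}{fmt}", data[pos:end])
        segments.append((seg_type, list(asns)))
        pos = end
    return segments

def origin_for_validation(segments):
    """Return the AS to validate as origin, or None if it cannot be determined."""
    if not segments:
        return None  # empty AS_PATH: no origin to extract
    # Assumption of this example: an AS_SET anywhere but right-most is rejected.
    if any(seg_type == AS_SET for seg_type, _ in segments[:-1]):
        return None
    seg_type, asns = segments[-1]
    if seg_type == AS_SEQUENCE:
        return asns[-1]  # right-most AS of a right-most sequence
    # Right-most segment is an AS_SET: take the AS immediately to its left.
    if len(segments) >= 2:
        return segments[-2][1][-1]
    return None  # AS_SET with nothing to its left

# Constructed sample AS_PATH values using documentation ASNs 64500-64511.
PLAIN = bytes.fromhex("0203fbf4fbf5fbf6")             # SEQ 64500 64501 64502
AGGREGATED = bytes.fromhex("0202fbf4fbf50102fbfefbff")  # SEQ 64500 64501, SET {64510, 64511}
SET_ONLY = bytes.fromhex("0102fbfefbff")              # SET {64510, 64511}

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("aggregated", AGGREGATED), ("set only", SET_ONLY)):
        print(name, origin_for_validation(parse_as_path(raw)))
```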