Thread: draft-ietf-rpsec-bgpsecrec-06.txt
draft-ietf-rpsec-bgpsecrec-06.txt
2006-07-21 19:26:54
In message <p06230909c0e6890b5791[128.89.89.106]>
Stephen Kent writes:
>  
> At 1:46 PM -0400 7/20/06, Curtis Villamizar wrote:
> >...
> >
> >BGP security mechanisms differ in the following ways.
> >
> >   1.  The scope of key distribution may be local or global.
> >
> >     a.  A BGP security mechanism may use a transitive trust model,
> >
> >     b.  A BGP security mechanism may use a form of authentication
> >         where keys are globally available and provide authentication
> >         information which is globally verifiable.
> >
> >     c.  A BGP security mechanism may use both of the above using one
> >         scope for one type of information and another scope for
> >         another type of information.
> >
> >   2.  A BGP security mechanism may authenticate (or encrypt)
> >       different types of information including a combination of the
> >       following.
> >
> >     a.  A BGP security mechanism may provide authentication of
> >         the origin or information related to the origin.
> >
> >     b.  A BGP security mechanism may provide authentication of the BGP
> >         peer.
> >
> >     c.  A BGP security mechanism may provide authentication of each AS
> >         in the path.
> >
>  
> I think it is confusing to refer to "a BGP security mechanism" when
> referring to all of these security issues. For example, one might
> use different means of authenticating a BGP peer in different
> contexts and this choice may be completely independent of a mechanism
> used to verify route origination on a global basis.
>  
> Steve


Steve,

What term would you prefer?

BTW.  In a transitive trust model there is no implication that all the
peers along the path used the same method to authenticate their peer,
just that they used *some* authentication method and were convinced
that the peer was who they claimed to be.  It would be possible to add
an optional non-transitive attribute indicating that a specific method
was used on the entire path.  If a router didn't understand that
attribute it would be dropped.  That functionality was not implied
anywhere above.

Curtis

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
draft-ietf-rpsec-bgpsecrec-06.txt
2006-07-21 20:54:46
At 3:26 PM -0400 7/21/06, Curtis Villamizar wrote:
>
>...
>  > 
>>  I think it is confusing to refer to "a BGP security mechanism" when
>>  referring to all of these security issues. For example, one might
>>  use different means of authenticating a BGP peer in different
>>  contexts and this choice may be completely independent of a mechanism
>>  used to verify route origination on a global basis.
>> 
>>  Steve
>
>
>Steve,
>
>What term would you prefer?
>
>BTW.  In a transitive trust model there is no implication that all the
>peers along the path used the same method to authenticate their peer,
>just that they used *some* authentication method and were convinced
>that the peer was who they claimed to be.  It would be possible to add
>an optional non-transitive attribute indicating that a specific method
>was used on the entire path.  If a router didn't understand that
>attribute it would be dropped.  That functionality was not implied
>anywhere above.
>

What I objected to was the use of the term "BGP Security mechanism"
to refer to what are a set of independent security mechanisms that
need not be uniform and which may be largely independent of one
another. I thought your example above was consistent with what I was
trying to say, but then I saw the reference to a path attribute that
attests to what form of authentication was used on each hop.

The confusion arises because the peer authentication to which I was
referring was what an (e)BGP router does to decide whether to accept
an inbound UPDATE message as being from the indicated peer, at a low
level.  This is a purely local example of peer authentication. Your
example is also a valid instance of peer authentication, but one that
arises only if one assumes reliance on transitive trust to
authenticate a path. It is an example that makes sense only under one
set of assumptions, and that's what confused me.

Steve

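The distinction both messages turn on (a router that authenticates only its direct peer and takes that peer's word for the rest of the path, versus globally available keys that let any AS check every hop itself) can be made concrete with a small model. The following is an added illustration written for this archive page; it is not code from the draft, from Curtis, or from Steve. Everything in it is constructed: the AS names, the link secrets, the documentation prefix 192.0.2.0/24, the hypothetical attribute name PATH_AUTH_METHOD, and a toy RSA with tiny hard-coded primes that is insecure by design and only stands in for whatever real signature scheme a globally verifiable mechanism would use. The attribute-forwarding rule at the end follows RFC 4271, which has routers quietly ignore and not pass on optional non-transitive attributes they do not recognise.

```python
"""Constructed model of the two key-distribution scopes from the thread:
transitive trust (verify your peer only) vs. globally verifiable keys."""
import hashlib
import hmac

# Toy key material (constructed, insecure by design; AS names are placeholders).
TOY_PRIMES = {"AS1": (61, 53), "AS2": (67, 71), "AS3": (73, 79)}
E = 17


def toy_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))      # (public, private)


def digest_int(data, n):
    # With n this small, unrelated messages collide about once in n; fine for a toy.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)


def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


PUBLIC_REGISTRY = {}   # scope 1b: verification keys available to everyone
PRIVATE = {}           # each AS's own signing key
for asn, (p, q) in TOY_PRIMES.items():
    PUBLIC_REGISTRY[asn], PRIVATE[asn] = toy_keypair(p, q)

# Scope 1a: per-adjacency shared secrets, known only to the two peers (constructed).
LINK_SECRETS = {("AS1", "AS2"): b"link-1-2", ("AS2", "AS3"): b"link-2-3"}


def encode_update(prefix, as_path):
    # as_path is written origin-first here for readability.
    return f"{prefix}|{','.join(as_path)}".encode()


def peer_tag(a, b, payload):
    return hmac.new(LINK_SECRETS[tuple(sorted((a, b)))], payload, "sha256").hexdigest()


# Model A: transitive trust.  The receiver verifies its direct peer and
# takes that peer's word for every hop upstream of it.
def send_transitive(sender, receiver, prefix, as_path):
    payload = encode_update(prefix, as_path)
    return {"from": sender, "payload": payload, "tag": peer_tag(sender, receiver, payload)}


def verify_transitive(receiver, msg):
    """Returns (peer_ok, hops verified here, hops merely trusted)."""
    ok = hmac.compare_digest(msg["tag"], peer_tag(msg["from"], receiver, msg["payload"]))
    if not ok:
        return False, [], []
    path = msg["payload"].split(b"|")[1].decode().split(",")
    return True, [msg["from"]], [h for h in path if h != msg["from"]]


# Model B: each AS signs the path as it stood when it added itself; any
# receiver, anywhere, checks every hop against the public registry.
def sign_hop(asn, prefix, as_path_so_far, sigs):
    return sigs + [(asn, toy_sign(PRIVATE[asn], encode_update(prefix, as_path_so_far)))]


def verify_global(prefix, as_path, sigs):
    if len(sigs) != len(as_path):
        return False
    for i, (asn, sig) in enumerate(sigs):
        if asn != as_path[i]:
            return False
        if not toy_verify(PUBLIC_REGISTRY[asn], encode_update(prefix, as_path[:i + 1]), sig):
            return False
    return True


# Curtis's optional non-transitive attribute: per RFC 4271 a router that does
# not recognise such an attribute ignores it and does not pass it on.
def forward_attributes(attrs, understood):
    return [a for a in attrs
            if not (a["optional"] and not a["transitive"] and a["type"] not in understood)]


def demo():
    prefix = "192.0.2.0/24"    # documentation prefix, constructed
    honest = sign_hop("AS2", prefix, ["AS1", "AS2"], sign_hop("AS1", prefix, ["AS1"], []))
    # AS2 announces a path claiming AS1 as origin, but no AS1 signature exists for it.
    forged_sigs = sign_hop("AS2", prefix, ["AS1", "AS2"], [])
    forged_msg = send_transitive("AS2", "AS3", prefix, ["AS1", "AS2"])
    attrs = [{"type": "AS_PATH", "optional": False, "transitive": True},
             {"type": "PATH_AUTH_METHOD", "optional": True, "transitive": False}]  # hypothetical
    return {
        "global_honest": verify_global(prefix, ["AS1", "AS2"], honest),
        "global_forged": verify_global(prefix, ["AS1", "AS2"], forged_sigs),
        "transitive_forged": verify_transitive("AS3", forged_msg),
        "kept_by_router_without_support": [a["type"] for a in forward_attributes(attrs, {"AS_PATH"})],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the point of the thread: under transitive trust AS3 confirms only that AS2 sent the UPDATE and has to trust AS2's claim about AS1, so the unsigned origin claim is accepted, while the globally verifiable model rejects the same path because AS1's signature is missing. The last entry shows that a router which does not understand the hypothetical path-authentication attribute silently drops it, exactly the behaviour Curtis describes.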