BGPSEC Protocol Error Handling
SIDR Working Group, IETF 87, Berlin, Germany (Wednesday, 31 Jul 2013 / Friday, 2 Aug 2013)

BGPSEC-Protocol Errors Noted
MUST/MUST NOT in various places
– Error handling mentioned in some of them
Section 5.2: Validation Algorithm
– "properly formed": steps 1-5
– dealing with signatures and validity

BGPSEC Protocol Error Response
Section 5.2:
– "If any of these checks identify an error in the BGPSEC_Path attribute, then the implementation should notify the operator that an error has occurred and treat the update in a manner consistent with other BGP errors (i.e., following RFC 4271 [2] or any future updates to that document)."
Section 4.3:
– "Such an error is treated in exactly the same way as receipt of a non-BGPSEC update message containing an AS_CONFED_SEQUENCE from a peer that is not a member of the same AS confederation."

BGP Error Handling
RFC 4271
– Usually a NOTIFICATION message is sent with code/subcode and the BGP connection is closed
Confederations RFC error handling (AS_CONFED_SEQUENCE present from a non-confed member, and vice versa)
– another NOTIFICATION subcode
IDR draft draft-ietf-idr-error-handling-04.txt
– Three possible responses:
– "session reset"
– "treat-as-withdraw"
– "attribute discard"

What to Do?
Should the response be more specific?
Response choice:
– Follow RFC 4271 (NOTIFICATION with code/subcode and close the session)?
– Follow the IDR error handling draft? If so, which errors get which response?

BGPSEC-Protocol Draft Error Handling
"Properly formed" checks in Section 5.2:
1. check syntactic correctness
2. each Signature_Block has one Signature for each Secure_Path segment
3. check that AS_PATH is not present
4. for a non-confed-member neighbor, ensure the Confed_Sequence flag is not set
5. pCount=0 but the peer is not configured to use pCount=0
"treat the update in a manner consistent with other BGP errors"
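As an added example (my own illustration, not code from the presentation or from any BGPsec implementation), the block below runs the five "properly formed" checks above on a raw BGPSEC_Path attribute and maps whatever fails to one of the three responses from the IDR error-handling draft, so the "which errors get which response?" question can be tried out concretely. The wire layout it parses is assumed from the BGPsec protocol draft of the time (Secure_Path length + 6-byte segments; Signature_Block length + algorithm suite id + SKI/length/signature segments); the per-check response table is an assumption made only for illustration, since the slides leave that choice open; signature verification (the validity path in Section 5.2) is out of scope; the sample attributes are constructed here with placeholder SKI and signature bytes.

```python
"""BGPSEC_Path "properly formed" checks (Section 5.2, checks 1-5) mapped to the
three IDR-draft responses.  Added example for this page, not code from the
presentation or any BGPsec implementation.  Assumed wire layout (per the draft):
Secure_Path = 2-byte length (incl. itself) + 6-byte segments (pCount, Flags, AS);
Signature_Block = 2-byte length (incl. itself) + 1-byte alg suite id + segments
(20-byte SKI, 2-byte sig length, signature).  Signatures are not verified here."""
import struct
from enum import Enum

CONFED_SEGMENT = 0x80  # Flags bit 0 (MSB) marks an AS_CONFED segment


class Malformed(Exception):
    """Check 1 failure: the attribute is not syntactically correct."""


def parse_bgpsec_path(data):
    """Return ([(pcount, flags, asn), ...], [(alg, [(ski, sig), ...]), ...]) or raise Malformed."""
    if len(data) < 2:
        raise Malformed("truncated Secure_Path length")
    (sp_len,) = struct.unpack_from("!H", data, 0)
    if sp_len < 8 or (sp_len - 2) % 6 or sp_len > len(data):
        raise Malformed("bad Secure_Path length %d" % sp_len)
    path = [struct.unpack_from("!BBI", data, o) for o in range(2, sp_len, 6)]
    blocks, off = [], sp_len
    while off < len(data):
        if len(data) - off < 3:
            raise Malformed("truncated Signature_Block header")
        sb_len, alg = struct.unpack_from("!HB", data, off)
        end = off + sb_len
        if sb_len < 3 or end > len(data):
            raise Malformed("bad Signature_Block length %d" % sb_len)
        sigs, pos = [], off + 3
        while pos < end:
            if end - pos < 22:
                raise Malformed("truncated Signature Segment")
            (sig_len,) = struct.unpack_from("!H", data, pos + 20)
            if pos + 22 + sig_len > end:
                raise Malformed("signature overruns its Signature_Block")
            sigs.append((data[pos:pos + 20], data[pos + 22:pos + 22 + sig_len]))
            pos += 22 + sig_len
        blocks.append((alg, sigs))
        off = end
    if not blocks:
        raise Malformed("no Signature_Block")
    return path, blocks


class Check(Enum):  # the five "properly formed" checks of Section 5.2
    SYNTAX, SIG_PER_SEGMENT, AS_PATH_PRESENT, CONFED_FROM_NONMEMBER, PCOUNT_ZERO_UNEXPECTED = range(1, 6)


class Response(Enum):  # draft-ietf-idr-error-handling, ordered least to most severe
    ATTRIBUTE_DISCARD, TREAT_AS_WITHDRAW, SESSION_RESET = 1, 2, 3


def properly_formed_errors(data, has_as_path, peer_in_confed=False, peer_accepts_pcount0=False):
    """Run checks 1-5 on a raw BGPSEC_Path attribute and list every failed check."""
    try:
        path, blocks = parse_bgpsec_path(data)
    except Malformed:
        return [Check.SYNTAX]  # nothing further can be checked on unparseable bytes
    errs = []
    if any(len(sigs) != len(path) for _, sigs in blocks):
        errs.append(Check.SIG_PER_SEGMENT)
    if has_as_path:  # AS_PATH must be absent when BGPSEC_Path is present
        errs.append(Check.AS_PATH_PRESENT)
    if not peer_in_confed and any(flags & CONFED_SEGMENT for _, flags, _ in path):
        errs.append(Check.CONFED_FROM_NONMEMBER)
    if path[0][0] == 0 and not peer_accepts_pcount0:  # path[0] is the segment the peer added
        errs.append(Check.PCOUNT_ZERO_UNEXPECTED)
    return errs


# The slides leave the choice open: RFC 4271 style (always reset the session) or
# a per-check assignment.  The second table is an illustrative assumption only.
RFC4271_POLICY = {c: Response.SESSION_RESET for c in Check}
IDR_DRAFT_POLICY = {c: Response.TREAT_AS_WITHDRAW for c in Check}
IDR_DRAFT_POLICY[Check.CONFED_FROM_NONMEMBER] = Response.SESSION_RESET


def error_response(data, has_as_path, policy, **peer):
    """Decide one response for the update; with several errors the most severe wins (assumed rule)."""
    errs = properly_formed_errors(data, has_as_path, **peer)
    return max((policy[e] for e in errs), key=lambda r: r.value, default=None), errs


def build_attr(segments, sig_blocks):
    """Constructed test-vector encoder for the samples below (not router code)."""
    sp = b"".join(struct.pack("!BBI", *seg) for seg in segments)
    out = struct.pack("!H", len(sp) + 2) + sp
    for alg, sigs in sig_blocks:
        body = b"".join(ski + struct.pack("!H", len(sig)) + sig for ski, sig in sigs)
        out += struct.pack("!HB", len(body) + 3, alg) + body
    return out


SKI, SIG = b"\x11" * 20, b"\xaa" * 70  # constructed placeholders, not real key/signature bytes
GOOD = build_attr([(1, 0, 64496), (1, 0, 64497)], [(1, [(SKI, SIG), (SKI, SIG)])])
ONE_SIG = build_attr([(1, 0, 64496), (1, 0, 64497)], [(1, [(SKI, SIG)])])   # fails check 2
CONFED = build_attr([(1, CONFED_SEGMENT, 64496)], [(1, [(SKI, SIG)])])       # fails check 4
PCOUNT0 = build_attr([(0, 0, 64496), (1, 0, 64497)], [(1, [(SKI, SIG), (SKI, SIG)])])  # check 5
```

Calling `error_response(GOOD[:-5], False, IDR_DRAFT_POLICY)` exercises check 1 (the truncated Signature_Block no longer fits its own length field), and passing `peer_in_confed=True` or `peer_accepts_pcount0=True` shows how the same bytes are clean from a peer that is configured for them; the "most severe wins" rule when several checks fail is an assumption of this example, not text from the draft.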

BGPSEC-Protocol Draft Error Handling
Section 5.2: unable to find key – mark Signature_Block Not Valid
Section 5.2: no supported signature – consider unsigned
Section 5.2: no matching covering ROA for AS – mark route Not Valid
Section 5.2: signature fails – mark Signature_Block Not Valid
Section 5.2: no valid Signature_Block – mark route Not Valid
Section 4.3 (forward ref to 5.2)
– Checks if the confed bit is set when the neighbor is not in the confed
– No text for the vice versa case: i.e., confed bit not set from a confed member

BGPSEC-Protocol Draft Error Handling
Error handling for MUST NOT?
E.g., Section 4.2: "If a BGPSEC router has received only a non-BGPSEC update message (without the BGPSEC_Path attribute), … then it MUST NOT attach any BGPSEC_Path attribute to the corresponding update being propagated."
If a neighbor messes up and produces a BGPSEC_Path attribute anyway, and strips the AS_PATH, will that be caught?