IETF Logo Mail Archive

Re: [GROW] [Sidrops] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt

Matthias Waehlisch <m.waehlisch@fu-berlin.de> Sun, 15 January 2017 23:04 UTC

Return-Path: <m.waehlisch@fu-berlin.de>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69C94129481; Sun, 15 Jan 2017 15:04:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.72
X-Spam-Level:
X-Spam-Status: No, score=-4.72 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDPzBBY7XYh1; Sun, 15 Jan 2017 15:04:23 -0800 (PST)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBE0A1293F0; Sun, 15 Jan 2017 15:04:22 -0800 (PST)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (envelope-from <m.waehlisch@fu-berlin.de>) id <1cStqU-003fL7-VN>; Mon, 16 Jan 2017 00:04:18 +0100
Received: from x5ce7e1b5.dyn.telefonica.de ([92.231.225.181] helo=mw-PC.fritz.box) by inpost2.zedat.fu-berlin.de (Exim 4.85) with esmtpsa (TLSv1:AES256-SHA:256) (envelope-from <m.waehlisch@fu-berlin.de>) id <1cStqU-002sKz-K5>; Mon, 16 Jan 2017 00:04:18 +0100
Date: Mon, 16 Jan 2017 00:03:40 +0100
From: Matthias Waehlisch <m.waehlisch@fu-berlin.de>
To: Nick Hilliard <nick@foobar.org>
In-Reply-To: <587A9DE9.1000608@foobar.org>
Message-ID: <alpine.WNT.2.00.1701152315390.14048@mw-PC>
References: <148433210469.9788.12815016683609966013.idtracker@ietfa.amsl.com> <20170113184009.GC1055@Vurt.local> <7C35D47D-6605-4D6D-A97E-BD7139F36DBA@gmail.com> <7f08f967-247e-4060-b643-52bc45d8ab29@Spark> <1E278B10-A5BF-40BE-95C4-7A9B6AF6C817@gmail.com> <c55845cc-ca06-45c8-9b2e-075421d0447c@Spark> <58795A0B.6000009@foobar.org> <alpine.WNT.2.00.1701141045460.14048@mw-PC> <587A03CF.3010001@foobar.org> <alpine.WNT.2.00.1701141619550.14048@mw-PC> <587A9DE9.1000608@foobar.org>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
X-X-Sender: waehl@mail.zedat.fu-berlin.de
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Originating-IP: 92.231.225.181
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/H26bVzWP43uYmDhukgIEBTotIE4>
Cc: sidrops@ietf.org, GMO Crops <grow@ietf.org>, job@ntt.net
Subject: Re: [GROW] [Sidrops] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2017 23:04:24 -0000

I don't know if we are losing sight. The argument that RS is doing best 
path selection was stated several times.

However, I still don't buy the argument "route servers and rpki are an 
uncomfortable fit."

I buy the argument that fine-grained policy configuration challenges RS 
operation. And for sure the principle is indepdent of RPKI. In the most 
boring case, the decision results in "Prefer the route received from the 
lowest peer address." Ups, is this the IP address of the peering LAN, 
given by the IXP.

What is specific to RPKI is proxying of security-related meta data 
(i.e., easier deployment of new protocols via RS).

For example, in the case of policy prefer-valid-over-invalid AND there 
is no valid, RS would announce the (invalid) prefix to peer P. P also 
established private peering and receives announcement for the invalid 
prefix. Without deploying RPKI, this BGP speaker could benefit from RS 
meta data, dropping both.



Cheers
  matthias

On Sat, 14 Jan 2017, Nick Hilliard wrote:

> Matthias Waehlisch wrote:
> > the current discussion makes clear that documentation of 
> > origin-validation-signaling in IXP context is needed
> 
> rpki is conceptually no different to any other type of signaling
> mechanism: it's simply another input into the BGP decision engine
> process, just like communities or meds or as-path.
> 
> What we're losing sight of here is that it's the route server which
> calculates the best path for each route using the routing decision
> engine, and then sends a _single_ best path to the client. Conceptually,
> it doesn't matter whether the tie-breaker on the route server is
> communities, meds, as-path or rpki: the point is that the policy
> decision mechanism needs to be configured on the route server itself,
> because the route server is the device which is calculating the best
> path.  If the route server operator doesn't do this, the clients will
> end up with path hiding (see 2.3.1 in rfc7947).  I.e. it's nothing
> specific to rpki.
> 
> This is already extensively documented in rfc7947 and rfc7948.
> 
> Nick
> 


-- 
Matthias Waehlisch
.  Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl

v2.23.0 | Report a Bug | By Email