Re: [GROW] draft-ss-grow-rpki-as-cones-00
Job Snijders <job@ntt.net> Wed, 23 May 2018 19:33 UTC
Return-Path: <job@instituut.net>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D91771270A3 for <grow@ietfa.amsl.com>; Wed, 23 May 2018 12:33:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.671
X-Spam-Level:
X-Spam-Status: No, score=-1.671 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.248, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R9VMXo6kAbPm for <grow@ietfa.amsl.com>; Wed, 23 May 2018 12:33:11 -0700 (PDT)
Received: from mail-wm0-f44.google.com (mail-wm0-f44.google.com [74.125.82.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B984C127010 for <grow@ietf.org>; Wed, 23 May 2018 12:33:10 -0700 (PDT)
Received: by mail-wm0-f44.google.com with SMTP id a67-v6so11899484wmf.3 for <grow@ietf.org>; Wed, 23 May 2018 12:33:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=GgBA5ct7tMs6aYp8zZLjeFD1E0FovbJfQHouSDeD40Y=; b=oZ69lzbBO8x3ugitEyVonz6eV8058ER1r86hqNEeHGa9HBL9dG47byeyn53FrBMnPI FvtrIeWguuVwF9sV8Zb3CSwFcOzvBT8GAjRaAivMGKvGs9ctpTbMt8iVzOHzbUnElrZr uj1AskPJEbTysKF7IDLcS3Rk1ft4aTVbK/TVxxok95frUpDOYSCsUZuwUpbimM/taNs3 PsArJH0PC4IEM4WkMR2ny7XEbJvliBMCOzDyOIc+LEzInSqVZl7ivkL+s42qujlxUzw1 AtDAle3u4E7+NkcLGDjp6HDmqWJ5YHYXrUlfMT0UH6/8AphGYMRPS6vOM7rtMfp0W0fD v1EA==
X-Gm-Message-State: ALKqPwf/RoqY+iPeFCiEuyoGyv/SUw0+Mvm8QsQFuxPQpj3H2k2uQ+be uvD00WHHBQUZ/atP5oNVsBob2fXvfnA=
X-Google-Smtp-Source: AB8JxZrmzsBBHlZH4hOhnYtLaBD/5gaHvM51Fbdoz4M0JwGIMSeIVtNiAj80K3Uc7jAgHnPJRjnGHw==
X-Received: by 2002:a50:ad69:: with SMTP id z38-v6mr8683268edc.306.1527103989071; Wed, 23 May 2018 12:33:09 -0700 (PDT)
Received: from vurt.meerval.net (vurt.meerval.net. [192.147.168.22]) by smtp.gmail.com with ESMTPSA id g7-v6sm10429268edf.90.2018.05.23.12.33.07 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 23 May 2018 12:33:08 -0700 (PDT)
Received: from localhost (vurt.meerval.net [local]) by vurt.meerval.net (OpenSMTPD) with ESMTPA id de803731; Wed, 23 May 2018 19:33:07 +0000 (UTC)
Date: Wed, 23 May 2018 19:33:07 +0000
From: Job Snijders <job@ntt.net>
To: Randy Bush <randy@psg.com>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, grow@ietf.org
Message-ID: <20180523193307.GA73966@vurt.meerval.net>
References: <8c2da168-af67-9463-adbc-d6a0b778f24d@stucchi.ch> <m2tvr0eq0f.wl-randy@psg.com> <20180523134849.GV56139@hanna.meerval.net> <m2h8mybei6.wl-randy@psg.com> <20180523170728.GW73966@vurt.meerval.net> <CAH1iCir7_oddkaeJGJ-qNyUgwumd55R-0AC8CMPrKmNKGiaxqQ@mail.gmail.com> <CACWOCC8NvWZQYN9b1y65C_s4J8VATRWmUkKDR-n8CL9J1QY-_g@mail.gmail.com> <57356A8C-B82D-4084-9BC0-B6F1A23CCCF5@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <57356A8C-B82D-4084-9BC0-B6F1A23CCCF5@psg.com>
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: Mutt/1.9.5 (2018-04-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/Rx7dO_w11cbOR95JIuf-VqB23Ho>
Subject: Re: [GROW] draft-ss-grow-rpki-as-cones-00
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 May 2018 19:33:12 -0000
On Wed, May 23, 2018 at 11:21:07AM -0700, Randy Bush wrote:
> > I believe the fundamental problem is (1) the same AS-SET name can
> > exist in multiple databases (duplication), (2) you don’t know which
> > as-set belongs to which ASN (ownership), and which as-set to use
> > (discovery).
>
> i think these may be part of the same confuddle; what is the
> “identity” of an as-set? in the irr, it is the maintainer (even
> ignoring multiple irr bases); but we have no such concept in the rpki.
Actually I thought we do: IANA issues a Certification Authority (CA)
certificate to each Regional Internet Registry (RIR). The RIR in turn
issues a CA certificate to an Internet Service Provider (ISP). The ISP
in turn issues EE certificates to itself to enable verification of
signatures on RPKI signed objects. This last CA is what I'd map to the
'irr maintainer' of an AS-SET.
> my understanding is that an as-set is a short-hand name for a
> collection of names of ASs and the names of other as-sets. when you
> ask that an AS owner sign an as-set, you are making an assertion of
> ownership/scope that i am not sure i understand. the signing AS is
> saying that the nickname is a valid list in some sense (part of
> brian’s question)?
The signing AS is saying they created (and named) the list. This helps
resolve various issues, such as "does AS-STEALTH belong to AS41847 or to
AS8002"?
> as the old rpki joke goes, you can use your cert to sign a gif of
> naked furries or a bank transaction. but what is the security
> *meaning* of your doing so?
The signing AS is saying they created (and named) the list, this in
itself is incredibly helpful.
> from the draft:
> > to enable operators to define a set of customers that can be found
> > as "right adjacencies", or transit customer networks, facilitating
> > the construction of prefix filters for a given ASN’
>
> so, when AS42 signs a list {AS1, AS2}, is AS42 trying to say that
> someone peering with AS42 should expect any prefixes for which there
> are ROAs with AS42, AS1, or AS2 in the ROA’s asID.
When AS 42 signs a list {AS 1, AS 2} and names the list "AS42-AS2914"
(or whatever convention / discovery mechanism we settle on) - AS2914
knows that it can create a prefix-list by doing inverse lookups for AS1,
AS2 (and perhaps AS 42 itself). AS 2914 knows at that point that AS 42
created the list. This information can be used to provision sessions
between 2914 and 42.
> but *anyone* can put an arbitrary AS number in an asID.
So? Same goes for IRR route-objects.
A second use case for the list is generation of AS_PATH filters.
Kind regards,
job
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Andrei Robachevsky
- [GROW] draft-ss-grow-rpki-as-cones-00 Massimiliano Stucchi
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Job Snijders
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Job Snijders
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Gert Doering
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Christopher Morrow
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Randy Bush
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Job Snijders
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Randy Bush
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Job Snijders
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Brian Dickson
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Job Snijders
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Jared Mauch
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Randy Bush
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Job Snijders
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Christopher Morrow
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Job Snijders
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Nick Hilliard
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Christopher Morrow
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Christopher Morrow
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Job Snijders
- Re: [GROW] draft-ss-grow-rpki-as-cones-00 Brian Dickson