Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as
Leo Bicknell <bicknell@isc.org> Thu, 29 September 2011 13:04 UTC
Return-Path: <bicknell@isc.org>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9E1521F8CDA for <grow@ietfa.amsl.com>; Thu, 29 Sep 2011 06:04:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.85
X-Spam-Level:
X-Spam-Status: No, score=-0.85 tagged_above=-999 required=5 tests=[AWL=-1.150, BAYES_00=-2.599, J_CHICKENPOX_43=0.6, MANGLED_OFF=2.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id brh3elXUupI4 for <grow@ietfa.amsl.com>; Thu, 29 Sep 2011 06:03:56 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id B45DE21F8CCE for <grow@ietf.org>; Thu, 29 Sep 2011 06:03:55 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id 656F45F98F2; Thu, 29 Sep 2011 13:06:34 +0000 (UTC) (envelope-from bicknell@isc.org)
Received: by bikeshed.isc.org (Postfix, from userid 10294) id C6CEF216C3B; Thu, 29 Sep 2011 13:06:32 +0000 (UTC)
Date: Thu, 29 Sep 2011 13:06:32 +0000
From: Leo Bicknell <bicknell@isc.org>
To: Danny McPherson <danny@tcb.net>
Message-ID: <20110929130632.GA76531@bikeshed.isc.org>
References: <20110928193323.GA57548@bikeshed.isc.org> <CC4CB415-C615-4379-842F-2177B333D380@tcb.net> <20110928235156.GA65454@bikeshed.isc.org> <352BFFD6-B2C3-4ACD-96C1-46F28B5E5719@tcb.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <352BFFD6-B2C3-4ACD-96C1-46F28B5E5719@tcb.net>
Organization: Internet Systems Consortium, Inc
X-Mailman-Approved-At: Thu, 29 Sep 2011 06:20:08 -0700
Cc: "grow@ietf.org grow@ietf.org" <grow@ietf.org>
Subject: Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/grow>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2011 13:04:00 -0000
In a message written on Wed, Sep 28, 2011 at 09:35:55PM -0400, Danny McPherson wrote: > Simply put, if detection or policies can't be defined (discriminated) > based on authorized origin and a single upstream adjacent AS alone then > adjacent ASes and upstreams need to be codified. If the origins are > consistent in all locations and adjacent ASes are unique per location > via the same operator, the origin, adjacent ASes, and upstream adjacent > sets all need to be enumerated in detection or routing policies for the > prefix, that's the only way you can find a unique discriminator in the > set to key off of. I think I see where your world view and mine do not match. In a world where an Anycast service contracts with 4-8 upstream networks for transit they can easily enumerate all of the paths that might appear, and send it to someone. In a world where an Anycast service peers with a large number of networks, this is totally impractical. If I wanted to list the full set of possible paths by which you might see F-Root that list would be about 3,000 ASN's long right now. I suspect you don't notice that because we also make generous use of no-export both directly and indirectly, meaning a lot of these paths may not be visible to you, from your vantage point. I find, and track down (mostly innocent) route leaks of F on a weekly basis due to our rich peering. I can honestly say, for us, the approch you describe would not make things one bit easier for me. > But it can't today! Again, the very application of a common origin > in all locations for a given prefix, and the thought that that prefix > might well appear in some new place with the same origin and a new > upstream AS, or escape outside of it's intended catchment illustrates > just the problem. I.e., if it's leaked or hijacked how the heck would > anyone know? I have no idea how anyone, other than the operator of the service would know. In all proposed configurations the operator of the service knows how they configured it, and is the only one qualified to diagnose. Simply: A third party cannot know if the route is legitimate unless the Anycast operator tells them. If the operator must enumerate all paths anyway, the difference between your proposal and say the way F does it is the +1 ASN (N for your proposal, N+1 for F), but the list of paths is exactly the same length, N. That one extra ASN means inconsistent origin isn't required. So the operator can provide a list of N things in your proposal, or the same N things the way F does it, except our way doesn't go against the tradition of inconsistent origin being a "bad" thing. Indeed, I can write the vi transform easily: s/$/ 3557/ It's my hope that in the future DNSSEC, SecureBGP, RPKI, or some other out of band (to the routing system) method will be able to verify, but until then this proposal doesn't advance things. > > I see many of the arguments for this proposal were that it helped > > in diagnostic capabilities. Yet in all of the GROW archives I have > > read so far, and in the RFC itself I do not see a single example > > of how this configuration leads to faster/more accurate troubleshooting > > than say the F-Root model. > > OK, re-read the draft, and read the responses above, perhaps they help > clarify. Not really. An example would be: router> show ...... ---->>> This line has foo and bar in it, which mean a leak. Seriously, show me an algorythm to find a leak for a Anycast service that does not require any pre-knowledge about how the Anycast service is configured. I submit such a thing does not exist. If it doesn't, this draft does not advance anything, it recommends one method out of many with no particular advantage, and at least one easy to document disadvantage (inconsistent origin). -- Leo Bicknell; E-mail: bicknell@isc.org, Phone: +1 650 423 1358 INOC*DBA *3357*592; Internet Systems Consortium, Inc. www.isc.org
- [GROW] ISC Response to draft-ietf-grow-unique-ori… Leo Bicknell
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Danny McPherson
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Danny McPherson
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Leo Bicknell
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Leo Bicknell
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Danny McPherson
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Leo Bicknell
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Danny McPherson
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Leo Bicknell
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Christopher Morrow
- Re: [GROW] ISC Response to draft-ietf-grow-unique… John Kristoff
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Leo Bicknell
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Christopher Morrow
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Danny McPherson
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Leo Bicknell
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Christopher Morrow
- Re: [GROW] ISC Response to draft-ietf-grow-unique… Leo Bicknell