IETF Logo Mail Archive

Re: [GROW] draft-ss-grow-rpki-as-cones-00

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 23 May 2018 17:25 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727671276AF for <grow@ietfa.amsl.com>; Wed, 23 May 2018 10:25:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOiZBvcoX7kB for <grow@ietfa.amsl.com>; Wed, 23 May 2018 10:24:59 -0700 (PDT)
Received: from mail-wr0-x230.google.com (mail-wr0-x230.google.com [IPv6:2a00:1450:400c:c0c::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A1511270A3 for <grow@ietf.org>; Wed, 23 May 2018 10:24:59 -0700 (PDT)
Received: by mail-wr0-x230.google.com with SMTP id w3-v6so20183955wrl.12 for <grow@ietf.org>; Wed, 23 May 2018 10:24:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Px67LdZJ9Qxiu/JTIIFc//B2zlgk+d/m60ACOqdCnVc=; b=mrJzyoHBbhIuTQtA9MhQTTl5bddZ6j+wvBHom65l2pDYTTI+qIR0Bc8f1S4I78QqA7 DJKvY18aUqOEK3H/MKgjj15gwWeYLSN9APDYemCF6Zddh4Qpigr7Af5n5mFXFYGHHxWa n7C0TCJGlm5cVaWHq6Fy/pmONj//aSIc6o9cIiaXpJ+5AdoAUFvSOjYTDxN02GLN1lcg c54R4r7hHhUU4V9+4l7DWvLztwqBij0yMiHcAgdKew8kc79bGYZnwqtxOPNDRf62BN71 zxB5ihnHoAY/3jaTPdOHgYDgRQWSd3cubI7LlV5Siu8n++PMmGmvFWADB71lrIc20+Vt uXDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Px67LdZJ9Qxiu/JTIIFc//B2zlgk+d/m60ACOqdCnVc=; b=Fqu1pbnntM8FG39XPlezi8KoBNpcgcUMty1HXXu6qZlftmPPTQAqi5k7reOydupLir 4JZP+hPXZUVm3GR6BdKI77lx6oJmr+WY4fiMYyvb3kYsZx+GhJuqBAxtVa5fOAlwLLXT xQpKnp+99aFEX4rxzO2AzuOdfQs3LXT40LGgfnumNTs+isRJqM/9bULkfYR+52I9b9J7 Vr74SD55UU1egtbxWZOHjLNbG0R7eH3UUbwnUjBZQhgXJZTFwl6DXrw1Cm2xs0w2Gj4H iKSd5dazbhiSGV8eS/Th/MFZ+ETeaTr84RN+rR7Ic3q8HsZJFvPH2V+MVTZK1X1SeCw8 lOeA==
X-Gm-Message-State: ALKqPwf/3mZt9RcMBzGSKwTrt1hB41H1rH8JQovbpQ/pYdcePyrxUSpt SHsvC+tA0TDy4eWw5jwI1g6lym1AeQ+TJ65/UI0=
X-Google-Smtp-Source: AB8JxZoesgA4OoV7h85xuvPQ3NVwwzKkZu7XFcbpGmarrkcZd4a5DsM7ao89TiJcrOEO8s0cWb33gQCuDbZrUrgRi8M=
X-Received: by 2002:adf:90cd:: with SMTP id i71-v6mr3250727wri.136.1527096297810; Wed, 23 May 2018 10:24:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a1c:6144:0:0:0:0:0 with HTTP; Wed, 23 May 2018 10:24:57 -0700 (PDT)
In-Reply-To: <20180523170728.GW73966@vurt.meerval.net>
References: <8c2da168-af67-9463-adbc-d6a0b778f24d@stucchi.ch> <m2tvr0eq0f.wl-randy@psg.com> <20180523134849.GV56139@hanna.meerval.net> <m2h8mybei6.wl-randy@psg.com> <20180523170728.GW73966@vurt.meerval.net>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 23 May 2018 10:24:57 -0700
Message-ID: <CAH1iCir7_oddkaeJGJ-qNyUgwumd55R-0AC8CMPrKmNKGiaxqQ@mail.gmail.com>
To: Job Snijders <job@ntt.net>
Cc: Randy Bush <randy@psg.com>, "grow@ietf.org" <grow@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e7203056ce2d0e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/cvfgJ0dkQ4JtYdKaab9T2zMwjmA>
Subject: Re: [GROW] draft-ss-grow-rpki-as-cones-00
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 May 2018 17:25:02 -0000

Sorry for the top-reply:

I think the fundamental problem with AS-SETs in IRR is the unilateral
aspect of "control" of what amounts to assertion of a relationship.

Given the basic mechanisms already in play for RPKI (keys, signing, etc.),
I think this would be easy enough to fix:

   - Any relationship asserted should require both parties to confirm by
   signing
   - Any relationship can be revoked by either party (thus fixing the main
   IRR problem)
   - Anyone else can confirm that relationship via signatures
   - The nature of the relationship would need to be reflected, in order to
   have maximum benefit. E.g. transit-provider, transit-customer, peer,
   mutual-transit, other.
   - This plays well with preventing route-leaks, too.

This would only require the ability to associate things like groups of ASNs
with single entities that speak for them. If that isn't already part of
RPKI, it would need to be added.

Brian

On Wed, May 23, 2018 at 10:07 AM, Job Snijders <job@ntt.net> wrote:

> On Wed, May 23, 2018 at 08:03:45AM -0700, Randy Bush wrote:
> > >>> me and Job Snijders have recently submitted
> > >>> draft-ss-grow-rpki-as-cones-00, which discusses AS-Cones, an
> > >>> attempt to bring as-sets into RPKI to facilitate route filtering.
> > >>
> > >> in irr, an as-set may reference an as-set.  could you explain the
> > >> authority model you have for this when as-sets are signed?
> >
> > > My initial thinking for RPKI AS Cones, is that a given Cone in an
> > > ASN's namespace can only be defined by the owner of the ASN in who's
> > > namespace the Cone is defined.
> >
> > namespace?
>
> In the IRR world we have the concept of hierarchical naming of AS-SETs:
> an example is "AS15562:AS-SNIJDERS" [1] - under the "AS15562" hierarchy
> only the owner (or delegated folks) can add/change/remove AS-SETS. I
> call this a namespace, should a different term be used?
>
> > isn't this the irr authorisation model?
>
> The IRR AS-SET feature is working pretty well (since it is better than
> nothing), but there are some downsides.
>
> For instance "AS15562:AS-SNIJDERS" can exist in multiple IRR databases,
> and we don't know which of those was actually created by the owner of
> AS15562. I hope this can be addressed in AS Cones.
>
> Another problem is that there no longer is a way (or perhaps there never
> was) to autodetect what AS-SET should be used by which organisation to
> generate a filter. RPSL is broken, fundamentally flawed. Perhaps this
> can be addressed - not by introducing a new language - but just having a
> handy naming convention. Think of it as "AS15562:AS-2914", so AS 2914
> knows it should use AS15562:AS-2914 if it exists, and if it doesn't
> exist use AS15562:AS-DEFAULT.
>
> > and how did that work out for us?
>
> I consider it a feature that anyone can add anything to an AS-SET they
> created, this puts the workload on transit providers and doesn't require
> stub networks to do anything. The "member-of:" feature is barely used
> and seems to pose too much work.
>
> Clock is ticking... multiple RIRs are struggling with their IRRs (or
> lack thereof). If IETF does not pony up a solution that is good enough
> for operational purposes, we may end up with RIRs investing in legacy
> technology and a continuation of the duplication/discovery/ownership
> issue. There is an opportunity here and now, let's work on it?
>
> Kind regards,
>
> Job
>
> [1]: https://apps.db.ripe.net/db-web-ui/#/query?searchtext=
> AS15562:AS-SNIJDERS#resultsSection
>
> _______________________________________________
> GROW mailing list
> GROW@ietf.org
> https://www.ietf.org/mailman/listinfo/grow
>

v2.23.0 | Report a Bug | By Email