IETF Logo Mail Archive

Re: [GROW] draft-ss-grow-rpki-as-cones-00

Jared Mauch <jared@puck.nether.net> Wed, 23 May 2018 17:48 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D890412E8D8 for <grow@ietfa.amsl.com>; Wed, 23 May 2018 10:48:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jSLkGVakWgC1 for <grow@ietfa.amsl.com>; Wed, 23 May 2018 10:48:31 -0700 (PDT)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D9C312EA76 for <grow@ietf.org>; Wed, 23 May 2018 10:48:31 -0700 (PDT)
Received: from [IPv6:2603:3015:3606:cbe1:1cff:f6f7:e9d8:2513] (unknown [IPv6:2603:3015:3606:cbe1:1cff:f6f7:e9d8:2513]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id 89F33541006; Wed, 23 May 2018 13:48:29 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAH1iCir7_oddkaeJGJ-qNyUgwumd55R-0AC8CMPrKmNKGiaxqQ@mail.gmail.com>
Date: Wed, 23 May 2018 13:48:26 -0400
Cc: Job Snijders <job@ntt.net>, "grow@ietf.org" <grow@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D3EEB1AA-E871-4C82-9609-E100D09754EB@puck.nether.net>
References: <8c2da168-af67-9463-adbc-d6a0b778f24d@stucchi.ch> <m2tvr0eq0f.wl-randy@psg.com> <20180523134849.GV56139@hanna.meerval.net> <m2h8mybei6.wl-randy@psg.com> <20180523170728.GW73966@vurt.meerval.net> <CAH1iCir7_oddkaeJGJ-qNyUgwumd55R-0AC8CMPrKmNKGiaxqQ@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/fLFAYJ0tNF5GLtr4wwhgOPXGeYM>
Subject: Re: [GROW] draft-ss-grow-rpki-as-cones-00
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 May 2018 17:48:43 -0000


> On May 23, 2018, at 1:24 PM, Brian Dickson <brian.peter.dickson@gmail.com> wrote:
> 
> Sorry for the top-reply:
> 
> I think the fundamental problem with AS-SETs in IRR is the unilateral aspect of "control" of what amounts to assertion of a relationship.
> 
> Given the basic mechanisms already in play for RPKI (keys, signing, etc.), I think this would be easy enough to fix:
> 	• Any relationship asserted should require both parties to confirm by signing
> 	• Any relationship can be revoked by either party (thus fixing the main IRR problem)
> 	• Anyone else can confirm that relationship via signatures
> 	• The nature of the relationship would need to be reflected, in order to have maximum benefit. E.g. transit-provider, transit-customer, peer, mutual-transit, other.

So, this poses some challenges as it won’t actually fit into a well defined set of use-cases.

Being able to specify who can announce my route (or routes) and giving them a good way to specify this cone seems helpful.  Requiring both parties to sign, countersign, etc.. is not desirable or is problematic operationally.  How many e-mails back and forth have you seen go by where getting this updated is a problem?  I’ve seen quite a bit.  Not everyone is well automated and trying to use this as a sledge to turn that screw is going to be met with a collective yawn and be ignored by many folks.

- Jared

> 	• This plays well with preventing route-leaks, too.
> This would only require the ability to associate things like groups of ASNs with single entities that speak for them. If that isn't already part of RPKI, it would need to be added.
> 
> Brian
> 
> On Wed, May 23, 2018 at 10:07 AM, Job Snijders <job@ntt.net> wrote:
> On Wed, May 23, 2018 at 08:03:45AM -0700, Randy Bush wrote:
> > >>> me and Job Snijders have recently submitted
> > >>> draft-ss-grow-rpki-as-cones-00, which discusses AS-Cones, an
> > >>> attempt to bring as-sets into RPKI to facilitate route filtering.
> > >> 
> > >> in irr, an as-set may reference an as-set.  could you explain the
> > >> authority model you have for this when as-sets are signed?
> > 
> > > My initial thinking for RPKI AS Cones, is that a given Cone in an
> > > ASN's namespace can only be defined by the owner of the ASN in who's
> > > namespace the Cone is defined.
> > 
> > namespace?
> 
> In the IRR world we have the concept of hierarchical naming of AS-SETs:
> an example is "AS15562:AS-SNIJDERS" [1] - under the "AS15562" hierarchy
> only the owner (or delegated folks) can add/change/remove AS-SETS. I
> call this a namespace, should a different term be used?
> 
> > isn't this the irr authorisation model?
> 
> The IRR AS-SET feature is working pretty well (since it is better than
> nothing), but there are some downsides.
> 
> For instance "AS15562:AS-SNIJDERS" can exist in multiple IRR databases,
> and we don't know which of those was actually created by the owner of
> AS15562. I hope this can be addressed in AS Cones.
> 
> Another problem is that there no longer is a way (or perhaps there never
> was) to autodetect what AS-SET should be used by which organisation to
> generate a filter. RPSL is broken, fundamentally flawed. Perhaps this
> can be addressed - not by introducing a new language - but just having a
> handy naming convention. Think of it as "AS15562:AS-2914", so AS 2914
> knows it should use AS15562:AS-2914 if it exists, and if it doesn't
> exist use AS15562:AS-DEFAULT.
> 
> > and how did that work out for us?
> 
> I consider it a feature that anyone can add anything to an AS-SET they
> created, this puts the workload on transit providers and doesn't require
> stub networks to do anything. The "member-of:" feature is barely used
> and seems to pose too much work.
> 
> Clock is ticking... multiple RIRs are struggling with their IRRs (or
> lack thereof). If IETF does not pony up a solution that is good enough
> for operational purposes, we may end up with RIRs investing in legacy
> technology and a continuation of the duplication/discovery/ownership
> issue. There is an opportunity here and now, let's work on it?
> 
> Kind regards,
> 
> Job
> 
> [1]: https://apps.db.ripe.net/db-web-ui/#/query?searchtext=AS15562:AS-SNIJDERS#resultsSection
> 
> _______________________________________________
> GROW mailing list
> GROW@ietf.org
> https://www.ietf.org/mailman/listinfo/grow
> 
> _______________________________________________
> GROW mailing list
> GROW@ietf.org
> https://www.ietf.org/mailman/listinfo/grow

v2.23.0 | Report a Bug | By Email