Re: [GROW] [Sidrops] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt

Job Snijders <job@instituut.net> Sun, 15 January 2017 14:49 UTC

Date: Sun, 15 Jan 2017 15:49:43 +0100
From: Job Snijders <job@instituut.net>
To: Marco Marzetti <marco@lamehost.it>
Cc: sidrops@ietf.org, GMO Crops <grow@ietf.org>

On Sun, Jan 15, 2017 at 03:39:37PM +0100, Marco Marzetti wrote:
> On Sun, Jan 15, 2017 at 1:32 AM, Randy Bush <randy@psg.com> wrote:
> > [ first, i do not use route servers (because of the data/control non-
> >   congruence), so my opinion here is worth even less than it normally
> >   is. ]
> >
> >> An ixp route-server is not a transit provider, all of the nexthops
> >> exposed are in fact peers. So no I do not consider such a device an
> >> "upstream" it exists to service the policy needs of the peers on the
> >> fabric rather than that of the exchange operator.
> >
> > to repeat my previous; those policy needs might vary across ix members.
> > some may want the ix to enforce origin validation for them, some may
> > not.  those exchanges which offer validation today offer the choice.  i
> > think that is the right thing; let the member make the choice at set-up
> > with the route server.
> 
> I think RSs should do RPKI by default and allow for two behaviors:
> 1) Drop (default)
> 2) Add ext-community as this draft suggests (upon request)

Or perhaps we consider a Route Server to be "Just Yet Another Autonomous
System"? Why should there be a difference between Autonomous Systems
with regard to routing security recommendations?

If the recommendation is to drop/ignore/reject "RPKI Invalid"
announcements, then that applies to Route Servers too; if the
recommendation is to just attach an Extended BGP Community, then that
will apply to all ASNs.

Kind regards,

Job
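The two behaviours discussed in this thread, dropping RPKI Invalid routes versus keeping them and attaching an Origin Validation State extended community, as an added illustration that is not part of the thread or the draft. The RFC 6811 validation logic and the RFC 8097 state values (0 valid, 1 not found, 2 invalid) are real; the ROA table, routes and the `mode` knob are constructed sample data and a hypothetical policy interface.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 8097 Origin Validation State values carried in the extended community.
VALID, NOT_FOUND, INVALID = 0, 1, 2


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_as: int


@dataclass
class Route:
    prefix: str
    origin_as: int
    ext_communities: list = field(default_factory=list)


def validate_origin(route, roas):
    """RFC 6811 route origin validation of one route against a ROA set."""
    net = ipaddress.ip_network(route.prefix)
    # A ROA "covers" the route when the route prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return NOT_FOUND
    # Valid if any covering ROA matches both origin AS and maxLength;
    # an AS0 ROA never matches a real origin, so it yields Invalid.
    for roa in covering:
        if roa.origin_as == route.origin_as and net.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def apply_rov_policy(route, roas, mode="drop"):
    """Hypothetical route-server policy: 'drop' rejects Invalid routes (returns
    None); 'tag' keeps every route and attaches the validation state so the
    peer can decide for itself."""
    state = validate_origin(route, roas)
    if mode == "drop" and state == INVALID:
        return None
    route.ext_communities.append(("origin-validation-state", state))
    return route


# Constructed sample ROA table (documentation prefixes and private ASNs).
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("198.51.100.0/22", 24, 64497)]
```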