IETF Logo Mail Archive

[GROW] ASPA and Route Server (was RE: [Sidrops] IXP Route Server question)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 15 March 2022 15:33 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A50E93A1584; Tue, 15 Mar 2022 08:33:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.112
X-Spam-Level:
X-Spam-Status: No, score=-2.112 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWsk9VMC1qs3; Tue, 15 Mar 2022 08:33:53 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on2072d.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d04::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 920633A1583; Tue, 15 Mar 2022 08:33:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OSzJRSaT4tYgYgnY/5Tz4oQJRHg9c2RXO4YXZ6evRFAkEO84A2plk7oDLupTxwkshrxTulngqMdVELBeersx0zbu9CcPAkyFSj4bG2Tn9N1jgHWvPOdKFIc5MTDypCQ56ruPP1+kh6EjaxDiGuiHxRD2nm0el3wmc8ZQeQiOyj2E9HtlABBg18UYd8CawEfYDBgn/xEolaHUh8vhBPM5tMPVPakFxAEmy4H4+RLKmu1sqqglsNt4fRWNhk6YnCQ3Dqn7aOqc+q9pVWNAeyzfeclEg9DCbVDW/bDl2A/yuSeFcgBLKmcS/i4ikIjCRiZXRYQ2d0lVTn5Jd07NiE8hNw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5iC9fqOT73vBCzONV4Av+R2Gl+xO1fmiRAzWA2RRn68=; b=ZS5d3u2zpIx/QEXq5TtpYcgOcZhQMW3yF4l/H3xTqDDpdLCaq53K4e/JLO9IHVlqRUN8mYm7AfdMtXpqmsX9HDqaE2vHPnHR+E0decGE4LhT0qyDFdV1RsQXcMKoLmYD2uqbxxiVrsEsmPbtkpzURChgKYn0K0JaLyPQesSRL9nh3h5cw37xoiHgBE2OzPWOYZ4a0e7fsnIj9i7AmlOxyxt6RwHeYZlBxnMOkNM4w/KejadPuAU8SCfrDq4I2vuW0Ec1yoOF4bTO0y1YLpwh4rsY3nPpE8DrDOumsETOdG4E1NxDxSOAT8I8qObtOgHDOdD0g5fpA4Wp/jfOQfxPPQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5iC9fqOT73vBCzONV4Av+R2Gl+xO1fmiRAzWA2RRn68=; b=tGapFfznMw3U9vTIZb1CYlUyH3F12LVW9fHxbUimVGf4BAkgcFaQxUWfgWNXpeylcUEErSLA5dF3DsCawjjcAdLWaSXyd+CJid8B747Aa977VOyW8/ERgT3L/EWzXrlG1KttBVAtl8wq6Nsqx8ejkRJGx33QrZ573+kRN51peKw=
Received: from BY3PR09MB8131.namprd09.prod.outlook.com (2603:10b6:a03:34d::9) by BY3PR09MB7347.namprd09.prod.outlook.com (2603:10b6:a03:340::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5081.14; Tue, 15 Mar 2022 15:33:42 +0000
Received: from BY3PR09MB8131.namprd09.prod.outlook.com ([fe80::fc92:b68c:f535:6750]) by BY3PR09MB8131.namprd09.prod.outlook.com ([fe80::fc92:b68c:f535:6750%2]) with mapi id 15.20.5081.014; Tue, 15 Mar 2022 15:33:42 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Nick Hilliard <nick@foobar.org>
CC: Ben Maddison <benm@workonline.africa>, "grow@ietf.org" <grow@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: ASPA and Route Server (was RE: [Sidrops] [GROW] IXP Route Server question)
Thread-Index: Adg4ggI9zgEhWGRXSB+h1e3Exyc49g==
Date: Tue, 15 Mar 2022 15:33:42 +0000
Message-ID: <BY3PR09MB81315D53064951F865F2A23884109@BY3PR09MB8131.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 10e90952-65ae-47ae-7c9c-08da06992f92
x-ms-traffictypediagnostic: BY3PR09MB7347:EE_
x-microsoft-antispam-prvs: <BY3PR09MB7347C341A501D41F7921977984109@BY3PR09MB7347.namprd09.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FXpudX/uG5xPEbYhr/xUvSiACIYnruC6BUqNVKT/EBrqQYalnNEa7WuLJi5eOE732AWUgqgRt6rJ8swVRsc7hexPvueDXb3iQ9bmUl/jeXLm5rl+SDjK8W9hzyL28dJk0ByG6/oMT94VhHrWqJh/tMb0VQWstzTOIqFbnXcsjUvZhhzAFMS/+wWnkTxHf8DJlEBz+IRhYZG78kAMYHB9fJPGnn7X6lLLhKVJKMFUendXCTSoHdu/z8VX/nUcabOgcNFvAy8XSWXxUtJjqTukTMxv2IdZ87xUcZ7O9CqtD04Z6KmfNozdaSxJ5JI0F+VMqGcFJX8aa45bskia7M5XAWsdNN5CXy7ewpRc59XEKm1nLvbQk8S1X/7F3m8jIqHccyLnyQt/7/vhkysMrr5eaxiKlsJOB27CsQ+pyngSxJ2Gf2eCqwqDXEZEGnFza5kSYa2MvC/elbxZutLuSRvhfGbZ1AlMTn91n4tmeiznh5eRAW65kiVHkXVqfG1Nb/sncneteS85fa55KQxNtEvw9Z7q8Y9uJ4Gqk19lpe4KGyCyEjZO0xv1JBD4lpnSq01u/dnptEWRLTl6ZO+aHXhaAcAOMrzr/vWViqXoe6+WQz51PV6Z10SUmg9lVbcoXT04kVFa+TPV1M536v8TXA6ivAY89NIyPPzcv3keykNbGeMj6ZzPVxWQvtpUCQHj0rQE+rSX5snChqyJGzARhPxPRA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY3PR09MB8131.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(83380400001)(26005)(82960400001)(186003)(122000001)(54906003)(6916009)(52536014)(8936002)(5660300002)(9686003)(86362001)(2906002)(38100700002)(55016003)(71200400001)(7696005)(6506007)(33656002)(66946007)(66556008)(66476007)(66446008)(508600001)(64756008)(4326008)(8676002)(76116006)(316002)(38070700005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: gvPlG36NBeb2ZGgSn08L+qlgC0gabiFiCDWe5aeN40Rz7XpGnxrbuD2rmupMwp+RjkakhCbk2T3BIV6JYcjMw6odHG+uv+C2pIKMn58+xwbVP0LnJRAJNa8SE6L6fIm010jQ0VebaT4/fFcI5wenTY2RyT+lsEW5ewmiyqi8WrFXP30q9S+FFVGInEvBoffEBFYtl83znSbZIlUHTPMDFFQvjQIzVcU1xr9q6S6lvGsZvJWCyyLHF+MS0hV6qvt8EOd/AhIzDFGG5JNtkt8snIzr4nqhH4VNDHHBCU3OIQU4zkuKx6MbsJSZi2TlpqGGlVEy7Lv1fPnkgKs/huPC+Tj8cNcR2EhcFFYSzmGWXJfcNiRf1FDA5bZNcxr8vFENothH2fCsVpoAZXp52b/60gkBe9ptXUtSUHw9R7U25wdPKYKT87PUWSQTiiJjkXGytcxkUHDMVStqj1+itxssXJf/kEz/E/2Wuy6w5GkS29Af7ngjJJE/c39b2k8GE67b/RIb7IyM3m/PWjAEUrOy82UF9XeG3NQGPKnV7hMzxirMqLabuoTWM6gzokwDM++ksRoO5/Z7gz1b1JxRUqAW/H7/v7Xy3tNXGQykchGQZDEyY4rDtSeb44TS8f+ZEqv4YHCrDqYYH0vz2nWFg8AbsZ7xu4lD1q3QMGZ9uT+7hgwd8jeDjEb7yB8wb0xOdHhop1WFiqUlIogsHnmX8O52GGGsspLxJArjUWv7O4h7AcCbCezKQM5kfN1YjQdEywiLhwZYfB60YVugigtn460cSpzguJyjGkWJDbTr/HjrM4FwfwWWuKE0JcmFbYKzH7q396qu+CtrYP8Td4AKTNARJL67BJEm5ab7V9tLZPwWI5wUo1WTCn1BQhciY5tmt6L58ph0Hm+ZZaL0euSqBTlwufssJwi18hAQH8/W2d1zshAlgw28Vrk9e+QcwMmUSztXeLIEkzaDArkjZ8FBz7ctD3IUfnRZIAtXwo+2Lvw8iBr9QjHudwM3mMxlB7d2WOrB+8Ty03UBkwuJXqTo829HDBG1VvM/YOFt20UUSv0ppg8JH1U64Xhhw9knsqWFNDEU9aAmzlAqARzfeVE9GCJrNAT2mFTW2ECUFCEysNQvU57El+pFERFh6gMu/lQ2XOWO1JVLVDFbf8HQwLwa6UfcLWsn6VDhErj4vvS+Nm7vUEBawvAcHRptgaI2OCPssqUcJgUYsc0jHYj9Nh5vd2VtZdyD1N70C1+QvGjlhnkZDGHp0s2EjFgrwmPZ5uNYTIZjPFJnjDsUPfxVOxsr0MgXvAdwtIJWQPMpaOyM+PeMNrRt1LF2YliOAtOb6YxJr3CjYultw2BkcgHj4xTlpHVDXEmDxm6watuFuUT4L6uB0bHRjghK2cV3nA+BXCAlRHA26qrhbxhbFawrB7H+Ld5LWN8C33t79qUsJNtI6Lolnq0=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY3PR09MB8131.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 10e90952-65ae-47ae-7c9c-08da06992f92
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Mar 2022 15:33:42.2520 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY3PR09MB7347
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/rKf3p5wZsGLc6eEP55fmllCL_Rw>
Subject: [GROW] ASPA and Route Server (was RE: [Sidrops] IXP Route Server question)
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2022 15:33:58 -0000

Nick (and all),

I was also rereading/reviewing Section 5.3 and had similar thoughts about the two options you outlined. As you noted, "the approach in Section 5.3 gives a workable outcome".  However… 

>... the RS should be treated as a provider by the rs client; the rs client should include the RS ASN in its SPAS; the rs client should evaluate ASPA as if the RS ASN were included in the path; the rs should evaluate clients as customers

Yes, I agree that "the rs client should include the RS ASN in its SPAS." Alexander and I have talked about this, and he mentioned that this would be added to the draft. 

Yes, I also feel that it is a better option that the RS client adds the ASN of the transparent RS to the AS path (for ASPA validation purposes only) and applies the downstream ASPA algorithm. Algorithmically this seems more appropriate. This is also better from a diagnostics point of view (if the need ever arises) because in this approach the relevant ASPA is used for validating the hop from the AS just before the RS to the RS.  

That said, I think there is a bigger issue about transparent RS in the middle of the AS path. Maybe this is what Ben’s question was hinting at. I think you are also raising this issue when you say:

>RSs do not partake in traffic forwarding, so they are not part of the data path between two ASNs; they're only part of the signaling path between the two ASNs.  This is a useful hack from a practical point of view, but it causes algorithmic breakage in places which assume congruency between the data plane and the signaling plane.  One of these places is AS path verification.

> ….ASPA verification should proceed as if the two rs-client ASNs were directly connected and each should treat the other as a provider

Based on the above observations from you, I am proposing the following:

An RS client of an RS (transparent or not) includes the RS AS in their SPAS/ASPA. The RS client also includes in its SPAS/ASPA any AS with whom it connects in the control plane via the RS.

The idea is that a path segment ASx-RS-ASy (where ASx and ASy are RS-clients connected in BGP via the RS) will be always verifiable with this proposal whether or not the RS is transparent. If the ASPAs are created by ASx and ASy per the proposal above, then the ASx-RS-ASy segment will be evaluated as Valid in either direction. I  think this proposal in conjunction with other ideas discussed above takes care of both transparent and non-transparent RSs in the ASPA verification algorithms. Does this seem reasonable?

Thank you.

Sriram

v2.39.1 | Report a Bug | By Email | System Status