[Idr] Re: I-D Action: draft-ietf-idr-deprecate-as-set-confed-set-15.txt

Claudio Jeker <cjeker@diehard.n-r-g.com> Thu, 29 August 2024 09:22 UTC

Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 887A7C14F699 for <idr@ietfa.amsl.com>; Thu, 29 Aug 2024 02:22:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.208
X-Spam-Level:
X-Spam-Status: No, score=-4.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vVXePKG5k975 for <idr@ietfa.amsl.com>; Thu, 29 Aug 2024 02:22:03 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB2A0C14F5FC for <idr@ietf.org>; Thu, 29 Aug 2024 02:22:01 -0700 (PDT)
Received: (qmail 59727 invoked by uid 1000); 29 Aug 2024 09:21:59 -0000
Date: Thu, 29 Aug 2024 11:21:58 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Message-ID: <ZtA9tsceQcRPqAsj@diehard.n-r-g.com>
References: <172409169774.1909130.7745685666245560135@dt-datatracker-6df4c9dcf5-t2x2k> <ZsSaLa0WH8tGu5rY@diehard.n-r-g.com> <BDDB8EC7-9883-4769-AA8D-7E1DC3130A7F@pfrc.org> <Zs8hiBX9Y8slMnpU@diehard.n-r-g.com> <F55EBF5B-D150-44D0-B656-698B0978619D@pfrc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <F55EBF5B-D150-44D0-B656-698B0978619D@pfrc.org>
Message-ID-Hash: ZD4CUJKQHMGO7HEW3AUZ4XTDDC3TUWE7
X-Message-ID-Hash: ZD4CUJKQHMGO7HEW3AUZ4XTDDC3TUWE7
X-MailFrom: cjeker@diehard.n-r-g.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-idr.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: idr@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Idr] Re: I-D Action: draft-ietf-idr-deprecate-as-set-confed-set-15.txt
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/je9kblNOjP5icoRMIFYbH1s3JxI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Owner: <mailto:idr-owner@ietf.org>
List-Post: <mailto:idr@ietf.org>
List-Subscribe: <mailto:idr-join@ietf.org>
List-Unsubscribe: <mailto:idr-leave@ietf.org>

On Wed, Aug 28, 2024 at 11:20:14AM -0400, Jeffrey Haas wrote:
> Claudio,
> 
> 
> > On Aug 28, 2024, at 9:09 AM, Claudio Jeker <cjeker@diehard.n-r-g.com> wrote:
> >> 
> >> Speaking for myself but nodding toward my chair hat, I don't know that
> >> we can ever do that.  You can proclaim all you want that "we'll never do
> >> 2 byte" but implementations will still need to deal with as4-path for
> >> time to come.
> > 
> > Nodding towards your chair hat, it would be good if IDR had a plan to
> > finish this transition in finite time. Other security critical protocols
> > realized that and started to deprecate a lot of old features. Just look at
> > how SSH and SSL/TLS do that.
> 
> The likely answer there is "bgp-5".

This sounds like the answer is "IPv6".
 
> You'll note a trend in some of the list discussion about the impacts of
> various transition and scoping mechanisms are happening partly to
> describe issues with bgp-4 and what we can do about those.
> 
> We might successfully evolve a set of mechanisms that avoid the version
> bump.  We've done so successfully for years.  We'll see.
> 
> 
> > I know it will take time but by having a plan and a clear goal will give
> > vendors an incentive to finally priorize RFC6738 support in their roadmap.
> 
> If this isn't a typo, I'm unclear how this specific IKEv2 mechanism
> addresses the IP routing bootstrapping issues identified by the KARP
> working group some years ago.

Yes this was a tyop and off by one all at once.
 
> >> That said, as a vendor, I'm happy to support knobs that say "don't let
> >> peering come up unless 4-byte is negotiated".  Sadly, we have knobs that
> >> do the opposite.
> > 
> > We implemented that exactly for this reason. Someone needs to start doing
> > this and put light pressure onto all those systems that did not update
> > their BGP implementation in the last 10+ years.
> > Also everyone should default to 4byte sessions by default (it seems that
> > is still not the case).
> 
> The short form of this is when implementations start deleting 2-byte
> capable code and don't permit sessions to come up without the 4byte
> capability, you'll have achieved your victory condition.
> 
> Go forth and do so in your stack. :-)

I think this comment is not helpful.

Just to be clear our stack enables 4-byte AS support by default on all
session since 2009. Lately we added a config option to enforce it and
at some point I will make the enforcement the default and have users
explicitly disable 4-byte AS support for those last few sessions that
need it. In most cases sessions negotiate down to 2-byte for no good
reason apart from bad config settings.

What are your stacks doing? Isn't it time to follow our footsteps?

-- 
:wq Claudio