IETF Logo Mail Archive

Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-opsawg-finding-geofeeds-06

Randy Bush <randy@psg.com> Wed, 05 May 2021 15:32 UTC

Return-Path: <randy@psg.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A90C23A157F; Wed, 5 May 2021 08:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1mc3B3kHyryB; Wed, 5 May 2021 08:32:49 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0DCF3A14C2; Wed, 5 May 2021 08:32:35 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1leJVn-0001QA-Hx; Wed, 05 May 2021 15:32:31 +0000
Date: Wed, 05 May 2021 08:32:28 -0700
Message-ID: <m21ralnqlv.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Kyle Rose <krose@krose.org>
Cc: Russ Housley <housley@vigilsec.com>, Last Call <last-call@ietf.org>, Ops Area WG <opsawg@ietf.org>, draft-ietf-opsawg-finding-geofeeds.all@ietf.org, IETF SecDir <secdir@ietf.org>
In-Reply-To: <CAJU8_nXym=0LtCv4Gw5W2vRWmWrQWUjqVf0f0Oj7VbBOGHtdSw@mail.gmail.com> <CAJU8_nUyFwoC4K3L-J-1sxzgrstSTa8qypxBsCYz-R41+w1cSg@mail.gmail.com>
References: <161969840202.30267.8231145700644479792@ietfa.amsl.com> <m21rasx3tc.wl-randy@psg.com> <CAJU8_nW2aA1SFjeAwzK+CYHPyQqJHLKYu3J9H91NpYfqhTYBWA@mail.gmail.com> <809A05C9-8ABD-4D63-970D-D3F8A2277F28@vigilsec.com> <CAJU8_nX-Timmuvv=vBpgXHYnbCLAd2ug-=BLy_Xp08ehLkGv9w@mail.gmail.com> <F6F67CB5-C824-4DA7-A85E-06EB4EBAD101@vigilsec.com> <CAJU8_nXr9MVefjgNxatfuAEWrvp+TzwLN3zGO8TVRmDJxTEoSQ@mail.gmail.com> <BF277402-4404-4D0D-9027-826C169E1A6F@vigilsec.com> <CAJU8_nUE3qTmRmyE3=88DzzyXbYdvq7-aceNV=bgrMUSv4W1kw@mail.gmail.com> <m24kfhnt3g.wl-randy@psg.com> <CAJU8_nXym=0LtCv4Gw5W2vRWmWrQWUjqVf0f0Oj7VbBOGHtdSw@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LpFM_6MjmzcRhXnILk9jtwiDtuE>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-opsawg-finding-geofeeds-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2021 15:32:55 -0000

[ excuse typos; minor hand surgery ]

> Aren't the valid ranges for an AS specified in the RPKI-protected
> routing data feed (where RPKI is available)?

not really, on a number of dimensions

first, have a look at draft-ietf-sidrops-rpki-has-no-identity

i suggest we not drag ASs into this; they are orthogonal to address
space ownership.  e.g. someone owns a /24, but creates a ROA to
authorize AS42, their upstream, to actually originate the prefix.

i.e. ASs do not 'own' address space, the RPKI enables, through ROAs, for
address space owners to authorize ASs to announce a (possibly improper)
subset of the owner's address space.

and inetnum:s are quite disjoint from ASs.  heck, i have loaned
198.133.206.0/24 to be used by a north macedonian exchange point (not
joking).

also, neither the RPSL nor the RPKI invert to enumerate the address
space announced by an AS.  operators and researchers use the current bgp
tables from routers, route views, or ripe/ris if we want today's map.

> How does a client know that an IP range specified in the geodata feed
> is valid under a given RPKI signature?

the rpki is formally authoritative for ip space ownership.  in a sense,
the rpki was created to rigorously fill the gap left by the lack of
authenticity of RPSL.

the signature in the geofeed file can be 3779 validated to the trust
anchor of the RIR (it should be to the IANA, but the RIRs are at war
with the IANA).  and the IANA is the ultimate authority for address
space, and through it the RIRs.

> I.e., that the given AS has authority over that IP range?

again, let's not drag ASs in here.  they are not ip space owners.

the complexity of this space is embarrassing.  sorry.  i hope this
helps.  willing to chat on zoom or whatever.

randy

v2.23.0 | Report a Bug | By Email