Re: [sidr] Request for WG Last Call for draft-ietf-sidr-bogons-02.txt and draft-ietf-sidr-roa-validation-01.txt
Stephen Kent <kent@bbn.com> Wed, 03 December 2008 00:24 UTC
Return-Path: <sidr-bounces@ietf.org>
X-Original-To: sidr-archive@megatron.ietf.org
Delivered-To: ietfarch-sidr-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 50E7D28C227; Tue, 2 Dec 2008 16:24:25 -0800 (PST)
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 86B6928C20D for <sidr@core3.amsl.com>; Tue, 2 Dec 2008 16:24:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.574
X-Spam-Level:
X-Spam-Status: No, score=-2.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4NZrF2RVDKrs for <sidr@core3.amsl.com>; Tue, 2 Dec 2008 16:24:23 -0800 (PST)
Received: from mx11.bbn.com (mx11.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id 932A728C207 for <sidr@ietf.org>; Tue, 2 Dec 2008 16:24:23 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[69.58.70.106]) by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1L7fXL-0007gK-Fp; Tue, 02 Dec 2008 19:24:16 -0500
Mime-Version: 1.0
Message-Id: <p06240501c55b5d22b2c5@[69.58.70.106]>
In-Reply-To: <BEA2AFBC-3315-4ECB-95C2-FB515C6ED01E@apnic.net>
References: <C5521DCD.5484%andy@arin.net> <p06240501c559c1c219eb@[128.89.89.227]> <BEA2AFBC-3315-4ECB-95C2-FB515C6ED01E@apnic.net>
Date: Tue, 02 Dec 2008 19:24:12 -0500
To: Geoff Huston <gih@apnic.net>
From: Stephen Kent <kent@bbn.com>
Cc: sidr@ietf.org
Subject: Re: [sidr] Request for WG Last Call for draft-ietf-sidr-bogons-02.txt and draft-ietf-sidr-roa-validation-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: sidr-bounces@ietf.org
Errors-To: sidr-bounces@ietf.org
At 6:59 AM +1100 12/2/08, Geoff Huston wrote: >WG Hair hat OFF > >Hi Steve, > >What I _think_ you describes as the "ROA use convention" is the use >of a ROA with an AS of 0 to act as an explicit denial in terms of >saying "these prefixes are bogons". I could be wrong in my >understanding of course. I would not use the term "bogons" right now, given the debate about the meaning. The intent of the AS 0 ROA convention is to make an assertion that can be verified within the RPKI and which gives a relying party a basis for rejecting unverified assertions about routes for the prefix(es) in question. >I must admit that right now I don't think I understand your proposed >"ROA use convention" clearly enough to agree with your assertion > >The BOA Approach: > >The BOA document is coupled with the ROA validation document so that >the ROA interpretation and the BOA interpretation are explicitly >described. in this context the ROA does NOT act with a double >meaning - it is an explicit authority without any implicit negation >connotations. While it is fair to say that issuing an AS 0 ROA is intended to convey a special meaning, the processing of such a ROA is exactly the same as for any other ROA. So I hesitate to use the phrase "double meaning" even though I am sympathetic with your use of that term. >The presence of a ROA does not act as a form of negation of any >other form of route origination. The BOA has no max length attribute >- any more specific of any prefix described in the BOA is >encompassed in the BOA. > >The "ROA use convention": > >This "ROA use convention" has me confused. In particular my >confusion lies in the following areas: > > 1. Does a 'convention ROA' has any implicit denial associated with >it, or is it a simple positive assertion as described above? An AS 0 ROA is a positive assertion about the prefixes expressed in it, as far as RP software is concerned. The "feature" of this assertion is that, any unauthenticated assertions about the prefixes should be rejected in favor of this verifiable ROA (assuming that the ROA was signed by an entity that holds the prefixes in question). In saying that I am making some assumptions about how ROs use ROAs, and Danny has argued that we need to be more precise about such assumptions. I see the AS 0 ROA as a valuable tool to deal with unallocated and reserved address space, during the very long period when relying parties will see a mix of verifiable and unverifiable assertions about route origination. I have not thought so much about the utility of this capability in a fully deployed system. I also did not consider assertions about AS numbers, a feature of BOAs. > 2. How should a ROA with a AS value of 0 and a maxlength attribute >be interpreted. > Does a ROA for prefix=10.0.0.0/8 maxlength=8, AS=0 say >anything at all about 10.0.0.0/9? To prevent unauthenticated assertions about all more specific prefixes from being accepted, the max length would have to be 32. Otherwise, an unauthenticated assertion about a longer prefix would not be "trumped" by the AS 0 ROA. >So if you don't mind I'll reserve judgement on your question and >observe that while the BOA adds a further object to the repertoire >of 'recognised' RPKI signed objects, it does so in a manner that >makes negation explicit, does not rely on variable interpretation of >ROAs, does not stretch the ROA semantics beyond the simple positive >authority to as AS to originate a route and allows for incremental >piecemeal deployment in the network. I admit that the AS 0 convention is a way of expressing a negative assertion about resources under the control of the ROA signer. However, I think the fact that this mechanism does not create a new type of sighed object, and requires no new processing, makes it worthwhile to consider. Steve _______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
- [sidr] Request for WG Last Call for draft-ietf-si… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… George Michaelson
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Terry Manderson
- Re: [sidr] Request for WG Last Call for draft-iet… George Michaelson
- Re: [sidr] Request for WG Last Call for draft-iet… Andy Newton
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Andy Newton
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Samuel Weiler
- Re: [sidr] Request for WG Last Call for draft-iet… ksriram
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Andy Newton
- Re: [sidr] Request for WG Last Call for draft-iet… ksriram
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… George Michaelson
- Re: [sidr] Request for WG Last Call for draft-iet… Roque Gagliano
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Sandra Murphy
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Roque Gagliano
- Re: [sidr] Request for WG Last Call for draft-iet… Sandra Murphy
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… Andy Newton
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… George Michaelson
- Re: [sidr] Request for WG Last Call for draft-iet… Robert Loomans
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… Sandra Murphy
- Re: [sidr] Request for WG Last Call for draft-iet… Terry Manderson
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Andrew Partan
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Terry Manderson
- Re: [sidr] Request for WG Last Call for draft-iet… George Michaelson
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… George Michaelson
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… George Michaelson
- Re: [sidr] Request for WG Last Call for draft-iet… Terry Manderson
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call for draft-iet… Terry Manderson
- Re: [sidr] Request for WG Last Call for draft-iet… Sandra Murphy
- Re: [sidr] Request for WG Last Call for draft-iet… George Michaelson
- Re: [sidr] Request for WG Last Call for draft-iet… Stephen Kent
- Re: [sidr] Request for WG Last Call for draft-iet… Stephen Kent
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Sandra Murphy
- Re: [sidr] Request for WG Last Call for draft-iet… Randy Bush
- Re: [sidr] Request for WG Last Call fordraft-ietf… Pradosh Mohapatra (pmohapat)
- Re: [sidr] Request for WG Last Call fordraft-ietf… Randy Bush
- Re: [sidr] Request for WG Last Call fordraft-ietf… Pradosh Mohapatra (pmohapat)
- Re: [sidr] Request for WG Last Call fordraft-ietf… Randy Bush
- Re: [sidr] Request for WG Last Call fordraft-ietf… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call for draft-iet… Danny McPherson
- Re: [sidr] Request for WG Last Call fordraft-ietf… Danny McPherson
- Re: [sidr] Request for WG Last Call fordraft-ietf… Pradosh Mohapatra (pmohapat)
- Re: [sidr] Request for WG Last Call fordraft-ietf… Geoff Huston
- Re: [sidr] Request for WG Last Call fordraft-ietf… Pradosh Mohapatra (pmohapat)
- Re: [sidr] Request for WG Last Call fordraft-ietf… Geoff Huston
- Re: [sidr] Request for WG Last Call for draft-iet… Sandra Murphy
- Re: [sidr] Request for WG Last Call fordraft-ietf… Sandra Murphy
- Re: [sidr] Request for WG Last Call fordraft-ietf… Sandra Murphy
- Re: [sidr] Request for WG Last Call for draft-iet… Stephen Kent
- Re: [sidr] Request for WG Last Call for draft-iet… Andrew Newton
- Re: [sidr] Request for WG Last Call for draft-iet… Stephen Kent
- Re: [sidr] Request for WG Last Call for draft-iet… Andrew Newton
- Re: [sidr] Request for WG Last Call for draft-iet… Stephen Kent