Re: [sidr] WGLC: draft-ietf-sidr-origin-ops

"George, Wes" <> Mon, 31 October 2011 13:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9A83821F8CFC for <>; Mon, 31 Oct 2011 06:53:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.646
X-Spam-Status: No, score=-0.646 tagged_above=-999 required=5 tests=[AWL=0.817, BAYES_00=-2.599, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N9i6wuROJkyf for <>; Mon, 31 Oct 2011 06:53:30 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6289121F8CF5 for <>; Mon, 31 Oct 2011 06:53:29 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.69,432,1315195200"; d="scan'208";a="291525210"
Received: from unknown (HELO ([]) by with ESMTP/TLS/RC4-MD5; 31 Oct 2011 09:49:27 -0400
Received: from ([]) by ([]) with mapi; Mon, 31 Oct 2011 09:53:28 -0400
From: "George, Wes" <>
To: Shane Amante <>, Randy Bush <>
Date: Mon, 31 Oct 2011 09:53:27 -0400
Thread-Topic: [sidr] WGLC: draft-ietf-sidr-origin-ops
Thread-Index: AcyXjNrgiF+Gy75TRJWd7RU7BsN3FAARLCdA
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-origin-ops
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 31 Oct 2011 13:53:30 -0000

Randy, I think I know why you keep calling me Shane - we tend to raise similar concerns on your drafts ;-)

See also
Shane articulates it better, but consider this a +1 on his comments regarding the -12 proposed text. The only other place I could see this background info being is in the design rationale draft, which could then be referenced from this document. Otherwise, this is critical guidance for operators trying to determine the best way to implement this in their networks.

Ditto for the 4-6 hour recommendation and Danny's comments. Rationale, please.


> >> 3)  Granted, the following text is only a "SHOULD", but the text
> offers no reasoning as to why caches should be placed close to routers,
> i.e.: are there latency concerns (for the RPKI <-> cache protocol), or
> is it that a geographically distributed system is one way to avoid a
> single-point-of-failure, or something else entirely?  As a start, just
> defining "close" would help, e.g.: same POP, same (U.S.) state, same
> country, same timezone ... but, then a statement as to any latency or
> resiliency requirement for geographic deployment of RPKI caches wold be
> useful.
> >
> > we tried to go down this path and found it just got more and more
> > complex with no real improvement.  you probably want them in some
> > diameter of transport trust.  you probably want them in some diameter
> > of routing bootstrap reach.  you probably want them with reasonable
> > latency characteristics.  and there are probably more concerns.
> > that's why you get the big bucks. :)
> I'm more concerned for the 100's or 1000's of engineers that were not
> participating in this initial development effort and will be left
> wondering what, at a high-level, the thinking/background/concerns were
> that went into these guidelines.  With that information, future
> engineers can then weigh those criteria for themselves to decide if
> they are applicable to their environment, how they are applicable to
> their environment, etc.
> Remember, ultimately what you're laying out here is going to be read by
> engineers who are going to look at buying actual server HW, and network
> ports to attach them to, to set-up an RPKI in their network.  The more
> background material you give them the more confident they will be on
> putting together a budget estimate to start such a project ...
> >    <t>As RPKI-based origin validation relies on the availability of
> >      RPKI data, operators SHOULD locate caches close to routers that
> >      require these data and services.  'Close' is, of course,
> complex.
> >      One should consider trust boundaries, routing bootstrap
> >      reachability, latency, etc.</t>
> While I appreciate the attempt, I don't think the above satisfies my
> concern.  What 'trust boundaries' are you referring to, e.g.: within
> your ASN, not within your ASN but within your organization or
> neither/other?  With respect to latency, is what you're attempting to
> say that it's recommended to engineer for a high BW x low delay
> product, in order to achieve fast xfers of data between RPKI caches and
> also data between the RPKI cache to the routers?  If so, then aren't
> you conceding that low latency is necessary in order to _strive_ to
> attain "good [enough]" synchronization between all RPKI caches in the
> network so that 'new' RPKI data that affects BGP policy gets uniformly
> applied across all routers in the network at roughly the same time?

This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.