IETF Logo Mail Archive

Re: [sidr] Request for WG Last Call for draft-ietf-sidr-bogons-02.txt and draft-ietf-sidr-roa-validation-01.txt

Andrew Newton <andy@hxr.us> Fri, 12 December 2008 19:31 UTC

Return-Path: <sidr-bounces@ietf.org>
X-Original-To: sidr-archive@megatron.ietf.org
Delivered-To: ietfarch-sidr-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E8D13A698A; Fri, 12 Dec 2008 11:31:20 -0800 (PST)
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D8F5F3A6B03 for <sidr@core3.amsl.com>; Fri, 12 Dec 2008 11:31:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OguTfHxhidTv for <sidr@core3.amsl.com>; Fri, 12 Dec 2008 11:31:18 -0800 (PST)
Received: from zeke.ecotroph.net (zeke.ecotroph.net [70.164.19.155]) by core3.amsl.com (Postfix) with ESMTP id ED0333A698A for <sidr@ietf.org>; Fri, 12 Dec 2008 11:31:17 -0800 (PST)
Received: from zx80.arin.net ([::ffff:192.136.136.49]) (AUTH: PLAIN anewton, SSL: TLSv1/SSLv3,128bits,AES128-SHA) by zeke.ecotroph.net with esmtp; Fri, 12 Dec 2008 14:31:10 -0500 id 01588112.4942BBFE.0000189E
Message-Id: <E485B444-95DA-4FC5-8A4B-D044F2C10F97@hxr.us>
From: Andrew Newton <andy@hxr.us>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <p06240800c56836ccc2af@[128.33.244.160]>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Fri, 12 Dec 2008 14:31:10 -0500
References: <C5521DCD.5484%andy@arin.net> <p06240501c559c1c219eb@[128.89.89.227]> <BEA2AFBC-3315-4ECB-95C2-FB515C6ED01E@apnic.net> <p06240501c55b5d22b2c5@[69.58.70.106]> <3998050D-E54A-4F8B-8D18-0AAB55956879@hxr.us> <p06240800c56836ccc2af@[128.33.244.160]>
X-Mailer: Apple Mail (2.929.2)
Cc: sidr@ietf.org
Subject: Re: [sidr] Request for WG Last Call for draft-ietf-sidr-bogons-02.txt and draft-ietf-sidr-roa-validation-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: sidr-bounces@ietf.org
Errors-To: sidr-bounces@ietf.org

On Dec 12, 2008, at 10:52 AM, Stephen Kent wrote:

> Andy,
>
> Your characterization is good paraphrase of my comments at the mic.  
> In fairness to Geoff's BOA proposal, my ROA As 0 convention is not  
> as powerful, in that it has no provisions for making a negative  
> assertion about AS numbers.
>
> If I were a registry (or an ISP) making use of the AS 0 ROA  
> approach, I would issue one EE cert and one associated ROA )covering  
> all of the unallocated space that I hold). The EE cert would have a  
> lifetime consistent with the time I take to respond to allocation  
> requests, maybe on 1-day lifetime. That way I would not have to put  
> the EE cert on a CRL when a new AS 0 ROA was issued; I'd just be  
> issuing one new cert and one new ROA every day. Since it is probably  
> good practice to issue a CRL every day, the set of objects published  
> by the registry/ISP would have to change that frequently anyway, so  
> this is not much of a new burden, (e.g., the manifest has to change  
> whenever a new CRL is issued).
>
> I also note that even if we don't adopt AS 0 ROAs as a recognized  
> way to make this sort of assertion, any ROA issuer can use it  
> anyway, either explicitly or via analogous means :-).
>
> Steve

Steve,

Thanks for the information.  That was very helpful.

As to the use of a negative attestation (be it BOA or AS 0 ROA) by a  
registry, that will most likely be decided by policy in my opinion.   
But I do believe there are operational differences between the two  
approaches.

A 1 day lifetime is reasonable during the working week, but weekends  
and holidays are a different story.  And often times those weekends  
are used for maintenance windows.  Additionally, there are exception  
cases were allocations need to be updated urgently and then there are  
trouble shooting events... in both these situations an AS 0 ROA acts  
like an another moving part that needs to be double checked whereas a  
BOA requires less care and maintenance.  From my perspective, a BOA  
seems less error prone should negative attestations be desired.

I think there is also another angle to the adoption issue that needs  
consideration.  As I stated, I do not know if negative attestations  
will be immediately adopted and at what level.  But let's hypothesize  
about a community that adopts RPKI and does not use them.  And then, 5  
years after adoption they determine that such a thing is needed.  To  
get them, there would be a need to cycle back through the standards  
track and software adoption curve.  It seems better to have BOAs in  
the standard now and have them ignored then to have to iterate through  
another standards & software adoption process.

-andy

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email