Re: [sidr] Request for WG Last Call for draft-ietf-sidr-bogons-02.txt and draft-ietf-sidr-roa-validation-01.txt

[Sandra Murphy <sandy@sparta.com>]

On Mon, 1 Dec 2008, Danny McPherson wrote:

>
> On Dec 1, 2008, at 4:12 PM, Sandra Murphy wrote:
>> 
>> The issue in incremental deployment is not what the people who haven't 
>> deployed it should do but what the people who DO deploy it should do. What 
>> do the people who DO understand ROAs(and BOAs) do when they see something 
>> unsecured - it might be legit, just not produced by someone who understands 
>> ROAs(BOAs).
>
> Right, but if the owner also published a BOA about who they
> should not accept it from - what's the value add for those
> who have deployed it again?  They can say, ohh, there's a ROA
> for AS 1 to originate 10.0.0.0/8.  They also published a BOA
> for AS2 to originate 10.0.0.0/16.  So, what's that mean to me
> since I deployed it?  Accept 10.0.0.0/8 only from AS 1.  I'm
> not going to put a policy in my router that says AND accept
> it from anyone else, or any more specific, except AS 2.  Tracking
> those BOAs is costing money (hardware, time, complexity) and
> there is no added benefit.

Danny, BOAs don't say "don't accept 10/8 from AS2".  They say "don't 
accept any advertisement for 10/8".

>
>>> I still don't by it..  As an operator, you tell me who is authorized
>>> to originate and that's the only origin AS I accept.  That's easier to
>>> configure in a router, requires less objects in the RPKI, and makes life
>>> much simpler.
>> 
>> So it seems you are in the "and that's all" camp in interpreting ROAs, 
>> right?
>
> No, I'm in the "show-me-how-to-configure-this-in-a-router-and-
> convince-me-that-all-the-complexity-and-added-infrastructure-is
> worth-the-investment-when-I'm-pretty-sure-I'd-be-just-as-happy
> with-an-'explicit accept'='implicit deny'-model-like-all-my-other-
> security-policies" camp.

I was trying to guess what you think a ROA means.  Your previous 
statements and this statement make it sound like you think a prefix holder 
will sign ROAs for every and all ASs that are allowed to advertise the 
prefix, so signing ROAs means "these ASs are allowed to announce the 
prefic -- and that's all".  Those configuring their routers use that 
semantics to decide what to configure.

If you think that a set of ROAs means "these ASs are allowed to announce 
the prefix, but not necessarily only these ASs", then router configuration 
goes differently.

We are presently working out how the meaning of these ROAs results in 
router configuration.

If you have ideas of how the configuration would happen, it would be 
valuable for us to hear them.

>
> I'm certain that if more people who are supposed to deploy this
> stuff were paying attention they'd be making the same arguments,
> but they're not, and so we need to give heavy consideration to this.
>
>> Does your answer assume operators are using ROAs to produce route filters?
>
> Maybe.
>
>> Does your answer change if operators are using ROAs in the decision 
>> procedure, as presented at the last meeting?
>
>
> Maybe.

I presume there's a smilie in there.  So when you figure it out, you'll 
let us know, right?  :-)


--Sandy


>
> -danny
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr