Re: [Sidrops] Path validation with RPKI

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Thu, 27 June 2019 22:53 UTC

From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Iljitsch van Beijnum <iljitsch@muada.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Date: Thu, 27 Jun 2019 22:53:09 +0000
Message-ID: <DM6PR09MB3019C087BDBE27633C6641F584FD0@DM6PR09MB3019.namprd09.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/ioXtlwDISuKy9slk9s1EV9c_8nQ>

Iljitsch,

Just in case you are not aware, there is another effort in the GROW WG 
for route leaks solution:
https://tools.ietf.org/html/draft-ietf-grow-route-leak-detection-mitigation-00

You mention, "We implement this by extending RPKI ROAs so that 
in addition to the origin AS, they also list all possible transit ASes."
The idea of "extended ROA" was considered during BGPsec 
design discussions. See Section 6.5.2, list item #3 in RFC 8374:
https://tools.ietf.org/html/rfc8374
The extended ROA was proposed to include the transit AS of the origin AS.
The purpose was to make it easier for resource-constrained stub ASes 
to participate in BGPsec without incurring the upgrade costs.

In your design, you seem to include in the ROA a sequence AS1, AS2, AS3, ... where
AS1 is the origin AS, AS2 is transit of AS2, AS3 is transit of AS3, etc. Is that right?
Prefix owner may know the origin AS (AS1) and one level higher transit AS (AS2).
But they would typically not know the transit ASes further up in the hierarchy.
Does that pose a challenge for your design?

Sriram
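As an added illustration of the question raised in this message (not code from the quoted proposal, the GROW draft, or anyone in this thread), the following Python models a path check against a hypothetical "extended ROA" that lists transit ASes, and contrasts a strict mode (every upstream AS must be listed) with a first-hop mode (only the transit adjacent to the origin must be listed). The `ExtendedRoa` format, the two modes, and the AS numbers and prefix are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import groupby
from typing import Sequence


@dataclass(frozen=True)
class ExtendedRoa:
    # Hypothetical "extended ROA": an ordinary ROA plus the transit ASes the
    # prefix holder vouches for. Field names are assumptions for this example.
    prefix: str
    origin_as: int
    transit_ases: frozenset


def _dedupe_prepends(as_path: Sequence[int]) -> list:
    # Collapse AS path prepending (e.g. 64501 64501 64501) to a single hop
    # so that repeated origin or transit ASNs are not counted as extra levels.
    return [asn for asn, _ in groupby(as_path)]


def validate_path(roa: ExtendedRoa, as_path: Sequence[int], strict: bool) -> tuple:
    """Check a received AS_PATH (leftmost = neighbour, rightmost = origin).

    strict=True : every AS upstream of the origin must appear in the ROA's
                  transit list (the "list all possible transit ASes" reading).
    strict=False: only the AS adjacent to the origin must be listed, since a
                  prefix holder typically knows just its first-level transit.
    Returns (state, reason) with state "valid" or "invalid".
    """
    path = _dedupe_prepends(as_path)
    if not path:
        return "invalid", "empty AS_PATH"
    if path[-1] != roa.origin_as:
        return "invalid", f"origin AS {path[-1]} does not match ROA origin {roa.origin_as}"
    upstream = path[:-1]
    if not upstream:
        return "valid", "prefix received directly from the origin"
    first_hop = upstream[-1]  # the transit AS adjacent to the origin
    if first_hop not in roa.transit_ases:
        return "invalid", f"first-level transit AS {first_hop} not authorised by ROA"
    unlisted = [asn for asn in upstream[:-1] if asn not in roa.transit_ases]
    if strict and unlisted:
        # Legitimate upper-tier transits the prefix holder never knew about
        # are rejected here: this is the gap the message asks about.
        return "invalid", f"upper-level transit ASes {unlisted} not covered by ROA"
    return "valid", "path consistent with ROA"


# Constructed sample: stub origin 64501 knows only its upstream 64502.
ROA = ExtendedRoa("192.0.2.0/24", 64501, frozenset({64502}))
```

Running `validate_path(ROA, [64505, 64503, 64502, 64501], strict=True)` rejects a path that is perfectly legitimate from the stub's point of view, whereas the same path passes with `strict=False`, while a path whose first-level transit is not 64502 is rejected in both modes.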