Re: [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-validation-signaling-05
Keyur Patel <keyur@arrcus.com> Fri, 11 December 2020 20:09 UTC
Return-Path: <keyur@arrcus.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 756E13A0EA6 for <sidrops@ietfa.amsl.com>; Fri, 11 Dec 2020 12:09:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft1331857.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0C4TVZG8QF1P for <sidrops@ietfa.amsl.com>; Fri, 11 Dec 2020 12:09:05 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-eopbgr760080.outbound.protection.outlook.com [40.107.76.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFB303A0EAA for <sidrops@ietf.org>; Fri, 11 Dec 2020 12:09:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ow5ffkvWNilu9HIE8fqs6mTMusW3OCbsdxMMNUs8SrfD06EuCnfghpexCDkzKI6fjBSYM8XhspUsA0jdZDS8xfx5n83Awcy583TuDi5YJVXXhlSKdqmqiu8IJVH7pOTRWeIwqFwb+iFoJ3UXvSi43svXyVjLAjrbWt7yHgJEG2K2g65hn3b6wXj0M8nGXtPKkqVLp18IuTkMc5x2l9YMfLBNvvLQxVvKRzx/Qw4L0jQdIajad+eg/VpUca9wGniPLg2CwtUhvDtAXBeFpt2xCkt1LCV/4HBwoy4KLsfDhTaDXWlwwolo4jfsopOE+Vmlx/WkK4lw1cInJsAQ0QCVhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=azZPU/fIozeA2LwwRego9sv2piWkSuhL6X0gwc0wizA=; b=C1s6Xr5vpL9WnZfETSeS0xT8RMluGVyI4yaPsOsMqGru8sOGvfik9yQCrFzfszb5U2arCv9zgM50n7Y7ZN+R4TG7iB3uP+AJwjMKTbyNUEOqNmkXEWHjopscqnzwLnyu3lGY5qqnN4zR6Sk7LVfKmmMWvErqGPpf/AmLYSZhVZIE3cK5XNeIeA/hQo4BvtsAiMs4NLGrnVhK4vpkqHPyYOSbGndB7yYtQ2x63ln4lKmw/URunltZaO1CbjZk47mGn+DJg/p+CdcI2vnuhncwkqCms83y0aT26I6Brt8rzTdWTYyYfrZQJSsQeJtJFxgq0eQ4EIA6vcfqFYLW/v10xg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arrcus.com; dmarc=pass action=none header.from=arrcus.com; dkim=pass header.d=arrcus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT1331857.onmicrosoft.com; s=selector2-NETORGFT1331857-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=azZPU/fIozeA2LwwRego9sv2piWkSuhL6X0gwc0wizA=; b=rWQ9IAADOHXKsVk8RB0Aqq+2fZyk9En4BZGCKDfvVhkrNA7MSbrFRFNOaF3astD5GgkhL1pAsHyXlR8uZgTRC/6tXA6xeSYxtX1oN50auS0PE/OvzLWskCqAmVcwYWujVMb5RmardrOy7lMGtj7zqGktqrZoPl66WxLjedTE2rs=
Received: from BYAPR18MB2696.namprd18.prod.outlook.com (2603:10b6:a03:10b::26) by SJ0PR18MB4059.namprd18.prod.outlook.com (2603:10b6:a03:2ed::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.23; Fri, 11 Dec 2020 20:09:04 +0000
Received: from BYAPR18MB2696.namprd18.prod.outlook.com ([fe80::6835:7b3f:491c:74b4]) by BYAPR18MB2696.namprd18.prod.outlook.com ([fe80::6835:7b3f:491c:74b4%4]) with mapi id 15.20.3654.015; Fri, 11 Dec 2020 20:09:04 +0000
From: Keyur Patel <keyur@arrcus.com>
To: Job Snijders <job@ntt.net>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-validation-signaling-05
Thread-Index: AQHWzMrrGv2wDjNKKEmky0li8kGWWqnsHJqAgAW2pIA=
Date: Fri, 11 Dec 2020 20:09:04 +0000
Message-ID: <2E4CC932-4C4C-4BCE-B25D-BB8001E3F583@arrcus.com>
References: <CB44F630-69CB-4F07-840B-6B4482C27632@arrcus.com> <X86Wa3Lf37GjF5Dq@bench.sobornost.net>
In-Reply-To: <X86Wa3Lf37GjF5Dq@bench.sobornost.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.43.20110804
authentication-results: ntt.net; dkim=none (message not signed) header.d=none;ntt.net; dmarc=none action=none header.from=arrcus.com;
x-originating-ip: [70.234.233.187]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ed5db366-2116-4420-1333-08d89e109bdb
x-ms-traffictypediagnostic: SJ0PR18MB4059:
x-microsoft-antispam-prvs: <SJ0PR18MB4059976984A34D75ADDFA0FFC1CA0@SJ0PR18MB4059.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: F++70aQL/hndP6TEUG3YD7wbQpGfboV8wQRx0S/j6uN4DUtaUoyX73ZSzbwjX1+R3AMxFH+8r8Ng2fJVP4S1ukbK8RpmJfveC+J9ZOkIUvEOT/0uqNO2B/9c3SYEjctjis/SCrivyYAG1YuN2gAA3wPJM0mi2XWjF8Zt2kCl/87JwNCAO7OsRVRZzNJZ2sRMqYp9VECrUw5MGzt4ln2lyr9ffkn0L837kjsx3lQ4Mft6fgjyD3Klq2lrQEfaPHt7IAuAz4j4VNFAfbaEET8IG5OmrAyQBZQFczyRahIvA9bJpHSZH2GPZuxPA/E6d/H0nEJMAg0MmprSmO5KPo4O1M4b8Qs99T5atgVO8ygZEvue9Y12+DjEVW5C2rX5FJiZOaF6FcldhbulY2bP3UHnkaBgUgiu0zMKC8Fba3ARGoyVB9kXLE9St+PKkS3yrhrjLKVPH12At085LaPMgDCtAw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR18MB2696.namprd18.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(136003)(39830400003)(366004)(346002)(396003)(66556008)(66574015)(71200400001)(966005)(86362001)(64756008)(478600001)(8676002)(8936002)(83380400001)(5660300002)(2616005)(4326008)(6916009)(6512007)(66946007)(66446008)(26005)(6506007)(33656002)(36756003)(6486002)(76116006)(66476007)(186003)(2906002)(316002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: YzFO4Q9Xr1ggErQ30e7SfsMTnjFbQS2jvUE2pMs9BpUvNoGRuOIZy87BwdvDz+JnjBU36PDr5NBG6FADUS35asv8HnBV0oQG+obPEn79p8+K9lVQ4V0IWKYQNeR66K/YuzDvFMPelYjBLTjkA0W8W4E69SFY/++1YuKY+EH2Hzs/1E8QbX6mqWUnNZdnenmAGphisVZvnMnotblxNrTGvztvJH1hKdn9e4UFKlv7qXELd29Ou1sg2kdY0oI8NU5FzjAn8CzxN83hCnbdfbKyYMsYF8vTqi5CAL4OW7c0EqcfcVui86oKINLg+j8ChmBMATuKBwsUXNPHil3wfdxM1v1pivDbBAtP5abAqANRKUQ+5q8ZKmmN6eDrgHE+WoGbTZag8vVvaryCn2WgVmxcO+p7heylBKh5cqS2kqG3dkn5bqS589p2Wvo8bAdu8B3c9FxxDAfmaFS8OBPTBhwes+/xIrOwYkp5Vrxwwz6bQIG+p2VvW2v+XSD07FXFKhBr8nE3QQqXXdkXwzMPHT0okULCy1OfFI6GFMNzGPClB3bHJsbfFk/QB5mJ/Md5Gje9zC4MQ/odVrlpwYkaRui8+GfM1ubxqnH2hdJ1MbKHNcohLkrb6ciaZlxogeDeSMjMJbqIL3RY+S2OL1N8r6DEa3xzLUsmhgGMpIkvkuRjTyhROqHrXIvEWC1u5f2NIchET7+c1vZeJUsB6ceyJE4/7oj26/yzO9Yvxdyevjc3fPUVIUDSs1TpxOeJMI6da4lCqow1Fk8WPzwnMhibu1qcDt8YY8B7BLY03aTLI5kaiSunrzZQaFlBWbKDpOVxhuCSxnwE22cGEUhI7ChczY6xJpztjbKm+iQUYVWCOuiQUwe0G0cKQ1+BBFOZv6bbAhdUdS/szWUu3pkKnN3FcOlkBPhd/jlhICyRi2HafeZoEd0zGEhHoP36a6tF+XI0CeCYZvdFN9aEE7jwR5Uaz1AwRD+6a/ncQhakD2tWwPBOwgZAbdD0+cml4ViYZy4a9q60
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <F09FF8EB84C07947A9400A98B89D46F9@namprd18.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arrcus.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR18MB2696.namprd18.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ed5db366-2116-4420-1333-08d89e109bdb
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Dec 2020 20:09:04.3057 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 697b3529-5c2b-40cf-a019-193eb78f6820
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: T0cLYmNml7vNDneYIE8L6wi3KUS3qj5XlA4DfH8JAFyPQ69QORNVAcUoxDT6tlG0TvEdhYBMB4YcptCh9UHF8w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR18MB4059
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/0DRYkm3YbIdZAPQNCsJocEmn7Ns>
Subject: Re: [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-validation-signaling-05
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 20:09:08 -0000
Dear Job, Thanks for the comments and the detail review of the draft. Couple points to note: - The working group charter does not require us to have multiple implementations as of now. I do see your email suggesting to improve/modify charter on this topic. - The chairs closed the WGLC for the draft on December 7th 2020. This WGLC was supposed to be closed on October 7th. The authors of the draft believes your comments were addressed. Your email suggests otherwise. The chairs had a quick chat and we believe we can re-open the last call with hopes that you and other working group members can have their comments/concerns addressed. Best Regards, Keyur On 12/7/20, 12:54 PM, "Job Snijders" <job@ntt.net> wrote: Dear Keyur, On Mon, Dec 07, 2020 at 06:58:16PM +0000, Keyur Patel wrote: > This working group last call is closed. Authors have already > incorporated relevant feedback received during the last call and at > this point the draft is ready to progress further. Accordingly we will > prepare a report and forward it to IESG. I really think this is a draft where it will proof to be useful to ask for an implementation report from *at least two* implementations, demonstrating interopability between the two implementations. In this (lengthy, sorry!) email https://mailarchive.ietf.org/arch/msg/sidrops/5-sFl3RCzn7xQ0YFOD31C56Ko4o/ I tried to outline various problems I perceive with the draft in its current form, Oliver replied to all text, but zero changes were made to the document as he disagreed on all points of substance. Oliver claims to have an open source implementation, (which I am happy to believe!), and perhaps there is another implementation written by someone else? Has it been tested how they interact with each other in various configurations? If there is a second implementation, the working group can confirm whether the proposed Internet-Draft text, Oliver's implementation, and the second different implementation are aligned with each other and behave in exactly the way outlined in the document. An implementation report can be as simple as listing all IETF normative terms contained in draft, the line number, and a short comment whether the implementation is compliant (MUST), or an implementation specific choice was made (MAY), or anything else of note. Specifically in this draft, I really see potential for a repeat of the 'IOS XE / origin validated extended communities'-problem that many operators suffered from when they tried to deploy RPKI Origin Validation in the BGP default-free zone, and I do not wish a similar repeat of events upon the BGPSec technology stack! Here is one of many references to the 'standardized' extended rpki origin validation communities causing issues in networks build using multiple BGP implementations, here is one mail thread. This was/is a multi-year problem because of the slow upgrade cycle of field-deployed routers: https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg67710.html I think there is some kind of technology stack layering problem when the state of a route can be manipulated through multiple channels. In this case (1) signaled via BGP community and (2) via signalled via RPKI-To-Router protocol, it can lead to problems for resource holders who are trying to use BGPSec, because there can be situations where their wishes are not expressed in the state of the network because of interference of an unauthenticated BGP communitiy. So far I think some of us (perhaps myself included) have been too focussed mostly on the security aspect (and of course everyone knowns extended BGP communities are not authenticated), but perhaps the *security* aspect of it is not the real problem, the real problem might be how an accidental misimplementation of draft-sidrops-bgpsec-validation-signaling-05 can lead to operators having to turn the feature off in the entire fleet of devices, or roll back the software (be forced to keep running some unwanted version). If you ask anyone in the field about RFC 8097, virtually no operator will tell you that RFC 8097 in any way helped them deploy RPKI Origin Validation at scale (where scale is 100s of routers, multi-country network, multiple vendors). What you *will* hear is that there were interopability issues caused by the very existence of the RFC that caused many people extra work. It also means that everybody now has to test each and every new BGP software version they receive from their vendor on what exactly the behavior is of the proposed bgpsec origin validation signaling draft communities. If this draft is published as RFC, IANA will assign 3 codepoints to be used in some fashion in a generally unauthenticated protocol (BGP), and from that moment all operators doing QA will need to blackbox test the behavior of every BGP implementation they consider, to see if the implementation does not accidentally cause deviation from 'local policy' in any way under any circumstances. Standardizing codepoints to signal cryptographic validation states through unauthenticated channels really causes Internet operators down the road deployment problems, for multiple reasons. Kind regards, Job ps. I once was young and wet behind the ears and endlessly argued how great RFC 7999 was a *great* idea. At the time it really did seem great because DDoS attacks were a big problem, also lots of network operators with a 32-bit had difficulty picking suitable inter-domain BGP values. But in retrospect what I should have advocated for is a 'BLACKHOLE' PKIX-RPKI profile, now realizing that the RPKI via RRDP/RSYNC/RRDPv2 might make for global near real-time public 'routing intention' distribution, really rivaling with the speed at which BGP updates propagate through the Default-Free zone.
- [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-v… Keyur Patel
- Re: [Sidrops] Closed -- [WGLC] draft-sidrops-bgps… Job Snijders
- Re: [Sidrops] Closed -- [WGLC] draft-sidrops-bgps… Keyur Patel