Re: [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-validation-signaling-05

Keyur Patel <keyur@arrcus.com> Fri, 11 December 2020 20:09 UTC

Return-Path: <keyur@arrcus.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 756E13A0EA6 for <sidrops@ietfa.amsl.com>; Fri, 11 Dec 2020 12:09:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft1331857.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0C4TVZG8QF1P for <sidrops@ietfa.amsl.com>; Fri, 11 Dec 2020 12:09:05 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-eopbgr760080.outbound.protection.outlook.com [40.107.76.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFB303A0EAA for <sidrops@ietf.org>; Fri, 11 Dec 2020 12:09:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ow5ffkvWNilu9HIE8fqs6mTMusW3OCbsdxMMNUs8SrfD06EuCnfghpexCDkzKI6fjBSYM8XhspUsA0jdZDS8xfx5n83Awcy583TuDi5YJVXXhlSKdqmqiu8IJVH7pOTRWeIwqFwb+iFoJ3UXvSi43svXyVjLAjrbWt7yHgJEG2K2g65hn3b6wXj0M8nGXtPKkqVLp18IuTkMc5x2l9YMfLBNvvLQxVvKRzx/Qw4L0jQdIajad+eg/VpUca9wGniPLg2CwtUhvDtAXBeFpt2xCkt1LCV/4HBwoy4KLsfDhTaDXWlwwolo4jfsopOE+Vmlx/WkK4lw1cInJsAQ0QCVhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=azZPU/fIozeA2LwwRego9sv2piWkSuhL6X0gwc0wizA=; b=C1s6Xr5vpL9WnZfETSeS0xT8RMluGVyI4yaPsOsMqGru8sOGvfik9yQCrFzfszb5U2arCv9zgM50n7Y7ZN+R4TG7iB3uP+AJwjMKTbyNUEOqNmkXEWHjopscqnzwLnyu3lGY5qqnN4zR6Sk7LVfKmmMWvErqGPpf/AmLYSZhVZIE3cK5XNeIeA/hQo4BvtsAiMs4NLGrnVhK4vpkqHPyYOSbGndB7yYtQ2x63ln4lKmw/URunltZaO1CbjZk47mGn+DJg/p+CdcI2vnuhncwkqCms83y0aT26I6Brt8rzTdWTYyYfrZQJSsQeJtJFxgq0eQ4EIA6vcfqFYLW/v10xg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arrcus.com; dmarc=pass action=none header.from=arrcus.com; dkim=pass header.d=arrcus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT1331857.onmicrosoft.com; s=selector2-NETORGFT1331857-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=azZPU/fIozeA2LwwRego9sv2piWkSuhL6X0gwc0wizA=; b=rWQ9IAADOHXKsVk8RB0Aqq+2fZyk9En4BZGCKDfvVhkrNA7MSbrFRFNOaF3astD5GgkhL1pAsHyXlR8uZgTRC/6tXA6xeSYxtX1oN50auS0PE/OvzLWskCqAmVcwYWujVMb5RmardrOy7lMGtj7zqGktqrZoPl66WxLjedTE2rs=
Received: from BYAPR18MB2696.namprd18.prod.outlook.com (2603:10b6:a03:10b::26) by SJ0PR18MB4059.namprd18.prod.outlook.com (2603:10b6:a03:2ed::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.23; Fri, 11 Dec 2020 20:09:04 +0000
Received: from BYAPR18MB2696.namprd18.prod.outlook.com ([fe80::6835:7b3f:491c:74b4]) by BYAPR18MB2696.namprd18.prod.outlook.com ([fe80::6835:7b3f:491c:74b4%4]) with mapi id 15.20.3654.015; Fri, 11 Dec 2020 20:09:04 +0000
From: Keyur Patel <keyur@arrcus.com>
To: Job Snijders <job@ntt.net>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-validation-signaling-05
Thread-Index: AQHWzMrrGv2wDjNKKEmky0li8kGWWqnsHJqAgAW2pIA=
Date: Fri, 11 Dec 2020 20:09:04 +0000
Message-ID: <2E4CC932-4C4C-4BCE-B25D-BB8001E3F583@arrcus.com>
References: <CB44F630-69CB-4F07-840B-6B4482C27632@arrcus.com> <X86Wa3Lf37GjF5Dq@bench.sobornost.net>
In-Reply-To: <X86Wa3Lf37GjF5Dq@bench.sobornost.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.43.20110804
authentication-results: ntt.net; dkim=none (message not signed) header.d=none;ntt.net; dmarc=none action=none header.from=arrcus.com;
x-originating-ip: [70.234.233.187]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ed5db366-2116-4420-1333-08d89e109bdb
x-ms-traffictypediagnostic: SJ0PR18MB4059:
x-microsoft-antispam-prvs: <SJ0PR18MB4059976984A34D75ADDFA0FFC1CA0@SJ0PR18MB4059.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: F++70aQL/hndP6TEUG3YD7wbQpGfboV8wQRx0S/j6uN4DUtaUoyX73ZSzbwjX1+R3AMxFH+8r8Ng2fJVP4S1ukbK8RpmJfveC+J9ZOkIUvEOT/0uqNO2B/9c3SYEjctjis/SCrivyYAG1YuN2gAA3wPJM0mi2XWjF8Zt2kCl/87JwNCAO7OsRVRZzNJZ2sRMqYp9VECrUw5MGzt4ln2lyr9ffkn0L837kjsx3lQ4Mft6fgjyD3Klq2lrQEfaPHt7IAuAz4j4VNFAfbaEET8IG5OmrAyQBZQFczyRahIvA9bJpHSZH2GPZuxPA/E6d/H0nEJMAg0MmprSmO5KPo4O1M4b8Qs99T5atgVO8ygZEvue9Y12+DjEVW5C2rX5FJiZOaF6FcldhbulY2bP3UHnkaBgUgiu0zMKC8Fba3ARGoyVB9kXLE9St+PKkS3yrhrjLKVPH12At085LaPMgDCtAw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR18MB2696.namprd18.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(136003)(39830400003)(366004)(346002)(396003)(66556008)(66574015)(71200400001)(966005)(86362001)(64756008)(478600001)(8676002)(8936002)(83380400001)(5660300002)(2616005)(4326008)(6916009)(6512007)(66946007)(66446008)(26005)(6506007)(33656002)(36756003)(6486002)(76116006)(66476007)(186003)(2906002)(316002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?WXpGTzRROVhyMWdnRXJRMzBlN1Nmc01UbmpGYlFTMmp2VUUycE1zOUJwVXZO?= =?utf-8?B?b0dSdU9JWnk4N0J3ZHZEeitKbmpCVTM2UERyNU5CRzZGQURVUzM1YXN2OEhu?= =?utf-8?B?QlYwb1FHK29iUEVuNzlwOCtLOWxWUTRWMElXS1lRTmVSNjZLL1l1ekR2Rk1Q?= =?utf-8?B?ZWxZakJMVGprQTBXOFc0RTY5U0ZZLysrMVl1S1krRUgySHpzLzFFOFFiWDZt?= =?utf-8?B?cVdVbk5aZG5lbm1BR3BoaXNWWnZuTW5vdGJseE5yVEd2enR2SkgxaEtkbjll?= =?utf-8?B?NFVGS2x2N3FYRUxkMjlPdTFzZzJrZFkwb0k4TlU1RnpqQW44Q3p4TjgzaENu?= =?utf-8?B?YmRmYkt5WU1zWUY4dlRxaTVDQUw0T1c3YzBFcWNmY1Z1aTg2b0tJTkxnK2o4?= =?utf-8?B?Q2htQk1BVHVLQndzVVhOUEhpbDN3ZmR4TTF2MXBpdkRiQkF0UDVhYkFxQU5S?= =?utf-8?B?S1VRKzVxOFpLbW1ONmVEcmdIRStXb0diVFphZzh2VnZhcnlDbjJXZ1ZteGNP?= =?utf-8?B?K3A3aGV5bEJLaDVjcVMya3FHM2RrbjVicVM1ODlwMld2bzhiQWR1OEIzYzlG?= =?utf-8?B?eHhEQWZtYUZTOE9CUFRCaHdlcysveElyT3dZa3A1VnJ4d3d6NmJRSUcrcDJW?= =?utf-8?B?dlcyditYU0QwN0ZYRktoQnI4bkUzUVFxWFhka1h3ek1QSFQwb2tVTEN5MU9m?= =?utf-8?B?Rkk2R0ZNTnpHUENsQjNiSEpzYmZGay9RQjVtSi9NZDVHamU5ekM0TVEvb2RW?= =?utf-8?B?cmxwd1lrYVJ1aTgrR2ZNMXVieHFuSDJoZEoxTWJLSE5jb2hMa3JiNmNpYVps?= =?utf-8?B?eG9nZURlU01qTUpicUlMM1JZK1MyT0wxTjhyNkRFYTN4ekxVc21oZ0dNcElr?= =?utf-8?B?dmt1UmpUeWhST3FIclhJdkVXQzF1NWYyTkljaEVUNytjMXZaZUpVc0I2Y2V5?= =?utf-8?B?SkU0LzdvajI2L3l6TzlZdnhkeWV2amMzZlBVVklVRFNzMVRweE9lSk1JNmRh?= =?utf-8?B?NGxDcW93MUZrOFdQenduTWhpYnUxcWNEdDhZWThCN0JMWTAzYVRMSTVrYWlT?= =?utf-8?B?dW5yelpRYUZsQldiS0RwT1Z4aHVDU3hud0UyMmNHRVVoSTdDaGN6WTZ4SnB6?= =?utf-8?B?dGpiS20raVFVWVZXQ091aVFVd2UwRzBjS1ExK0JCRk9adjZiYkFoZFVkUy9z?= =?utf-8?B?eldVdTNwa0tuTjNGY09sa0JQaGQvamxoSUN5UmkySGFmZVpvRWQwekdFaEhv?= =?utf-8?B?UDM2YTZ0RitYSTBDZUNZWnZkRk45YUVFN2p3UjVVYXoxQXdSRCs2YS9uY1Fo?= =?utf-8?Q?akD2tWwPBOwgZAbdD0+cml4ViYZy4a9q60?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <F09FF8EB84C07947A9400A98B89D46F9@namprd18.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arrcus.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR18MB2696.namprd18.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ed5db366-2116-4420-1333-08d89e109bdb
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Dec 2020 20:09:04.3057 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 697b3529-5c2b-40cf-a019-193eb78f6820
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: T0cLYmNml7vNDneYIE8L6wi3KUS3qj5XlA4DfH8JAFyPQ69QORNVAcUoxDT6tlG0TvEdhYBMB4YcptCh9UHF8w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR18MB4059
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/0DRYkm3YbIdZAPQNCsJocEmn7Ns>
Subject: Re: [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-validation-signaling-05
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 20:09:08 -0000

Dear Job,

Thanks for the comments and the detail review of the draft. Couple points to note:

- The working group charter does not require us to have multiple implementations as of now. I do see your email suggesting to improve/modify charter on this topic.

- The chairs closed the WGLC for the draft on December 7th 2020. This WGLC was supposed to be closed on October 7th. The authors of the draft believes your comments were addressed. Your email suggests otherwise.  The chairs had a quick chat and we believe we can re-open the last call with hopes that you and other working group members can have their comments/concerns addressed.

Best Regards,
Keyur

On 12/7/20, 12:54 PM, "Job Snijders" <job@ntt.net> wrote:

    Dear Keyur,

    On Mon, Dec 07, 2020 at 06:58:16PM +0000, Keyur Patel wrote:
    > This working group last call is closed. Authors have already
    > incorporated relevant feedback received during the last call and at
    > this point the draft is ready to progress further. Accordingly we will
    > prepare a report and forward it to IESG.

    I really think this is a draft where it will proof to be useful to ask
    for an implementation report from *at least two* implementations,
    demonstrating interopability between the two implementations.
    In this (lengthy, sorry!) email https://mailarchive.ietf.org/arch/msg/sidrops/5-sFl3RCzn7xQ0YFOD31C56Ko4o/
    I tried to outline various problems I perceive with the draft in its
    current form, Oliver replied to all text, but zero changes were made to
    the document as he disagreed on all points of substance.

    Oliver claims to have an open source implementation, (which I am happy
    to believe!), and perhaps there is another implementation written by
    someone else? Has it been tested how they interact with each other in
    various configurations?

    If there is a second implementation, the working group can confirm
    whether the proposed Internet-Draft text, Oliver's implementation, and
    the second different implementation are aligned with each other and
    behave in exactly the way outlined in the document. An implementation
    report can be as simple as listing all IETF normative terms contained
    in draft, the line number, and a short comment whether the
    implementation is compliant (MUST), or an implementation specific choice
    was made (MAY), or anything else of note.

    Specifically in this draft, I really see potential for a repeat of the
    'IOS XE / origin validated extended communities'-problem that many
    operators suffered from when they tried to deploy RPKI Origin Validation
    in the BGP default-free zone, and I do not wish a similar repeat of
    events upon the BGPSec technology stack!

    Here is one of many references to the 'standardized' extended rpki
    origin validation communities causing issues in networks build using
    multiple BGP implementations, here is one mail thread. This was/is a
    multi-year problem because of the slow upgrade cycle of field-deployed
    routers: https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg67710.html

    I think there is some kind of technology stack layering problem when the
    state of a route can be manipulated through multiple channels. In this
    case (1) signaled via BGP community and (2) via signalled via
    RPKI-To-Router protocol, it can lead to problems for resource holders
    who are trying to use BGPSec, because there can be situations where
    their wishes are not expressed in the state of the network because of
    interference of an unauthenticated BGP communitiy. 

    So far I think some of us (perhaps myself included) have been too
    focussed mostly on the security aspect (and of course everyone knowns 
    extended BGP communities are not authenticated), but perhaps the
    *security* aspect of it is not the real problem, the real problem might
    be how an accidental misimplementation of draft-sidrops-bgpsec-validation-signaling-05
    can lead to operators having to turn the feature off in the entire fleet
    of devices, or roll back the software (be forced to keep running some
    unwanted version).

    If you ask anyone in the field about RFC 8097, virtually no operator
    will tell you that RFC 8097 in any way helped them deploy RPKI Origin
    Validation at scale (where scale is 100s of routers, multi-country
    network, multiple vendors). What you *will* hear is that there were
    interopability issues caused by the very existence of the RFC that
    caused many people extra work. It also means that everybody now has to
    test each and every new BGP software version they receive from their
    vendor on what exactly the behavior is of the proposed bgpsec origin
    validation signaling draft communities.

    If this draft is published as RFC, IANA will assign 3 codepoints to be
    used in some fashion in a generally unauthenticated protocol (BGP), and
    from that moment all operators doing QA will need to blackbox test the
    behavior of every BGP implementation they consider, to see if the
    implementation does not accidentally cause deviation from 'local policy'
    in any way under any circumstances.

    Standardizing codepoints to signal cryptographic validation states
    through unauthenticated channels really causes Internet operators down
    the road deployment problems, for multiple reasons.

    Kind regards,

    Job

    ps. I once was young and wet behind the ears and endlessly argued how
    great RFC 7999 was a *great* idea. At the time it really did seem great
    because DDoS attacks were a big problem, also lots of network operators
    with a 32-bit had difficulty picking suitable inter-domain BGP values.

    But in retrospect what I should have advocated for is a 'BLACKHOLE'
    PKIX-RPKI profile, now realizing that the RPKI via RRDP/RSYNC/RRDPv2
    might make for global near real-time public 'routing intention'
    distribution, really rivaling with the speed at which BGP updates
    propagate through the Default-Free zone.