Re: [Sidrops] Opsdir last call review of draft-ietf-sidrops-ov-egress-01
Chris Morrow <morrowc@ops-netman.net> Wed, 18 March 2020 00:11 UTC
Return-Path: <morrowc@ops-netman.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65F1A3A0BAC; Tue, 17 Mar 2020 17:11:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.099
X-Spam-Level:
X-Spam-Status: No, score=-1.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SV9fGz9WdDkh; Tue, 17 Mar 2020 17:11:52 -0700 (PDT)
Received: from relay.ops-netman.net (relay.ops-netman.net [192.110.255.59]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D670A3A0C3C; Tue, 17 Mar 2020 17:11:48 -0700 (PDT)
Received: from mail.ops-netman.net (mailserver.ops-netman.net [199.168.90.119]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by relay.ops-netman.net (Postfix) with ESMTPS id 48D013C1ED8; Wed, 18 Mar 2020 00:11:47 +0000 (UTC)
Received: from mailserver.ops-netman.net.ops-netman.net (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.ops-netman.net (Postfix) with ESMTPSA id 1D3613BB; Wed, 18 Mar 2020 00:11:47 +0000 (UTC)
Date: Wed, 18 Mar 2020 00:11:46 +0000
Message-ID: <87d09av7wd.wl-morrowc@ops-netman.net>
From: Chris Morrow <morrowc@ops-netman.net>
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: ops-dir@ietf.org, sidrops@ietf.org, last-call@ietf.org, draft-ietf-sidrops-ov-egress.all@ietf.org
In-Reply-To: <158448201565.32201.9748655174984394118@ietfa.amsl.com>
References: <158448201565.32201.9748655174984394118@ietfa.amsl.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/25.2 Mule/6.0 (HANACHIRUSATO)
Organization: Operations Network Management, Ltd.
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/0J78fz6BQ75HOTvy0PHkk00oga4>
Subject: Re: [Sidrops] Opsdir last call review of draft-ietf-sidrops-ov-egress-01
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2020 00:11:54 -0000
Just sniping a reply... which may be out to left (or right!) field :) On Tue, 17 Mar 2020 21:53:35 +0000, Linda Dunbar via Datatracker <noreply@ietf.org> wrote: > > Reviewer: Linda Dunbar > Review result: Not Ready > > I have reviewed this document as part of the Ops area directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the Ops area directors. > Document editors and WG chairs should treat these comments just like any other > last call comments. > > The document claims that it highlights an important use case of origin > validation in eBGP egress policies, explaining specifics of correct > implementation in this context. But I don't see where the "Use Case" is > described. It seems to me that the document should have more sections to > describe the Use Case and the procedure of Egress Export of the RPKI validated > Origins. > > Section 3 Egress Processing only has one sentence stating that > "When applied to egress policy, validation state MUST be determined using the > effective origin AS of the route as it will (or would) be announced to the > peer." What other choices there are ? Are there any routers that support RFC > 6480 RPKI not performing this step? how? > I think the sense of this sentence is really: "Your router may have configured ASXXX and present itself (confedaration) as ASYYY to peer1 and ASBBB to peer2 (merger/acquisition issues). Please make sure that you validate the origin accordingly" There are a few example networks in the real world where this sort of thing could be super relevant. Particularly look at recent 'network that merges a bunch' Level3/CenturyLink/Savvis/GlobalCrossing/etc... AS3356/AS209/AS<iforget>/AS3459/AS3549. A single edge device terminating customers on the 3356 backbone may plausibly have customers that haven't swapped over to 3356 and are actually expecting the remote peer to be any of 6 or more ASN. It's important that the 'i originated this prefix, I'm 3356, wait 3549, want 3459...' decision is backed up in ROA content as well as validation logic. Looking at the abstract to maybe dig a little deeper: "For egress policy, it is important that the classification uses the effective origin AS of the processed route, which may specifically be altered by the commonly available knobs such as removing private ASs, confederation handling, and other modifications of the origin AS." So somewhere deep in my network, bb01.pop01 has: 192.0.2.0/24 staticly routed, redistributed in BGP and marked for external announcement (community/etc). That route, internally has an origin-AS of: 65507 because that's one of the several private ASN that make up my confederation: ASBAR. So, when I announce: 192.0.2.0/24 - origin 65507 I need to both swap the origin in the bgp announcement and validate against the local-as the peer sees me as. 192.0.2/0/24 - origin 3356 192.0.2.0/24 - origin 3549 ...etc... This will require me to make ROA for all of these origins, as well. I think anyway that's the goal of the document, really. though, also, I could have missed the forest for the trees here. -chris > My two cents. > > Linda Dunbar > >
- [Sidrops] Opsdir last call review of draft-ietf-s… Linda Dunbar via Datatracker
- Re: [Sidrops] Opsdir last call review of draft-ie… Chris Morrow
- Re: [Sidrops] Opsdir last call review of draft-ie… Nick Hilliard
- Re: [Sidrops] Opsdir last call review of draft-ie… Randy Bush
- Re: [Sidrops] Opsdir last call review of draft-ie… Job Snijders
- Re: [Sidrops] Opsdir last call review of draft-ie… Randy Bush
- Re: [Sidrops] Opsdir last call review of draft-ie… Linda Dunbar
- Re: [Sidrops] Opsdir last call review of draft-ie… Ben Maddison
- Re: [Sidrops] Opsdir last call review of draft-ie… Randy Bush
- Re: [Sidrops] Opsdir last call review of draft-ie… Warren Kumari
- Re: [Sidrops] Opsdir last call review of draft-ie… Ben Maddison
- Re: [Sidrops] Opsdir last call review of draft-ie… Randy Bush