IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-ietf-sidrops-8210bis-03 - Ends 7/December/2021

Tim Bruijnzeels <tim@nlnetlabs.nl> Mon, 29 November 2021 11:17 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62EC03A0408 for <sidrops@ietfa.amsl.com>; Mon, 29 Nov 2021 03:17:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ThUvQDDJGCef for <sidrops@ietfa.amsl.com>; Mon, 29 Nov 2021 03:17:26 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 569E23A0597 for <sidrops@ietf.org>; Mon, 29 Nov 2021 03:17:25 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id D12DB850; Mon, 29 Nov 2021 11:17:17 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1638184634; bh=w5otKNjBmwUljjlw8gHX8UVxCK3C5ZRayTR2YySaUes=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=FwaJdlbNQeoJq0Et/439KOp2iAemuIboTrr+xc1rXN6jx3rFLJDU+YuIHBch+85tA v2Yu9gIfG5DVyuTLRqL2yb+HeoHQ9SQTfi9m3ve4tNm/UblBXv0aVHXDOtE2OudcRY 9qrxLzhb1RieOTtOgIsLFZd0wvxbHeyUb7u0DoiGyqAwzE/exy9AsC+3/V1WmCtbeA PUTw+yc/7h7SD5wJCE+GjJhLMvf9qZF4JtHzOHck2NK94suPP3rcvbuOUeUm2T0gn9 45Is4wh+QDfmU1rIAmgsDKNthyx7l0j2Au0FBWRYLOoG6WVKDU60MX+feFjBsppHpD WcRpgD5ShF1pQ==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <m2ilwdovm7.wl-randy@psg.com>
Date: Mon, 29 Nov 2021 12:17:06 +0100
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0520521A-DF0E-4209-8FF2-745094D742C8@nlnetlabs.nl>
References: <0B2DE27E-B67F-413B-806B-7131B90F3333@arrcus.com> <14BFC0A3-0352-47C7-86CF-23223F0E660E@nlnetlabs.nl> <m2ilwdovm7.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/0aoKXhv0jVuwpQU6TCa-ul60iks>
Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-8210bis-03 - Ends 7/December/2021
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2021 11:17:33 -0000


> On 28 Nov 2021, at 03:35, Randy Bush <randy@psg.com> wrote:
> 
>> I think that a model similar to multiple ROA objects and resulting VRP
>> PDUs is preferred.
> 
> From: Randy Bush <randy@psg.com>
> Subject: Re: [Sidrops] Minor comments on draft-ietf-sidrops-aspa-profile-00
> To: Alexander Azimov <a.e.azimov@gmail.com>
> Cc: SIDR Operations WG <sidrops@ietf.org>, Tim Bruijnzeels <tim@nlnetlabs.nl>
> Date: Sun, 06 Oct 2019 17:07:36 -0700
> 
> i have not thought deeply abut this.  but it seems to me that, as in
> ROAs, one enters into and leaves relationship with a provider.  whacking
> a multi-AS ROA or a multi-provider ASPA record seems ill advised.  for
> example, what if there is a delay between delete and recreate?
> 
> keep things simple, please.
> 

I am all for simple, but you cannot assume there will only ever be one
valid ASPA object for a customer AS.

I know the profile text says the a CA MUST make a single ASPA for a customer,
and I agree. But there are a number of reasons why RPs need to be prepared to
see multiple valid ASPA objects in the RPKI:

1 CA migration make before break

Suppose that I want to change from one CA implementation to another, then
I want to ask my parent to authorise my new CA and set up everything, ROAs,
ASPAs etc before removing and breaking my old CA.

2 Parent publishing ASPA

A parent can publish an ASPA for my customer ASN, delegate the ASN to me,
and then I can publish a second ASPA. Ill advised indeed, but we cannot
assume it won't happen.

3 Multi TA

ASPA objects for the same customer ASN can appear in different trees, at
least in theory.

4 (future) Local exceptions (SLURM)

While this would not be an object as such, we can (and should) extend
SLURM to allow for local ASPA filters / additions. This could also cause
overlaps with actual objects.

5 Algorithm Roll?

I need to re-read this in detail (RFC 6916) but I think there may be
duplicate objects in there as well, though I am not sure whether RPs
are required to validate both for the same CA. But, there may be something
here too.


In short I think RPs should process all *valid* ASPA objects and then
derive the *union* of all providers for a given customer ASN and AFI.

Note that this is orthogonal to the question of whether that union should
be presented to routers as a single PDU, or that single provider announcement/
withdrawal PDUs could be used.


> randy
> 
> 
> From: Randy Bush <randy@psg.com>
> Subject: Re: [Sidrops] New Version Notification for draft-ymbk-8210bis-00.txt
> To: Alexander Azimov <a.e.azimov@gmail.com>
> Cc: SIDR Operations WG <sidrops@ietf.org>
> Date: Tue, 24 Mar 2020 12:02:10 -0700
> 
>> The current proposal addresses this issue for ASPA and ROAs in a different
>> way:
>> 
>>   - For ASPA a single PDU per customer AS is neveling the issue;
>>   - For ROAs the draft introduces ordering of the updates + suggests
>>   sending updates with the same prefix back to back.
>> 
>> The way ROAs will be processed decreases the chances that valid prefixes
>> will be marked as invalid, but they are not zero. My thinking is, that
>> since RTR protocol is negotiating its version at the start of the session
>> there is no need to keep full backward compatibility with the way ROAs were
>> processed previously. Instead, we can change ROA RTR PDUs is the same
>> fashion as it is introduced for ASPA: a single PDU for a selected prefix
>> that replaces previous records.
> 
> two dimensions of why not
> 
>  o the ASPA is a single atomic assertion signed by the only party who
>    has the authority.  it's pretty simple.

See above, there can be, and therefore RPs must assume there will be, more
than one object.

> 
>  o ROAs for a range are not atomic and may be asserted by many parties.
>    e.g. a /15 with two delegated /16s, each with delegated /whatevers.
>    if a /29 down the subnet-chain changes, you have to re-do the whole
>    shebang.
> 
>    a number of these are likely to be via CA delegation; more and more
>    as alex's marketing engine revs up.  so they will arrive at a cache
>    skewed in time.
> 
>    think what this does to the load on the router; and remember that
>    one major goal here is to minimize router load so current hardwhere
>    running on 6502s with 640k can route origin validate.

I am all for reducing the load on routers.

How is presenting a single PDU with a provider list that is supposed to
replace the previous list better on routers than having multiple PDUs
in a single update - i.e. before the end of data as Oliver mentioned?

In the first case there is possible overhead in case lists get long,
the second puts some burden on the router to build up its own new version
of a list before replacing the one it had. I expect that burden to be
low, but if router implementers can attest that it isn't then I would
love to hear it.

As I said, multi ASPA objects is orthogonal. If we MUST have a single
PDU then the cache can send the union of providers in ASPA objects as
a single PDU.

> and ask folk such as mark how rov deployment is going on some of the
> more common platforms.

I don't know who you mean by mark and what you mean by this. If there
are lessons to be shared, then please share specifics.

> 
> randy
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email