Re: [Sidrops] draft-sidrops-rpkimaxlen

Ben Maddison <benm@workonline.africa> Wed, 10 March 2021 14:18 UTC

Date: Wed, 10 Mar 2021 16:18:45 +0200
From: Ben Maddison <benm@workonline.africa>
To: "Jakob Heitz (jheitz)" <jheitz=40cisco.com@dmarc.ietf.org>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Message-ID: <20210310141845.dezutltguh7awt74@benm-laptop>
In-Reply-To: <BYAPR11MB32073F176C7DDB3D26EDA2A4C0919@BYAPR11MB3207.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/43b7OBW301wLc9-puhNU-CPiSAM>
Subject: Re: [Sidrops] draft-sidrops-rpkimaxlen

Hi Jakob,

On 03/10, Jakob Heitz (jheitz) wrote:
> I agree that a hijack is made easier when a ROA exists without a corresponding BGP advertisement.
> 
> Implementing DDOS and RTBH as indicated in the draft is difficult without the ROAs for the required BGP announcements. As indicated in the draft, creating and distributing the ROAs required for RTBH and DDOS scrubbers is time consuming.
> 
The issues with DDoS mitigations and RTBH signals are very different.

The more-specific prefixes that you originate during DDoS mitigation
have to go everywhere (in the DFZ). Hence, so does the covering ROA.

That is not generally true of RTBH signals, which are typically intended
for consumption within a local neighborhood.
That property makes dealing with RTBH amenable to solutions based on
local policy exceptions. At least until there is something better.

> Note that these ROAs are not required throughout the entire BGP space, the world.
> These ROAs are only needed near the AS requiring these services, thus distributing them
> around the entire world, just for some local RTBH implementation is disruptive to the
> rest of the world.
> 
Agreed

> To help with these "limited distribution ROAs" that are required quickly, and in
> a smaller space than the entire BGP space, I propose to invent a new BGP address
> family to publish them. Using BGP to publish a ROA enables fast distribution
> and allows limiting the distribution to only those ASes that need it.
> 
This is exactly the kind of idea that I was talking about, when I said
out-of-scope! :-)

> Anybody want to help me write a draft?
> 
Perhaps a conversation, then a draft?

Cheers,

Ben
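The distinction drawn above, as an added example that is not part of the thread: RFC 6811 route origin validation over a constructed ROA set shows that a scrubbing-centre more-specific is Invalid everywhere until a covering ROA is published, while a BLACKHOLE-tagged host route can be admitted by a local policy exception restricted to configured neighbours. The prefixes, ASN and neighbour names are constructed for illustration.

```python
import ipaddress
from typing import Iterable, NamedTuple

class ROA(NamedTuple):
    prefix: str      # covered prefix, e.g. "192.0.2.0/24"
    max_length: int  # ROA maxLength attribute
    asn: int         # authorised origin AS

BLACKHOLE = "65535:666"  # RFC 7999 BLACKHOLE well-known community

# Constructed data: a minimal ROA (maxLength == prefix length) for a /24, and the
# same set plus a ROA for the /25 that a scrubbing centre would originate.
MINIMAL_ROAS = [ROA("192.0.2.0/24", 24, 64496)]
WITH_SCRUBBER_ROA = MINIMAL_ROAS + [ROA("192.0.2.128/25", 25, 64496)]
RTBH_NEIGHBOURS = {"ixp-peer"}  # hypothetical neighbours allowed to send RTBH host routes

def rov_state(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Route origin validation per RFC 6811: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True  # a covering ROA exists, so the outcome is valid or invalid
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "valid"
    return "invalid" if covered else "notfound"

def accept_route(prefix: str, origin_asn: int, neighbour: str, communities: set,
                 roas: Iterable[ROA], rtbh_neighbours: set) -> bool:
    """Drop ROV-invalid routes, except BLACKHOLE-tagged host routes from local RTBH neighbours.

    This is the local policy exception the reply describes; it applies only where the RTBH
    signal is meant to be consumed. Keeping the accepted host route from being re-exported
    is a separate export-policy matter not shown here."""
    if rov_state(prefix, origin_asn, roas) != "invalid":
        return True
    net = ipaddress.ip_network(prefix, strict=False)
    is_host_route = net.prefixlen == net.max_prefixlen
    return is_host_route and BLACKHOLE in communities and neighbour in rtbh_neighbours

if __name__ == "__main__":
    print(rov_state("192.0.2.128/25", 64496, MINIMAL_ROAS))       # invalid until a ROA covers it
    print(rov_state("192.0.2.128/25", 64496, WITH_SCRUBBER_ROA))  # valid
    print(accept_route("192.0.2.7/32", 64496, "ixp-peer", {BLACKHOLE},
                       MINIMAL_ROAS, RTBH_NEIGHBOURS))             # True via local exception
```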