Re: [Sidrops] [routing-wg] misconceptions about ROV
Geoff Huston <gih@apnic.net> Tue, 22 February 2022 19:14 UTC
From: Geoff Huston <gih@apnic.net>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/45xapAyI55fShalvhrYknU7HmRI>
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>

>>
>> Are there any scenarios in which one would want to accept BGPsec invalid
>> paths? Similarly, RP implementations discard malformed ROAs, network
>> operators reject RPKI ROV-invalid BGP updates.
>
> Currently you need to accept BGPSec invalid path on any path where
> at least one ASN does NOT participate in BGPSec. Applying BGPSec path
> validation is only safe when you know that ALL ASNs on the path
> participate.

I can’t parse these two sentences Tim. They seem to contradict each other when I read em.

The AS signing chain is stripped as soon as an update leaves the original BGPSEC “island”. I thought that an AS can’t just restart the signing chain subsequently.

>> If people perceive risk: don't enable BGPsec, let others be the early
>> adaptors. It is early days, lots of software still has to be written,
>> lots of testing is required.
>
> What I am hoping for, essentially, is that a partial deployment model
> would be more feasible where people are not expected to form islands,
> which merge, without specifying how those islands form or merge.

This desire seems rather inexplicable to me, in that if one allows routes where the AS signing chain is broken then it could be broken because of tampering or other malicious acts as much as they are broken for more benign reasons. How would the BGP speaker receiving the route tell the difference? And if it can’t, then it seems to me that there is no point in adding this additional workload to update processing if in fact it is incapable of detecting tampered AS Paths.

Geoff
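
Added example, not part of the original message and not taken from any BGPsec implementation: a simplified Python model of the question raised in the message above. HMAC with constructed keys stands in for BGPsec's per-AS signatures, and the AS numbers, prefix and function names are assumptions. It shows that a receiver which accepts updates without a signing chain gets the same "unsigned" result for an untouched path and an edited one.

```python
import hashlib
import hmac

# Constructed keys for participating ASes; HMAC stands in for BGPsec's per-AS signatures.
KEYS = {64500: b"key-64500", 64501: b"key-64501", 64502: b"key-64502"}

def sign_hop(prefix, path, target_as, prev_sig):
    """path[-1] signs the prefix, the path so far, the next AS and the previous signature."""
    msg = f"{prefix}|{path}|{target_as}".encode() + prev_sig
    return hmac.new(KEYS[path[-1]], msg, hashlib.sha256).digest()

def forward_signed(update, me, target_as):
    """Participating AS: append itself (origin-first order here) and extend the chain."""
    path = update["path"] + [me]
    prev = update["sigs"][-1] if update["sigs"] else b""
    return {"prefix": update["prefix"], "path": path,
            "sigs": update["sigs"] + [sign_hop(update["prefix"], path, target_as, prev)]}

def forward_unsigned(update, me):
    """AS outside the signing island: the path survives, the signatures do not."""
    return {"prefix": update["prefix"], "path": update["path"] + [me], "sigs": None}

def validate(update, me):
    """Receiver's view: 'valid', 'invalid', or 'unsigned' (nothing to check)."""
    if update["sigs"] is None:
        return "unsigned"
    path, prev = update["path"], b""
    if len(update["sigs"]) != len(path) or any(a not in KEYS for a in path):
        return "invalid"
    for i, sig in enumerate(update["sigs"]):
        target = path[i + 1] if i + 1 < len(path) else me
        if not hmac.compare_digest(sig, sign_hop(update["prefix"], path[:i + 1], target, prev)):
            return "invalid"
        prev = sig
    return "valid"

def demo(receiver=64510):
    start = {"prefix": "192.0.2.0/24", "path": [], "sigs": []}
    a = forward_signed(start, 64500, 64501)                    # origin signs towards 64501
    full = forward_signed(forward_signed(a, 64501, 64502), 64502, receiver)
    altered_signed = dict(full, path=[64501, 64500, 64502])    # path edited, chain kept
    benign = forward_unsigned(forward_signed(a, 64501, 64999), 64999)  # left the island
    altered_unsigned = dict(benign, path=[64500, 64999])       # path edited after stripping
    cases = [("full", full), ("altered_signed", altered_signed),
             ("benign", benign), ("altered_unsigned", altered_unsigned)]
    return {name: validate(u, receiver) for name, u in cases}

if __name__ == "__main__":
    print(demo())
```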