IETF Logo Mail Archive

Re: [Sidrops] ROV with ATOMIC_AGGREGATE

Jeffrey Haas <jhaas@pfrc.org> Thu, 12 March 2020 14:56 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9D913A0941 for <sidrops@ietfa.amsl.com>; Thu, 12 Mar 2020 07:56:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NnlK0eGSPRLK for <sidrops@ietfa.amsl.com>; Thu, 12 Mar 2020 07:56:54 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 26F503A096B for <sidrops@ietf.org>; Thu, 12 Mar 2020 07:56:53 -0700 (PDT)
Received: from dresden.attlocal.net (99-59-193-67.lightspeed.livnmi.sbcglobal.net [99.59.193.67]) by slice.pfrc.org (Postfix) with ESMTPSA id 41F3D1E2D3; Thu, 12 Mar 2020 11:02:56 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <e7c908238186300d6e3a7b60a50a2fbf656f13a8.camel@workonline.africa>
Date: Thu, 12 Mar 2020 10:56:51 -0400
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C266F9BC-3938-400C-AEC8-A72EBD6D5569@pfrc.org>
References: <bb9da4b2e853897b95a878f344c8e44193b2f632.camel@workonline.africa> <B15A5A6A-6CC9-43C3-AEEE-65CD886D0C8E@pfrc.org> <e7c908238186300d6e3a7b60a50a2fbf656f13a8.camel@workonline.africa>
To: Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/4PVceKfIC6ve8dZRYC08vLY6xdU>
Subject: Re: [Sidrops] ROV with ATOMIC_AGGREGATE
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 14:56:57 -0000

Ben,


> On Mar 12, 2020, at 8:54 AM, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org> wrote:
> 
> Thanks Jeff,
> 
> You can be kinda hard to parse sometimes!

Sorry, this was pre-coffee.

> 
> On Thu, 2020-03-12 at 07:07 -0400, Jeffrey Haas wrote:
>> 
>> If the origin AS, sans sets, is correct - the implementation should
>> believe it.
>> 
> You're saying that:
> 
> ```
>   o  Route Origin ASN: The origin AS number derived from a Route as
>      follows:
> 
>      *  the rightmost AS in the final segment of the AS_PATH attribute
>         in the Route if that segment is of type AS_SEQUENCE, or
> 
>      *  the BGP speaker's own AS number if that segment is of type
>         AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is
> empty,
>         or
> 
>      *  the distinguished value "NONE" if the final segment of the
>         AS_PATH attribute is of any other type.
> ```
> (https://tools.ietf.org/html/rfc6811#section-2)
> 
> Applies, as is, irrespective of the possible presence of
> ATOMIC_AGGREGATE, right?

Exactly.

ATOMIC_AGGREGATE these days[1] means that aggregation has been done at some point in the life of the BGP AS_PATH for the NLRI in question.

Once it has been added, subsequent aggregation could have been done, and may have set elements added to it.  In such cases, the current desired behavior is that the route cannot be used for origin validation purposes.

However, similarly, subsequent aggregation may be done and further information lost from the AS_PATH; we don't get more than one ATOMIC_AGGREGATE marker and it has no counter.

My general observations on aggregation with respect to origin validation have been:
- Parties that have the "right" to aggregate (prefix ownership, or owner of prefix that more specifics have been delegated from) can aggregate and it'd still match RPKI policies.
- Proxy aggregation by other parties will fail RPKI policies.

The first case means that ATOMIC_AGGREGATE ("brief") style aggregation is fine and fits the intent of RPKI origin validation.  The second case doesn't fit the intent and will fail regardless fo whether there's a set or not.

It's this set of properties that has me being an objecting party to the movement to completely kill set behaviors in BGP as-paths.  it has more than the usual incremental deployment issues to be conformant with actual "deprecation" and doesn't help with the desired intent.  I'm quite happy to say "don't do that" and let RPKI slowly extinguish the feature's use.

> 
> Cheers,
> 
> Ben
> 
>> If you want path validation, we need bgpsec.
>> 
> Depending on what you want to validate it *against*, you may need ASPA.
> But that's a different conversation.

Indeed.  Relevant to this particular conversation, if you're concerned about truncated paths, which is what ATOMIC_AGGREGATE is intended to help signal, you may care that the route's origin AS was actually originated by that AS.

-- Jeff

[1] The ATOMIC_AGGREGATE feature in BGP is an interesting anatomical vestige from the BGP-3 to BGP-4 transition that never got deployed properly.  The originally desired behavior for it was incorrect from the start and unimplementable.  It also made my nascent life in IETF work unnecessarily interesting.

v2.23.0 | Report a Bug | By Email