IETF Logo Mail Archive

Re: [Sidrops] [routing-wg] misconceptions about ROV

Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 24 February 2022 12:13 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BA723A11E0 for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 04:13:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpM5ygQCNJPs for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 04:12:57 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D56683A0BE3 for <sidrops@ietf.org>; Thu, 24 Feb 2022 04:12:49 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id D32FC383; Thu, 24 Feb 2022 12:12:42 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net []) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1645704761; bh=aNCzblVzsj76NU/wLNdh+T/Q7SUDxHK+dgE3cQk+LoQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=CV2xwMJHYleqwAskCJ7pB6kWJMhy+qcTKBlLYogXBBrU6GaNgaOn8MFNNNsMF7EVa wrvjR1QED8KCiLO04ZwGZYrSG0rZ994h5QMpx0C1kPnkcRPZBb/hEH/hZtVB68zRo2 LdHBoaNnkLDGfP1u8j83oc0oagl2OVkAbVw6qHTP2AGuuLSAHdNj0E0APYqLe6Fjzi srRioN0sExiuqDOoYf3x8gqudQnZ9jtU6dISkYnP+ph5jye7agu8JwerXRK1M4d0at Iy4zVNzJZ4aAe9QCxxlc8dkU3v47t8THMas3z7Q+PmL13FUoqshSqEUBqolZ1p5kKV ueF/dRjCSG6cA==
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.40.0.1.81\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <CAMFGGcBhm7bGbAL7CRdmHYJVsOtRGRaPD56Tvi=xSW=+Y=n8Rw@mail.gmail.com>
Date: Thu, 24 Feb 2022 13:12:38 +0100
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5AAF971A-CD2C-4D27-B5CB-CE370A7D6E40@nlnetlabs.nl>
References: <015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn> <DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl> <YhS/WR3czIP3jNLF@snel> <ABE3FA29-6C9D-492B-A72A-68C20176E76D@nlnetlabs.nl> <949277FD-27AF-40E8-B557-AA58C62BFEA7@apnic.net> <E16290C1-77ED-4CB1-8712-F6163304ED45@nlnetlabs.nl> <m2k0dmmntj.wl-randy@psg.com> <6D314C7A-8CEC-4B9B-8F80-6B1AC48037E2@nlnetlabs.nl> <85D947F4-E2A4-4FFE-86AF-2D129C49FB9C@psg.com> <8413F0CA-F50A-42B7-B0DA-19A0A90ABE6F@nlnetlabs.nl> <YhdCYjS+yDVsFgNF@snel> <60B6D863-047D-40A6-80DD-95C05391A0BA@nlnetlabs.nl> <CAMFGGcBhm7bGbAL7CRdmHYJVsOtRGRaPD56Tvi=xSW=+Y=n8Rw@mail.gmail.com>
To: Job Snijders <job@fastly.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/4Q4h_Kva05Fu-OHhlPpns7rae-U>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 12:13:03 -0000

Job,

Thank you for your reply.

I understand your concern about getting the 'basics' deployed first.
I am also willing to implement basic support in krill after 0.10.

I interpreted your use of capitals to mean that you wanted me to stop
the discussion beyond the current set of standards. I feel that you
interpreted my desire to discuss these things as unwillingness to
implement - but I don't see how these things conflict.

With regards to "looking for help".. not the most respectful way
of phrasing it.. but let's move on.. I asked questions about the
downgrade specifically. I don't think that I am the only one who was
unclear on this specific issue - and I felt that clarity would help me
and others.

With regards to "inconsistent positions".. This is not a bug, but a
feature of discussions involving listening and learning.

The source of this communication style is that I was trying to have
an open face-to-face-like exchange over email.

Since you and I are both going to the IETF meeting - how about having
a chat there and clearing things up?

Tim



> On 24 Feb 2022, at 11:54, Job Snijders <job@fastly.com> wrote:
> 
> On Thu, Feb 24, 2022 at 10:16:39AM +0100, Tim Bruijnzeels wrote:
> > > It seems you overlook some deployment aspects, for example: within a
> > > given Autonomous System (during the incremental deployment of BGPsec -
> > > which may take years) there will be ASBRs that support BGPsec and ASBRs
> > > that are unable to negotiate support for BGPsec. For example, it is
> > > entirely possible that at a given moment in time only half the
> > > adjacencies for 206238_15562$ are BGPsec capable, and half are not (yet).
> > 
> > Not at all - any adjacencies that are not BGPSec capable would not issue
> > any statement that they are capable. So stripping the signatures there
> > would be entirely expected.
> > 
> > I am talking about something else: signalling deployment beyond direct
> > sessions in order to enable detection of downgrade attacks. If router
> > can detect that the *entire* path is not only capable but also
> > committed to do BGPSec then removal of signatures can be flagged as an
> > attack.
> 
> At the risk of repeating myself: signalling at AS-level granularity
> seems too coarse for deployment reality. An AS might be able to do
> BGPsec in one part of their network, but not in other parts of their
> network. Another consideration: not all Autonomous Systems operate with
> a coherent backbone, some AS are "islands".
> 
> Imagine AS 65000, 65001, and 65002, who all have half their ASBR
> footprint BGPsec enabled; neither of those 3 AS can 'commit' to BGPsec;
> other than through per-BGP-session negotation. BGPsec islands connect to
> each other by virtue of unbroken valid signature chains.
> 
> 
> > > See this posting for a similar story on RPKI ROV invalids:
> > > https://mailman.nanog.org/pipermail/nanog/2021-April/213346.html
> > > 
> > > Frankly speaking, wouldn't it make far more sense to implement the
> > > specifications AS SPECIFIED AND PEER-REVIEWED BY MANY PEOPLE,
> > > *before* advocating new object profiles?
> > > 
> > > Especially since the CA side of BGPsec is so straight-forward and
> > > simple to implement ... ?
> > 
> > There is no need to shout Job..
> > 
> > I was trying to have a discussion about a possible way to help
> > operational future deployment.
> 
> I appreciate all the help you are willing to provide, but I question the
> soundness of initiating discussion about 'future deployment' while the
> first steps have yet to be set on the path towards deployment. How can
> anyone meaningfully comment on future operational deployment challenges
> without any operational experience with BGPsec "as is"?
> 
> > This is in no way preventing the development and deployment of current
> > standards. And should the idea be useful and accepted then of course
> > it would be handled as a WG document, be peer-reviewed etc.
> > 
> > I know - it's naive to think that that would be what the IETF
> > is for. Fine. I will stop here. Discussion once again seems
> > entirely pointless.
> 
> At times it seems you look to this WG for help, other times you purport
> opinion on what the future direction of RPKI / Secure Routing should be,
> and then other times you appear to engage in research/brainstorm
> activities. It is hard to tell which is which at times.
> 
> The current discussion might appear challenging because your positions
> appear inconsistent: first you expressed heavy skepticism to the point
> that it might even discourage others to consider BGPsec ("it doesnt
> scale"), then you pivot to suggesting new object profiles, all the while
> writing messages which contain imprecise terminology.
> 
> Here you ask for pointers: https://mailarchive.ietf.org/arch/msg/sidrops/shD2HMkgDrXSf7dLI6GAkOuaoKg/
> Here you reply you could find the documents yourself: https://mailarchive.ietf.org/arch/msg/sidrops/DcbDU25miO0Rcc9Hbd85kaDvDx0/
> 
> Here you ask whether there is 'operator demand': https://mailarchive.ietf.org/arch/msg/sidrops/XOHyvcRKH6VOG310jAUppzRXliA/
> But already back in October 2021, you yourself noted: "Wrt BGPSec.. I am actually very happy to see that so many people are in favor of supporting it.":
> https://www.ripe.net/ripe/mail/archives/routing-wg/2021-October/004454.html
> 
> It seems to me that one could extrapolate appetite for BGPsec in managed
> CA environments to mean that people also would like BGPsec support in
> all other CA implementations.
> 
> Let's make BGPsec a reality! It all starts by actually making BGPsec
> available to operators.
> 
> Regards,
> 
> Job

v2.8.7 | Report a Bug | By Email