IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020

"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Wed, 26 August 2020 00:11 UTC

Return-Path: <oliver.borchert@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BE4D3A08CF for <sidrops@ietfa.amsl.com>; Tue, 25 Aug 2020 17:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UY20HuOHTUvn for <sidrops@ietfa.amsl.com>; Tue, 25 Aug 2020 17:11:34 -0700 (PDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02on2090.outbound.protection.outlook.com [40.107.89.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39A2C3A08D4 for <sidrops@ietf.org>; Tue, 25 Aug 2020 17:11:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=COD9kONVT57miTcd0GvPd12SZ+mcIha6fcLutCio0meFljthKNPzuSoPfr2FGsbrF0TgkgvfaKp5nyHBKOXLSCWugz8KT7MOBLaYFGQWZBfQDHx5KVaG+NdYChNOzLuX4bH+QqHH7Bwo1N2liWGUUC5yM6i0hFEA8wx/SpnW0gXIIh1cEUt4m/0Q1ViPSy/elgiFSh3NmNIOgl878M9JLcUB6n2IUVztymumeeM05hryGrbQ0F8uDaucZWdkxWT2yLPg032d0ZbJDUBm2++IA2FRoxqsc8dkDIwBrw6P1/gnZ1aLyJG9x9SZ+Udmt5pP1cao5YvXIHTRbMFHn40nsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KHaMckMMm1N3nKCy1k0i/+27kmCyptk2zyThL5K0iv8=; b=QbLrVXr7U4Oh7liaeSsmsxSx32xY5XbxmxzlyPRFKYlfenS9jrSILWDwdUXqORnX98Ke5DEs+Zz0HqKHxlqXncgwTi15V3Udl5zc/8CP+gi9cpbrh1DjL1jwkLci5giNHhMjgUNadVZ6aqtHcOzPF0XIWUuzggFto/TDKMW06bOQirqceoFnUQOmgr9xIMXFBLOn8ms5yHq5yKF4XyR8djAzU6d9cz0qldWHf8It6GecR3GdXk0KE+WhZ0NYlSwYUyYV4lUaRzbsJCV8RLrOJ6Fm311zX6ad7TI6P1Z5rtYvhFYv1j9MTgYCi6a/LDKs1ETl/43vpxKvLIbGn+FEAg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KHaMckMMm1N3nKCy1k0i/+27kmCyptk2zyThL5K0iv8=; b=nXQ70EZ3gDra1JgwVj7hULTOCwjqVluWZrq0uOEniHEas53I7X+eT7suWY0O3sZTJZarINNL9tiE9zh2nhAaR8DV+oI8rGsbVe2U7xZk6WlrcVnp435krL5xemsLaiUrrEVUaNDGf3Ui54gnKlcF2yPmS6EpZu2Trgrbc+SXHDI=
Received: from BLAPR09MB6963.namprd09.prod.outlook.com (2603:10b6:208:289::7) by MN2PR09MB5900.namprd09.prod.outlook.com (2603:10b6:208:220::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3326.19; Wed, 26 Aug 2020 00:11:32 +0000
Received: from BLAPR09MB6963.namprd09.prod.outlook.com ([fe80::558c:763b:a7d:1edc]) by BLAPR09MB6963.namprd09.prod.outlook.com ([fe80::558c:763b:a7d:1edc%6]) with mapi id 15.20.3305.026; Wed, 26 Aug 2020 00:11:32 +0000
From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: Nick Hilliard <nick@foobar.org>, Keyur Patel <keyur@arrcus.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>, "Montgomery, Douglas C. (Fed)" <dougm@nist.gov>, Daniel Kopp <daniel.kopp@de-cix.net>
Thread-Topic: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020
Thread-Index: AQHWcA+HFL2ap5d5eEGUfZX0DE6/EKkzY/mAgBXzwIA=
Date: Wed, 26 Aug 2020 00:11:31 +0000
Message-ID: <F2528495-035E-4810-B865-F02A735CBE02@nist.gov>
References: <6A0CA35A-4BA3-4063-BDA8-B93B17636B4B@arrcus.com> <b69340ac-d702-3ee2-00ec-948dc3184135@foobar.org>
In-Reply-To: <b69340ac-d702-3ee2-00ec-948dc3184135@foobar.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: foobar.org; dkim=none (message not signed) header.d=none;foobar.org; dmarc=none action=none header.from=nist.gov;
x-originating-ip: [2610:20:6005:223::89]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 99ce6dd2-3d0b-4dba-5b1d-08d849549656
x-ms-traffictypediagnostic: MN2PR09MB5900:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <MN2PR09MB5900078A39E004E14F8D14C698540@MN2PR09MB5900.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: MBU322+JYOSkKeFx2PuRBG2zl5eiFjSmTRoJmk6Ub/Yhbw6wuwOFtxyfHtJ9XNJBX0xg0fmZEY/XLYEp+oCDhaImpI0CEobLrbDGTVdeDTO7LRCkffB9q7W8kSlOtfMaX7tBpQkBTyQISqpS1+Bu845auzRG/Z/IG69LUYI1zbD33qM+7l9VzT3VBNzjDd1FjCHnhoYs+xQF9gUpPoCH0OLJmEIOSZzHQmUlS/l+u7AP6/NBImzLCOXhivbJtgWWHSVrVqyr/COWMWjwmz9cOJ/sjBvhqLlHkIBsJ18VTzX0IHt8WgajWSU7cvCKM5oqpa1jCwIpcAgCqoNUVYCOQCDhTSCCpymhP/jhTmEhOkzXQGm7a9qkdtIzLtKGuMES+CX/ykpiUiwiD65j5zTqFw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BLAPR09MB6963.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(136003)(346002)(376002)(396003)(39850400004)(76116006)(66574015)(186003)(66556008)(66446008)(6506007)(64756008)(33656002)(66946007)(86362001)(71200400001)(66476007)(8676002)(316002)(54906003)(110136005)(5660300002)(6486002)(6512007)(36756003)(966005)(4326008)(8936002)(91956017)(83380400001)(2906002)(478600001)(2616005)(45080400002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: znmg9cdgnOReAdRRPcHsIL06nL11tbMjvcIyizcqeJjym4d0kZPENY/qww7rMKgOBjUb87/Q78YXU3+gCjuwm/olrJ4XlGHbspbXhhW27D1R70FZFlXHt+vvnc29AEVMV7QDDKwUAEsa+x4xhe26XmAoIqAT32fGrtYauGVUf9Wvbc39nYQ6nsKPcy9X+41Ti+jvdMxlJcJ+nGb3HoBXN94lbYkjKRN4yGB0Vok/pY1MTYSnOffyLqKx7T3iFoAmaCSD/YYAsZdQFZa2UydBEibCfbi1PoKsH/8w4Wl0mcJLhadXMlYr6K2tMQuFmSabW/wbvN5dynDIHB40zlCg42U0/BL9OeYppi5ht676RFKyvX1LXyw9oKE9S1iGc2uRSgw/do9nyZCT5NPCuFDN/uIsnrFprs3O7gWYZ8QEa3z0UaWrfT3kDD1IolPI91htJVVGVH2yX1RqSgiPOCP3FANVCK7PbsX0QC/Kcj4nJLSoSGFyE8dv1mEyFVQlVgh1OxQDzY65AkVSkt47VwZs8Rp1ePI9DTefhvMZkKderld/0W4a9QoRoeg4ecZn0KxUzPsAy8APac5Ciepbx14nT0RSkwJziheM3cxXKuozHm7W/n2ZzJL4cNLdKk4s5ZD7YnFVqBqSlveKwsfSl9MQTFPTgBuU2qQkemM2ohAQxZI=
Content-Type: text/plain; charset="utf-8"
Content-ID: <C37860DA49D84B42A4B11674FB890528@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR09MB6963.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 99ce6dd2-3d0b-4dba-5b1d-08d849549656
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Aug 2020 00:11:31.9873 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: EVvIpzJ3ShUDu5TxSBkXk3h3fGnyluTY5hNSbXoQW3GPSCehUq3sRDPYHAdak2K8JI2WpkrEAOlZ1J1Hl0Z8pw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR09MB5900
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/4tC2jGyQg-qgf68rC294Xy6n6r0>
Subject: Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2020 00:11:36 -0000

Nick,

This point has been made in the past (about origin validation signaling) and I think it is a bit of a red herring.

Operators can and are signaling validation state today with ad-hoc use of communities.  Operators do this for multiple reasons, including providing some resilience to the system should a router lose access to validating caches, to detect and diagnose RPKI state skew among routers in the same network etc.   Not having a standardized encoding of this practice won't be the determining factor of how this kind of signaling is used.

In the case of BGPsec, the need for diagnostics and resilience will be even higher.  Remember there is no "not found" in BGPsec to fall back to loss of contact with RPKI data.  If such signaling also facilitated performance optimizations or implementation of consistent policy decisions on routers that have deferred their own validation procedures, it actually might encourage more deployment than discourage it as you suggest.

In short, I see such mechanisms as supporting and encouraging deployment of these technologies - or at worse being a non-factor to the adoption question - as those who want to do this in non-standard ways will just continue to do so.

Oliver

-----------------------------------------------
Oliver Borchert, Computer Scientist
National Institute of Standards and Technology
(Office) +1.301.975.4856
(GVoice) +1.240.668.4117
 

On 8/11/20, 4:59 PM, "Sidrops on behalf of Nick Hilliard" <sidrops-bounces@ietf.org on behalf of nick@foobar.org> wrote:

    Keyur Patel wrote on 11/08/2020 19:45:
    > A working group last call has been requested for 
    > draft-sidrops-bgpsec-validation-signaling-03, “BGPsec Validation State 
    > signaling”. Please reply to the list with your comments. The WGLC will end 
    > on August 25, 2020.

    In general, replicating validation functionality using BGP communities 
    is a poor idea and from an ops point of view, it seems wiser as a long 
    term objective to push vendors to support bgpsec than to implement hacks 
    like this.  For this reason I don't support publication of the draft as 
    an rfc.

    Major issues:

    1. The draft lacks a problem statement and a sunset clause.

    2. Previously there's been a good deal of discussion on sidrops about 
    RPKI validation state signalling.  Several problems were listed here:

    > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fsidrops%2FYV1WfoxQNiwfOjtKIY1d6YJjRxM%2F&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7Cf3710792241d4bae15bc08d83e397d8c%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637327763936298280&amp;sdata=jfbGfpeLvSkbjjMYjIxzHtKA%2BmW3l%2B6Esky8QGrw1NQ%3D&amp;reserved=0

    Most of the problems associated with validation state signalling 
    identified in that email also apply to bgpsec validation state 
    signalling, namely:

    - crypto authentication is lost
    - different and incompatible set of signalling hooks

    In particular all the problems associated with RPKI validation state 
    signalling over eBGP also apply to bgpsec state signalling over eBGP.

    Defining this as non-transitive is a good start, but the language needs 
    to change to ensure that it cannot escape an ASN.  Can I suggest the 
    following text changes:

    change:
    >    If the router supports the extension as defined in this document, it
    >    SHOULD attach the BGPsec path validation state extended community to
    >    BGPsec UPDATE messages sent to BGP peers by mapping the locally
    >    computed validation state into the last octet of the extended
    >    community.  This SHOULD be done automatically for iBGP peers and
    >    configurable for eBGP peers (see below).

    to:
    >    If the router supports the extension as defined in this document, it
    >    SHOULD attach the BGPsec path validation state extended community to
    >    BGPsec UPDATE messages sent to iBGP peers by mapping the locally
    >    computed validation state into the last octet of the extended
    >    community.

    and change:
    >    By default, routers SHOULD enable use of this
    >    community on all iBGP sessions and routers SHOULD disable the use of
    >    this community on all eBGP sessions.  Implementations MUST NOT send
    >    more than one instance of the origin validation state extended
    >    community and MUST drop (without processing) the BGPsec path
    >    validation state extended community if received over an External BGP
    >    (eBGP) peering session that has not be explicitly configured to
    >    enable processing.

    to:
    >    By default, routers SHOULD enable use of this
    >    community on all iBGP sessions.  Implementations MUST NOT send
    >    more than one instance of the origin validation state extended
    >    community, MUST NOT attach the BGPsec path validation state extended
    >    community to BGPsec UPDATE messages sent to eBGP peers and MUST drop
    >    (without processing) the BGPsec path validation state extended community
    >    if received over an eBGP peering session.
    Nick


    _______________________________________________
    Sidrops mailing list
    Sidrops@ietf.org
    https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7Cf3710792241d4bae15bc08d83e397d8c%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637327763936298280&amp;sdata=auM0IyvMSRptpkD2LVEWInQIJqTEanKyc4b%2BElrTEHc%3D&amp;reserved=0

v2.23.0 | Report a Bug | By Email