IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Job Snijders <job@fastly.com> Thu, 23 March 2023 14:04 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEF38C1524B3 for <sidrops@ietfa.amsl.com>; Thu, 23 Mar 2023 07:04:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j3F3EK60JIYC for <sidrops@ietfa.amsl.com>; Thu, 23 Mar 2023 07:04:02 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F004AC1522D7 for <sidrops@ietf.org>; Thu, 23 Mar 2023 07:04:02 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id w9so87096798edc.3 for <sidrops@ietf.org>; Thu, 23 Mar 2023 07:04:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1679580240; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=rtRdK1cf7NkG18Ht128+dftdmdG9q5lOnHcZCBITnVg=; b=E6a5Xh6BBM2/PU1HW9u3yFAGxCtWrJMzX/idWOqoHzAQT4WYG9lhNM1IZlBSbKj5vf mbao622IStvHRFJ3NadQ6MF1l3gPg2d3ox+xPJ4F8ZWbUTVyq354s2uAJ1bP9IP0cYK2 l+2Wk9cUdPwyGlo7hE4EffzouyrGFczlkqcaY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679580240; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rtRdK1cf7NkG18Ht128+dftdmdG9q5lOnHcZCBITnVg=; b=QdUCSb/RusZFOC+K5990/IGjsFI3+tyix9TWba1yHFDSuz2R0K3NV2LPxqa08JItIf 3eDCud0eYAWCMSZ88yT8m/56qBpbRy4VgVBoZWpbAlKJX4Lj6NvLaUTG6Ktr48Hf4JKX SUE5GjrZWS+kwzWhpz93lt2DFqrKReSLBisFcEr45oT7UA9hCQMtVkNp+eL1LjW7J6Gt bh91jxjpHkW3opAOA8VlKx+rlpKgfUI3rht9XO5Svtjnl97sALDIg6DLx8NLyuttGp3M tZq6TEy5SuAQw8JSnJJNvsX+EPtv08XcTMCAFplEcHPUiq/RUQLKG5Uh+YlhL8ZBO8WA w8Ag==
X-Gm-Message-State: AO0yUKXPQek5Cgr6Su6J3DU6xMYeCLexcBTQZzNaDyvLuQOPCb7geR2v e3ajysGvo8BKFDa068iShKcveg==
X-Google-Smtp-Source: AK7set8v7R2PFiEYidfuVAg6yFSU5xkrIG9g4gRE+C9vFlIhG4QREaoBEKlYqZ0M0h8jk2HMtSfWVg==
X-Received: by 2002:a17:906:15d5:b0:8b1:7e23:5041 with SMTP id l21-20020a17090615d500b008b17e235041mr10908547ejd.39.1679580240557; Thu, 23 Mar 2023 07:04:00 -0700 (PDT)
Received: from snel ([2a10:3781:276:1:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id tm8-20020a170907c38800b0093c82edfd48sm1225350ejc.80.2023.03.23.07.03.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 Mar 2023 07:03:59 -0700 (PDT)
Date: Thu, 23 Mar 2023 15:03:56 +0100
From: Job Snijders <job@fastly.com>
To: Amreesh Phokeer <phokeer=40isoc.org@dmarc.ietf.org>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>, Aftab Siddiqui <Siddiqui@isoc.org>, Max Stucchi <stucchi@isoc.org>, Hanna Kreitem <Kreitem@isoc.org>
Message-ID: <ZBxcTHebGjhJGpzh@snel>
References: <SJ0PR06MB7677230255CC9134CAF94E98D6879@SJ0PR06MB7677.namprd06.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <SJ0PR06MB7677230255CC9134CAF94E98D6879@SJ0PR06MB7677.namprd06.prod.outlook.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/4zQLBjeR-M5CR8v59cpPKonM2FQ>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2023 14:04:07 -0000

Hi folks,

Thanks for your time and message.

On Thu, Mar 23, 2023 at 01:22:32PM +0000, Amreesh Phokeer wrote:
> Thank you to all those involved in this draft. We have reviewed the
> document and here are our comments:
> 
>   1.  Section 4: “An AS SHOULD NOT have more than one ASPA”
>      * It should be clarified that one ASPA per AFI is tolerated

Why?

>      * How do you do “make before break” in case an AS is changing
>        provider or in the case of a resource transfer?

I feel I'm perhaps missing some context behind this question.  Isn't it
standard make before break? Add the new provider, set up BGP
configurations accordingly, decommission BGP with the old provider, and
then update the ASPA? 

>   2.  VAP: it is unclear whether how the VAP will be merged but
>       grouped by AFI in the case of multiple ASPAs?

Ok, I suppose some 'merging' examples can be added in a non-normative
Appendix. Something along the lines of "given ASPA 1 and ASPA 2, the VAP
outcome is ABC". Thank for the suggestion.

>   3.  Validation of the ASPA payload
>      *   A Customer ASID cannot be 0, should it be mentioned in the
>          document or rather in the profile document?

I'm not entirely sure its worth mentioning: the CustomerASID is
constrained through the RFC 3779 delegation of authorizations: it seems
unlikely a RIR will delegate the ability to sign for AS 0 to any LIR.
Secondly, 'AS 0' cannot appear as value in BGP AS_PATHs, so such an ASPA
would never match any BGP updates.

>      *   To make it clear “AS 0 ASPA MUST only have AS 0 as Provider
>          AS”, it doesn’t clearly mention that “normal” ASPA (non AS 0
>          ASPA) MUST NOT have AS 0 in the Provider AS.
>      *   In the absence of point ‘b’ what if AS 0 is added as Provider
>          AS in the ‘normal’ ASPA?

I'm a bit unclear on what is meant with the above two points, can you
further clarify?


>   4.  ROV vs ASPA validation states, keep the states consistent (Unknown/notfound)
>      *   ROV States [valid, invalid, notfound] vs ASPA states [valid, invalid, unknown]

Why? Route Origin Validation and ASPA verification are two different
algorithms with different inputs and different outputs. To me it doesn't
seem to increase consistency.

Thanks for the feedback so far!

Kind regards,

Job

v2.23.0 | Report a Bug | By Email