IETF Logo Mail Archive

Re: [Sidrops] some wording improvements in draft-ietf-sidrops-aspa-verification

"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Mon, 22 May 2023 17:17 UTC

Return-Path: <oliver.borchert@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A68DEC14CE4B; Mon, 22 May 2023 10:17:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rPOazZjvc67B; Mon, 22 May 2023 10:17:07 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on20722.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d04::722]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12A01C15155E; Mon, 22 May 2023 10:16:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=H/Da0ONRQqZLWRSy7sk6ja5c2TC0nJYcmRoSvWv6tj22TZ0h4iHMvgv04WguAHe75bVPXJlI+WaT4djUpjAB42C/mmIXGIKKgfHLG0Jgr0gfyhwc8ycPTYk2HJsNj2bew583zjLF1iLcShuBpL1IwMIWFCkABukAcixX+9FwtOQBhxoDcy7lx1f9meJINvJjP/IacG7kEX4JBB5fKcPDYTrif8rZ+GOmIhBMNd75I8gHPd7sMhdTmxA7o6Z212Dv8FJ69r3q9eNKmJFtboVLXxBhSMIWMixAbUceliSXeHecYFqgju0F1sW78HT2wO7XEg+VgZYlEuVu+G9NatTe+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=66kbUULWLvyInwd9eghmJtu8yDn2CoI+QTUJo1gBlh0=; b=hHTlxa2rg1pnKUlTJsgplpkylEauzEX/1TzdCb6AxAIfVOfBlX8PTkeR39duSOVFyUUCrjfLLNMislVn40hdBZuZ5WKRNGbvJZjeqmsocWTBn91cKP250KjC6mx/EQVI+fu68u9BzTh++ISw4kmj3qX+Jh+WkeHjo3QcliL3ID+yjtKAaPvdpPUQ5H79KW3Gel4N3mofBX5wFnl4a9VxytD+6xzD5yDzMBzfXZ+TnzWIkfsPiI6HxuKDjAhXPbOcECMdkaflxkAvjJfg7vHY4CQ9HEPdwSmn8KDiqlugzb7uo6yYXekrBPd5uMyENgaEXY2evx7WmHgD40argcVcSQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=66kbUULWLvyInwd9eghmJtu8yDn2CoI+QTUJo1gBlh0=; b=nrgAo4liYUXpHXGYcKmD9y12QCgs0ox/SN1oHoYgVJRupHvAkf+ED1pQl81PylKCGzP7K2E8DaLy03QFHBkk7pV61qMu7ChgFRXXes2DlWgw5KTk1bWrAwN9/uXEr/MZ336yx8MvunuGO7+tId2SDb5eLj89pxCQpjwQ5eRoPgzseIen3k6Xk9rU8apk4tPdjbggmxlxjDvbAPABhb8LfhbdLyghq15wy5ik3J8STrSQ+GkXbAiUWg72aaPUEbSv3PDrNe9TrE9LyU1JVeBnbsPc+Xk4EPAC9xhFcrnKx0XAyGZUMCWCaqrebW2/q9xFljqFPNE6YyBaN4mFWpGkEg==
Received: from BLAPR09MB6322.namprd09.prod.outlook.com (2603:10b6:208:2af::22) by MW4PR09MB10380.namprd09.prod.outlook.com (2603:10b6:303:1fb::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.28; Mon, 22 May 2023 17:16:54 +0000
Received: from BLAPR09MB6322.namprd09.prod.outlook.com ([fe80::7003:1ff8:272:942b]) by BLAPR09MB6322.namprd09.prod.outlook.com ([fe80::7003:1ff8:272:942b%3]) with mapi id 15.20.6411.028; Mon, 22 May 2023 17:16:54 +0000
From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, Claudio Jeker <cjeker@diehard.n-r-g.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
Thread-Topic: some wording improvements in draft-ietf-sidrops-aspa-verification
Thread-Index: AQHZjM3f0W7zRtMbtUWpnp/Ag3CV0a9mhgFn
Date: Mon, 22 May 2023 17:16:28 +0000
Message-ID: <BLAPR09MB63225938E97B83F3A87FBB1D98439@BLAPR09MB6322.namprd09.prod.outlook.com>
References: <SA1PR09MB8142523FA03AC4EA6E0E014E847C9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814235BE0566A5C6935CF5B184439@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814231707524646D651B69B884439@SA1PR09MB8142.namprd09.prod.outlook.com> <ZGs5bFRjPLnyL2Jd@diehard.n-r-g.com> <SA1PR09MB8142CF03CEBF445924004B0784439@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142CF03CEBF445924004B0784439@SA1PR09MB8142.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BLAPR09MB6322:EE_|MW4PR09MB10380:EE_
x-ms-office365-filtering-correlation-id: 2b2616dd-c12c-4463-c7d7-08db5ae85726
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wL8kGNl0EZA4RxXKp5M/zZqaDMowMKI/6sl+7rbl2NE+KVOfN+xAHnPGtBlXvuPvfGXRcMcHFSnpV9JqyNdSKbibuElSYhCVQqGpvvSEpY1A5jroKBTWn5zApneyAzQFR5YGOB46rDRePYSR3Mulyl5+UNrcBMpz4oyu0oNyW1CqJMpCbYve/+271PN0nRovCfgQXMSOdCP9toKa9ymwi4NiqVIIsd5sMUFnMqbcgcpojeZMDC/HM3rZvF1p4+/9wDxV9VqP4glL/70aM7RePs2XaCCNKdwngWO4QZ9rL71CYL5WSVeZCBoauqm0LFqa1azWrmHPa1NnwlcKaFViQAVQ7Kq919PJrQ10M4u7XaktvjgoPL3oYTwUBvN8nzVaCkLEWQqr/ts/2vZxEsz9dpWYR5KgvrvZ0pA5tK46M7F76+5KQWRmzhUdo+Ua88USiWGVUxdYfc5xrGf//+MIuYdlIFQfuQQsaLQZXpDVRGqso+m12O4BYjssq3MKCYoNY9dc0dKTAmVpFwXTCyz8z9ghYYsgNKb/3Soz6SBdrfcyLswHgbmT0bxae0dEdtQFTstPfYJuqNxHBM8mISKa+DPYxCPy9viidedGJPgcFRE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BLAPR09MB6322.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(366004)(451199021)(2906002)(15650500001)(52536014)(5660300002)(83380400001)(8676002)(8936002)(91956017)(66446008)(76116006)(66946007)(66556008)(66476007)(966005)(4326008)(54906003)(110136005)(498600001)(7696005)(55016003)(6666004)(71200400001)(64756008)(33656002)(86362001)(107886003)(26005)(122000001)(82960400001)(186003)(6506007)(9686003)(53546011)(166002)(38100700002)(38070700005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tmCPp/5HN9ndwQvdlyWJdrlLC9Vfwx3pn17eLxblcGiup3PZYMrpLBYmxxvpR6FWHQQilamLqy/YB+ctqEcfcOo79UkM3QpNZsKVpG1BFRAD0etmFl4o/pywkfACJ+xhveV07FLIZMg6zskaE+IysYGKEB0bB/NDeeBpWFNBJiNUOHjjAcmS8UnBSThWxUaJJUSt8rhf1djczirZkffo3dtVQlo2GS9AXPmILQawnZ2oSZCCG4gM1ociOWeGlwx2Bgpsoys1gGPLKatoPkUy/0aRfIhbHIykj/SJbhL32zLaa0/ZZ1JQc3Efg6xw4h/a+74Z/W3d9v+Ac5pLI7DfO4kmd/uwt//dEp61x3OHgHfFwFylMcwcMMS1Ofe+XgqrCpxY2EOcrMrYcSN4QqrzV6+gOB2imUGNx1buBBB+q8VXKzoa8VVu/DUIN5oRgj5l+yW7aPTvxZxm0ErYQzBkIKxlvfbHEgEjXEY5TrD5JYilXDDHePs3phKLt0ZfiKzjXlrgDLY6OGOpQOpJZ/1giN54jBWTh0dCYDZjPDlwyDj1CCwFfLhJNbHEw8fIwFSIdxbQ3RVLo84/Z0A+cZuKFIvwwm5LkLTV5zlZsmUMWrBX8KXr044Egs7RR/2yU/GvG8KcmBw5UF8lh++ozXYZ7OO3pvjH1MIIUl+8SKFkOUZDh/8LRmN8adFvthtVVIVmIXbQcsX/TGQFNiqF5mqP/FyaNx25XhqARQZWTGUjnmiinOq3oZ6W0zYk6aIZ5zLMyq85BDbmk5OhyKbN6uorwr7ixI0M0YQIaLNKX00c0IKjb/QzbJmUnqqp8HUlX+PZqLcA4Iskc6VeBUh7Ty5l6lq6qOMCXYAwMDQs0D1nbdMfytnOhRFX0W5oHRWoGysfcUBAUDLziWJBaz9YdQcYQwvrwJRsFKF2Y5mM/c2s6Nok0LetTIGXodAtX1QlDTWBaX8I3yoXCDy2aZ5P38+zGxhITFrPKFpQeKBS1YFY2bU9IdcBwlUNU6B2ToQeeUa1Ju6kg0bzN8WrkvHODO+Hce0+C2klNXD5v+ulf1w5kYsLQDvNX8cDt3HtIlsuzhdAlh1odi/PaoKfOOJJ4xUwj7KLQserXHjm3VKCxyzujH7lMVyT7QZBnRrx1qWwKT6aGfOiHUDUgYBmX4u6ZMWsAhcYgjaGylKb8+OYs6GxTt8o+pDg0kAwhq7Mvwmn9diFBPy4lKABBU42ML+pMnlTbxg2cZIVxtnN2lLbEhRIvFw7yFieKVc6gj2meE09gwQ8RAAOZ3IDm8jbU4i4wdL7/PbQW2wqOkz6pZojwVy1p1+6lvfW6bIblwC8detDQKytnsg/0BES7rTs5ZklFry9izXVegXeH61fPMTR7d8SlOx+ixs1iqwuCnv2tklR9z1QCxnyDnsNHgtrTfCBtBlPaI+Dd3mO5poG1/hbDvaFe5f1/TZKhR9toe3tWW2X+lkOpcP+sA9sFsPjnAk4EykQig+/wRlDt6iSuTeofTXlrVHz3V/IIMr0Pf3WIswLWJkLIfjSAkds7m4DBJ2A8Q527s4PObVniWTr0r1ZyLSrdus=
Content-Type: multipart/alternative; boundary="_000_BLAPR09MB63225938E97B83F3A87FBB1D98439BLAPR09MB6322namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR09MB6322.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2b2616dd-c12c-4463-c7d7-08db5ae85726
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 May 2023 17:16:54.3986 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR09MB10380
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/6Aar7_X36mh2ex-uyhJh7GKEEgk>
Subject: Re: [Sidrops] some wording improvements in draft-ietf-sidrops-aspa-verification
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 17:17:13 -0000

Also, to remove any confusion, I propose a modification in the ASPA Profile draft to completely remove the Note in Appendix B that reads:


  Note that two PDUs are always generated per Customer ASID: one with
  AFI Flags = IPv4 and one with AFI Flags = IPv6.

Oliver

From: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
Date: Monday, May 22, 2023 at 12:53 PM
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: Borchert, Oliver (Fed) <oliver.borchert@nist.gov>, sidrops@ietf.org <sidrops@ietf.org>, draft-ietf-sidrops-aspa-verification@ietf.org <draft-ietf-sidrops-aspa-verification@ietf.org>
Subject: some wording improvements in draft-ietf-sidrops-aspa-verification
[We are now talking about edits in the ASPA verification draft;
so I've changed the subject line;
it was "Re: [Sidrops] Which 8210-bis error code should be used?"]

Claudio,

It appears we are converging well. Thanks for your suggestions. I've incorporated them.

The paragraph in consideration is now simplified as follows (the "Note: ..." stuff is deleted):

   If, despite the above recommendations, the ASPA(s) of a CAS includes
   SPAS for one AFI but not for the other AFI (not even an AS 0), then
   for AS_PATH verification purposes, the CAS is considered to have no
   providers (i.e., absent VAP-SPAS) for the neglected AFI (see the hop-
   check function computation in Section 5).

I have improved the hop-check function description per your suggestion as follows:

                                             /
                                             |  "No Attestation" if there is no entry
                                             |     in VAP-SPAS table for CAS = AS(i)
                                             |     regardless of the AFI value
                                             |
   hop(AS(i), AS(j), AFI) =  /   Else, "Provider+" if a VAP-SPAS entry for
                                            \     CAS = AS(i) for the mentioned AFI
                                            |     is present and includes AS(j)
                                            |
                                            |  Else, "Not Provider+"
                                            \

Also made the following change for clarity regarding the "No Attestation" outcome (in Section 5 after the above equation):

OLD text:

    The hop-check function is AFI dependent because an AS may have
    different SPAS for different AFI.

NEW text:

   The "No Attestation" result is returned only when the CAS = AS(i) has
   no ASPA(s) registered or none of its ASPAs are cryptographically
   valid, resulting in no entry for the CAS in the VAP-SPAS table
   (regardless of the AFI value).  The hop-check function is AFI
   dependent because an AS may have different SPAS for different AFIs.

Thanks.

Sriram

==============================

From: Claudio Jeker <cjeker@diehard.n-r-g.com> Mon, 22 May 2023

On Mon, May 22, 2023 at 05:05:21AM +0000, Sriram, Kotikalapudi (Fed) wrote:
> Oliver and I have discussed the issue off-list. Requiring an artificial
> insertion of an AS 0 only VAP-SPAS for the neglected AFI for the CAS is
> not required. The verification algorithm (hop-check function in Section
> 5) inherently takes care of the neglected AFI (absent VAP-SPAS)
> situation.

I agree with this direction. I suggested a very similar change in a
previous mail.

> The previously proposed text change (
> https://mailarchive.ietf.org/arch/msg/sidrops/C5newCanz60yBNc6myoEZfQnMoc/
> ) is retracted.
>
> But a slight modification of the paragraph in consideration would be
> good as follows:
>
>
> OLD text:
>
>
>    If, despite the above recommendations, the ASPA(s) of a CAS includes
>    SPAS for one AFI but not for the other AFI (not even an AS 0), the
>    ASPA SHALL NOT be rejected just for that reason.  However, such an
>    ASPA(s) will be presumed to imply that the CAS has no providers
>    (equivalent to AS 0 SPAS) for the AFI that they neglected to include.
>
>
>
> NEW text:
>
>
>    If, despite the above recommendations, the ASPA(s) of a CAS includes
>    SPAS for one AFI but not for the other AFI (not even an AS 0), then
>    for AS_PATH verification purposes, the CAS is considered to have no
>    providers (i.e., absent VAP-SPAS) for the neglected AFI (see the hop-
>    check function computation in Section 5).  (Note: Artificial
>    insertion of an AS 0 only VAP-SPAS for the neglected AFI for the CAS
>    is not required.)

I think one should just remove this section and offload all of this into
Section 5. Especially the added Note: does not help at all and is just
confusing for a reader of the draft/RFC who does not know the backstory.
We need to write this for people not knowing all the discussions we had.

> The hop-check function is slightly tweaked as follows:
>
>                              /
>                              | "No Attestation" if there is no entry
>                              |   in VAP-SPAS table for CAS = AS(i)
>                              |
>    hop(AS(i), AS(j), AFI) =  / Else, "Provider+" if a VAP-SPAS entry for
>                              \   CAS = AS(i) for the mentioned AFI
>                              |   is present and includes AS(j)
>                              |
>                              | Else, "Not Provider+"
>                              \
>
>
> This is basically the same function definition as before but makes it
> clearer that since VAP-SPAS is absent for the neglected AFI, there would
> be no match in the VAP-SPAS for AS(j) and hence the outcome for that AFI
> would be "Not Provider+".

While already better I prefer if in the "No Attestation" case a clear
statement that this applies to all possible AFI values.
A possible option is:
                             | "No Attestation" if there is no entry
                             |   in VAP-SPAS table for CAS = AS(i)
                             |   independent of the AFI value

I really prefer the definition of the hop-check function to be explicit
to avoid any possible misinterpretation.

--
:wq Claudio

v2.23.0 | Report a Bug | By Email