Re: [Sidrops] ASPA verification questions
Claudio Jeker <cjeker@diehard.n-r-g.com> Thu, 15 December 2022 12:59 UTC
Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35F73C14CE36 for <sidrops@ietfa.amsl.com>; Thu, 15 Dec 2022 04:59:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.893
X-Spam-Level:
X-Spam-Status: No, score=-6.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3JrDptX9l3cv for <sidrops@ietfa.amsl.com>; Thu, 15 Dec 2022 04:59:23 -0800 (PST)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C314BC1516EA for <sidrops@ietf.org>; Thu, 15 Dec 2022 04:58:46 -0800 (PST)
Received: (qmail 69467 invoked by uid 1000); 15 Dec 2022 12:58:43 -0000
Date: Thu, 15 Dec 2022 13:58:43 +0100
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: sidrops@ietf.org
Message-ID: <Y5saAzBLErhmwQM8@diehard.n-r-g.com>
References: <Y5nh7YrUMjxOy1xA@diehard.n-r-g.com> <20221214181035.bydtb3nvtsklav4j@iolcus> <1ce683ebac624b9fa87ff32000f0aa40@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1ce683ebac624b9fa87ff32000f0aa40@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/6azu6t9s8xEreIbCsl4TNC7B7Mo>
Subject: Re: [Sidrops] ASPA verification questions
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2022 12:59:27 -0000
On Thu, Dec 15, 2022 at 02:35:00AM +0000, Wanghaibo (Rainsword) wrote: > Hi Ben, > > I agree with you. > > When an ISP wants to do ASPA verification, the ISP should sign its own > ASPAs. Then the border router can calculate the peer's role according to > that database. > When we set a peer's role according to RFC9234, it also makes the > calculating easier. But even if we do that, I think we may also check > the peer's role configuration whether match the ASPAs, because of > misconfiguration may happen. I desagree. Tying ASPA verification together with announcing ASPA objects will result in a much higher bar to deploy ASPA verification at large. It also adds a dependency of ASPA verification to specific ASPA objects and will cause disruption if for whatever reason the ISP's ASPA object fails to validate. Also it may be easier for bigger providers to enable ASPA verification well ahead of adding official ASPA objects. I see the elegance of the proposal but I think the downsides of using Validated ASPA Payloads to control ASPA verification are to big. -- :wq Claudio > |-----Original Message----- > |From: Sidrops [mailto:sidrops-bounces@ietf.org] On Behalf Of Ben Maddison > |Sent: Thursday, December 15, 2022 2:11 AM > |To: Claudio Jeker <cjeker@diehard.n-r-g.com> > |Cc: sidrops@ietf.org > |Subject: Re: [Sidrops] ASPA verification questions > | > |Hi Claudio, > | > |On 12/14, Claudio Jeker wrote: > |> Hi all, > |> > |> I'm working on ASPA verification in OpenBGPD and while I have the > |> basic validation algorithm working I have a question that is not > |> covered by > |> draft-ietf-sidrops-aspa-verification-11: > |> > |> What should happen with ebgp peers that have no role assigned? > | > |My personal view (which I have previously discussed, without agreement, with > |some of the authors) is that the default 'provider/non-provider' > |status of an external peer should be derived from the ASPAs issued by the local > |AS. > | > |This obviously needs a knob for override on a per-peer, per-afi basis. > | > |I would prefer not to have a tight coupling with RFC9234 roles in > |implementations. > | > |Cheers, > | > |Ben > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] ASPA verification questions Claudio Jeker
- Re: [Sidrops] ASPA verification questions Job Snijders
- Re: [Sidrops] ASPA verification questions Ben Maddison
- Re: [Sidrops] ASPA verification questions Randy Bush
- Re: [Sidrops] ASPA verification questions Wanghaibo (Rainsword)
- Re: [Sidrops] ASPA verification questions Claudio Jeker
- Re: [Sidrops] ASPA verification questions Zhuangshunwan
- Re: [Sidrops] ASPA verification questions Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] ASPA verification questions Claudio Jeker