IETF Logo Mail Archive

Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefixlist-00 (chapter #2 of what does IRR have that RPKI doesn't?)

Job Snijders <job@fastly.com> Tue, 06 June 2023 20:18 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08878C152F17 for <sidrops@ietfa.amsl.com>; Tue, 6 Jun 2023 13:18:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFG2gnaAE0Ak for <sidrops@ietfa.amsl.com>; Tue, 6 Jun 2023 13:18:50 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21079C152F1A for <sidrops@ietf.org>; Tue, 6 Jun 2023 13:18:50 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-977c72b116fso575619566b.3 for <sidrops@ietf.org>; Tue, 06 Jun 2023 13:18:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1686082728; x=1688674728; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=yI+Jooy60tjQNOW4IKjgRQwDpeFF/Tr42db545cS2JI=; b=UdbXi4cq1PBqLMtkeiHi7QoS4b2CmnJzZ7kavJ3jRvUGn9XTIDRkR/zR0J5oJ/ekQg +J5pJ4Y6SeXHmbh+GzT9+L0OJ2cR/sLRJllCu4NQu5go9MWCH0hkl+Cc2wZSopNccFVQ QgM7nJpty/gIFlZuKXKvOYyX+pI0dqTzzQmxU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686082728; x=1688674728; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=yI+Jooy60tjQNOW4IKjgRQwDpeFF/Tr42db545cS2JI=; b=VJmR8Bmc93Xvh3rmWwt/LkGwYC3YqW/J5QCc3MUa056IMacKQRsXWHM/Q9RUr9oLh1 AJ7bssKGiTafvPr8BE5c06iUkeFwuUxxm+NfosZL6oYBXXeo07njaFT/GujIVsh72/1h qfxWaWJaJ1wSaR12DdeEExHTFnINFxp2p72TSfp+dWLEaA1ClFPSig8Z5MeXOYVykjKG dc7uBlHWHEiwZ+8s8BMShGu3HrqUD4gL1rzwAP4hqL3jX0udvhBvrdPCJsdOx2TE1hqP qw6XzoJSvLzHQx8oIVTBsQCW9kmI23ZeKptpQ4PE1X2CkYnROSlFtwV8/jNk74/4oyEg OfiQ==
X-Gm-Message-State: AC+VfDxfcXrupgVEj/HttXZPm7CdzffgCRTXSW6ZeHj49pBoatBlHE1r Ss+viNFgfi3dLo4tvOYfW3X0jA==
X-Google-Smtp-Source: ACHHUZ6EwPX3wYib95lcrZsZSPrzLpkqv8SVrf/iJ/Sb4IbSA9q9umB1sNiOSPSbyWyVyd09KkBn4Q==
X-Received: by 2002:a17:907:3f8f:b0:969:f54c:dee2 with SMTP id hr15-20020a1709073f8f00b00969f54cdee2mr3892318ejc.26.1686082728083; Tue, 06 Jun 2023 13:18:48 -0700 (PDT)
Received: from snel ([2a10:3781:276:1:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id f19-20020a1709067f9300b00977c7566ccbsm4471311ejr.164.2023.06.06.13.18.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Jun 2023 13:18:47 -0700 (PDT)
Date: Tue, 06 Jun 2023 22:18:45 +0200
From: Job Snijders <job@fastly.com>
To: "Dale W. Carder" <dwcarder@es.net>
Cc: Geoff Huston <gih@apnic.net>, "sidrops@ietf.org" <sidrops@ietf.org>
Message-ID: <ZH+UpZpcim9PpnQ2@snel>
References: <ZCVHnAWWUuDJOPRX@feather.sobornost.net> <2A883945-4482-4BF2-8959-5DA6F30CF503@apnic.net> <ZH5RomQDWUVzb-gR@dwc-desktop.local> <ZH5b38cNkaMB5n9I@snel> <ZH93vgljjtuldqpi@dwc-desktop.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ZH93vgljjtuldqpi@dwc-desktop.local>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/7ccAJVgZH2G_Pea-_dGgrRRuh3I>
Subject: Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefixlist-00 (chapter #2 of what does IRR have that RPKI doesn't?)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jun 2023 20:18:54 -0000

Hi Dale,

On Tue, Jun 06, 2023 at 01:15:26PM -0500, Dale W. Carder wrote:
> > I believe AS 293 is an autonomous system you have a relationship to?
> > You had no say in me creating the ROA. (I consider this a good
> > thing)
> > 
> > So with that in mind, perhaps you (and others in the same position)
> > should have the ability to reliably communicate to the public what
> > set of IP prefixes you intend to originate.
> 
> Yep, this helps clarify things.  I also have to wrap my mind around
> route-sets vs as-sets as an analogy, but have to ask why are IRR
> route-sets so underutilized?  I would just want be sure the roadblocks
> are not the same.  Is it that we expect user-facing tooling to be
> better, or the increased granularity of the roa+rpki-prefixlist
> combined attestations to be compelling?  Sorry this is a bit out of
> scope for the draft, but I think we're building towards an ecosystem.

User-facing tooling would be better: with IRR route-sets are plain-text
and lack object security, you have no idea if the AS holder was the one
who created the route-set. Additionally, you don't know the purpose of
the route-set: is it a list of prefixes that they found visually
pleasing? A list of networks to drop packets from? A random list?

In roa+rpki-prefixlist we can address such shortcomings and provide a
fully automated workflow (for example by extending RPKI-To-Router)

> > > Operationally, I think I would worry about the list getting out of
> > > sync.
> > 
> > But that's the point exactly - if such a list gets out of sync - the
> > out-of-syncness property is an information event which in turn could be
> > help make better informed routing decisions / BGP best path selection.
> 
> Got it!
> 
> Let's see if I can summarize section 6, figuring on an end-game RP policy
> of drop-invalid.  
> 
> scenario |   ROA    | rpki-prefixlist | Action
> ---------| ---------|-----------------|-------
>     1    | valid    | valid           | accept
>     2    | valid    | invalid         | drop
>     3    | valid    | unknown         | accept
>     4    | invalid  | valid           | drop
>     5    | invalid  | invalid         | drop
>     6    | invalid  | unknown         | drop
>     7    | unknown  | valid           | accept
>     8    | unknown  | invalid         | drop
>     9    | unknown  | unknown         | accept
> 
> Does this seem right?  

You are spot on. 

> For BGP UPDATE processing, scenarios (2) and (8) which I think would
> be new would definitely be of value. 

Yes! Thanks for summarizing the end-game.

> I think it does still fit in RTR (rfc8210)?

Yes, this can be made to work in RTR.

> For generation of RFC7454 style prefix route-policy filters, there's 
> some utility, but I think will we still might have the larger gap of 
> wanting an IRR as-set analog to define downstream ASN's.  Like, would
> we want the opposite of ASPA ASProviderAttestation.

That is a great question, I've authored two (in my opinion flawed)
proposals in that context:

https://datatracker.ietf.org/doc/html/draft-ietf-grow-rpki-as-cones
https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-asgroup

In a nutshell: AS-Cones is underspecified and relies on some hopium, and
I made asgroups far too complex.

I think there are three questions I need to answer in order to produce a
third simple approach (which perhaps would have some viability).

1) Should the RPKI-based 'as-set' equivalent directly support recursion?
   (I'm starting to think 'no', because you'd be able to chain together
   non-recursive RPKI as-sets using ASPAs. We've also seen time after
   time that IRR as-sets expand to nearly infinite sizes when someone by
   accident references a gigantic as-set from their own as-set, this can
   be avoided if we simply don't allow referencing to anything other than
   ASNs. But what would the implications be for a partial-adoption
   world?)

2) Should a given referenced ASN 'actively opt-in' into being listed in
   the 'as-set' equivalent? The equivalent of the IRR 'member-of:'
   attribute.
   One could argue that being listed as Provider in an ASPA is a
   positive attestation that can be compared to the 'RPKI as-set' (the
   opposite of the ASPA ASProviderAttestation.)

3) What to call the thing? Between IRR 'as-set' and BGP 'AS_SET', I'm
   hesitant to do an additional overload of the letters 'asset'.

> Structurally the current draft mostly defines the profile, but presuming
> it's adopted, would we want to break out the verification process / usage
> considerations into a separate draft or keep it all together? (for example
> ASPA profile and verification are separate). 

Yes, it likely would end up becoming 3 documents:

1) profile
2) verification process for BGP implementations
3) RTR extension

I didn't write 2 + 3 as those are mostly mechanical, and not worth
spending time on if the profile / concept aren't adopted.

Kind regards,

Job

v2.23.0 | Report a Bug | By Email