Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefixlist-00 (chapter #2 of what does IRR have that RPKI doesn't?)
Job Snijders <job@fastly.com> Tue, 06 June 2023 20:18 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08878C152F17 for <sidrops@ietfa.amsl.com>; Tue, 6 Jun 2023 13:18:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFG2gnaAE0Ak for <sidrops@ietfa.amsl.com>; Tue, 6 Jun 2023 13:18:50 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21079C152F1A for <sidrops@ietf.org>; Tue, 6 Jun 2023 13:18:50 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-977c72b116fso575619566b.3 for <sidrops@ietf.org>; Tue, 06 Jun 2023 13:18:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1686082728; x=1688674728; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=yI+Jooy60tjQNOW4IKjgRQwDpeFF/Tr42db545cS2JI=; b=UdbXi4cq1PBqLMtkeiHi7QoS4b2CmnJzZ7kavJ3jRvUGn9XTIDRkR/zR0J5oJ/ekQg +J5pJ4Y6SeXHmbh+GzT9+L0OJ2cR/sLRJllCu4NQu5go9MWCH0hkl+Cc2wZSopNccFVQ QgM7nJpty/gIFlZuKXKvOYyX+pI0dqTzzQmxU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686082728; x=1688674728; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=yI+Jooy60tjQNOW4IKjgRQwDpeFF/Tr42db545cS2JI=; b=VJmR8Bmc93Xvh3rmWwt/LkGwYC3YqW/J5QCc3MUa056IMacKQRsXWHM/Q9RUr9oLh1 AJ7bssKGiTafvPr8BE5c06iUkeFwuUxxm+NfosZL6oYBXXeo07njaFT/GujIVsh72/1h qfxWaWJaJ1wSaR12DdeEExHTFnINFxp2p72TSfp+dWLEaA1ClFPSig8Z5MeXOYVykjKG dc7uBlHWHEiwZ+8s8BMShGu3HrqUD4gL1rzwAP4hqL3jX0udvhBvrdPCJsdOx2TE1hqP qw6XzoJSvLzHQx8oIVTBsQCW9kmI23ZeKptpQ4PE1X2CkYnROSlFtwV8/jNk74/4oyEg OfiQ==
X-Gm-Message-State: AC+VfDxfcXrupgVEj/HttXZPm7CdzffgCRTXSW6ZeHj49pBoatBlHE1r Ss+viNFgfi3dLo4tvOYfW3X0jA==
X-Google-Smtp-Source: ACHHUZ6EwPX3wYib95lcrZsZSPrzLpkqv8SVrf/iJ/Sb4IbSA9q9umB1sNiOSPSbyWyVyd09KkBn4Q==
X-Received: by 2002:a17:907:3f8f:b0:969:f54c:dee2 with SMTP id hr15-20020a1709073f8f00b00969f54cdee2mr3892318ejc.26.1686082728083; Tue, 06 Jun 2023 13:18:48 -0700 (PDT)
Received: from snel ([2a10:3781:276:1:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id f19-20020a1709067f9300b00977c7566ccbsm4471311ejr.164.2023.06.06.13.18.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Jun 2023 13:18:47 -0700 (PDT)
Date: Tue, 06 Jun 2023 22:18:45 +0200
From: Job Snijders <job@fastly.com>
To: "Dale W. Carder" <dwcarder@es.net>
Cc: Geoff Huston <gih@apnic.net>, "sidrops@ietf.org" <sidrops@ietf.org>
Message-ID: <ZH+UpZpcim9PpnQ2@snel>
References: <ZCVHnAWWUuDJOPRX@feather.sobornost.net> <2A883945-4482-4BF2-8959-5DA6F30CF503@apnic.net> <ZH5RomQDWUVzb-gR@dwc-desktop.local> <ZH5b38cNkaMB5n9I@snel> <ZH93vgljjtuldqpi@dwc-desktop.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ZH93vgljjtuldqpi@dwc-desktop.local>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/7ccAJVgZH2G_Pea-_dGgrRRuh3I>
Subject: Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefixlist-00 (chapter #2 of what does IRR have that RPKI doesn't?)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jun 2023 20:18:54 -0000
Hi Dale, On Tue, Jun 06, 2023 at 01:15:26PM -0500, Dale W. Carder wrote: > > I believe AS 293 is an autonomous system you have a relationship to? > > You had no say in me creating the ROA. (I consider this a good > > thing) > > > > So with that in mind, perhaps you (and others in the same position) > > should have the ability to reliably communicate to the public what > > set of IP prefixes you intend to originate. > > Yep, this helps clarify things. I also have to wrap my mind around > route-sets vs as-sets as an analogy, but have to ask why are IRR > route-sets so underutilized? I would just want be sure the roadblocks > are not the same. Is it that we expect user-facing tooling to be > better, or the increased granularity of the roa+rpki-prefixlist > combined attestations to be compelling? Sorry this is a bit out of > scope for the draft, but I think we're building towards an ecosystem. User-facing tooling would be better: with IRR route-sets are plain-text and lack object security, you have no idea if the AS holder was the one who created the route-set. Additionally, you don't know the purpose of the route-set: is it a list of prefixes that they found visually pleasing? A list of networks to drop packets from? A random list? In roa+rpki-prefixlist we can address such shortcomings and provide a fully automated workflow (for example by extending RPKI-To-Router) > > > Operationally, I think I would worry about the list getting out of > > > sync. > > > > But that's the point exactly - if such a list gets out of sync - the > > out-of-syncness property is an information event which in turn could be > > help make better informed routing decisions / BGP best path selection. > > Got it! > > Let's see if I can summarize section 6, figuring on an end-game RP policy > of drop-invalid. > > scenario | ROA | rpki-prefixlist | Action > ---------| ---------|-----------------|------- > 1 | valid | valid | accept > 2 | valid | invalid | drop > 3 | valid | unknown | accept > 4 | invalid | valid | drop > 5 | invalid | invalid | drop > 6 | invalid | unknown | drop > 7 | unknown | valid | accept > 8 | unknown | invalid | drop > 9 | unknown | unknown | accept > > Does this seem right? You are spot on. > For BGP UPDATE processing, scenarios (2) and (8) which I think would > be new would definitely be of value. Yes! Thanks for summarizing the end-game. > I think it does still fit in RTR (rfc8210)? Yes, this can be made to work in RTR. > For generation of RFC7454 style prefix route-policy filters, there's > some utility, but I think will we still might have the larger gap of > wanting an IRR as-set analog to define downstream ASN's. Like, would > we want the opposite of ASPA ASProviderAttestation. That is a great question, I've authored two (in my opinion flawed) proposals in that context: https://datatracker.ietf.org/doc/html/draft-ietf-grow-rpki-as-cones https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-asgroup In a nutshell: AS-Cones is underspecified and relies on some hopium, and I made asgroups far too complex. I think there are three questions I need to answer in order to produce a third simple approach (which perhaps would have some viability). 1) Should the RPKI-based 'as-set' equivalent directly support recursion? (I'm starting to think 'no', because you'd be able to chain together non-recursive RPKI as-sets using ASPAs. We've also seen time after time that IRR as-sets expand to nearly infinite sizes when someone by accident references a gigantic as-set from their own as-set, this can be avoided if we simply don't allow referencing to anything other than ASNs. But what would the implications be for a partial-adoption world?) 2) Should a given referenced ASN 'actively opt-in' into being listed in the 'as-set' equivalent? The equivalent of the IRR 'member-of:' attribute. One could argue that being listed as Provider in an ASPA is a positive attestation that can be compared to the 'RPKI as-set' (the opposite of the ASPA ASProviderAttestation.) 3) What to call the thing? Between IRR 'as-set' and BGP 'AS_SET', I'm hesitant to do an additional overload of the letters 'asset'. > Structurally the current draft mostly defines the profile, but presuming > it's adopted, would we want to break out the verification process / usage > considerations into a separate draft or keep it all together? (for example > ASPA profile and verification are separate). Yes, it likely would end up becoming 3 documents: 1) profile 2) verification process for BGP implementations 3) RTR extension I didn't write 2 + 3 as those are mostly mechanical, and not worth spending time on if the profile / concept aren't adopted. Kind regards, Job
- [Sidrops] draft-spaghetti-sidrops-rpki-prefixlist… Job Snijders
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Geoff Huston
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… gengnan
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Dale W. Carder
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Job Snijders
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Geoff Huston
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Tim Bruijnzeels
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Tony Tauber
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Job Snijders
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Tim Bruijnzeels
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Dale W. Carder
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Job Snijders
- Re: [Sidrops] draft-spaghetti-sidrops-rpki-prefix… Geoff Huston