Re: [Sidrops] Minor comments on draft-ietf-sidrops-aspa-profile-00

Alexander Azimov <a.e.azimov@gmail.com> Mon, 14 October 2019 20:59 UTC

Return-Path: <a.e.azimov@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EC1C120045 for <sidrops@ietfa.amsl.com>; Mon, 14 Oct 2019 13:59:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W39g57iGw_v2 for <sidrops@ietfa.amsl.com>; Mon, 14 Oct 2019 13:59:33 -0700 (PDT)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE0D312003E for <sidrops@ietf.org>; Mon, 14 Oct 2019 13:59:32 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id i16so14937168oie.4 for <sidrops@ietf.org>; Mon, 14 Oct 2019 13:59:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K5+VvszGJcDbIu2yWDYEqnl+PiEit4UKeclVNReNhq4=; b=Fqcv8aGxQpTGjAbU2lT22JJtZfiQOVicJhRPmUmjlLiBEtEo8PrdaBJEjg7773JFkp GWfZ/Qh0hiVpu2ic02KKlhFYSXhHLJHYlPWREFQZCOruX3zG3oQSERhA50O/NOUMwPAG wODVYQwtT0hlC7P/oziZDuDr1x/1L90Xebkg9aiDX6wBMD22ZHLjUgjxeBxIilDjFDDN DRZVvsjq10+7IXFUukcfLZH+4aZI+D5EyjPiR1njsijz9+ign9Zow54w/oZwa4+lATY3 8VfUM2bZLLxPVprIOh+hD3UQipZ98RPzcHjzpzYrGOWEJMo3RWeyKABS+SjJM5zBWp+H 5yIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K5+VvszGJcDbIu2yWDYEqnl+PiEit4UKeclVNReNhq4=; b=NarDVEdUKBgKyg09gf9Ah6oHGXwqWD4520ATRbZVpj8mMUQ+uqRZyAaepPFzX8eq0R 5tSQWGvNvxSRi/hRQRAmnU7ILIsIicRSF+wrh2AJcgWwp8DMoB40MD7Nymnf0TtGRrHj CglSHaHZHozyrtStIKrf0hG9thwwleVdtNyxlI7h/reX35scE0wkDJ7DVZ20+AT2foCR X3TyLnazGC0ApfnjdKGcXsuXI2rJUIA1EbuKxNyABn9oQFo1yb5w5UV5TT2oONRrdz8l Pt9FoJhRW59u6+Dx7JEdiZ0IIv9wSEJmOsEOKeCQj/RPHE1IRFJ247JAVD/oORDig1i8 zLcg==
X-Gm-Message-State: APjAAAXB4tcEWW1ovIwdCsxKowhADWu1Qzo3EwupQl92ww2/bN3XBY9R OVNog6/eJKCIaweK9IaHtXVJUF6rNDq8glL8QiE=
X-Google-Smtp-Source: APXvYqzYYEd1e0bAt2V/mBlmm1Zkr7bzb8I8ktXjrWhAvSSE5fK4lUkpa0wfE/FlYTv8ZoVt6v8o10M2T9WosDw43/Y=
X-Received: by 2002:aca:3a55:: with SMTP id h82mr26454784oia.128.1571086771902; Mon, 14 Oct 2019 13:59:31 -0700 (PDT)
MIME-Version: 1.0
References: <1CF3E143-98E7-4B66-AEE5-02617A639BCC@nlnetlabs.nl> <CAEGSd=AH5hNf4vm=f4ztcMnDDrPLxE-tZoHHjmcWDO7OVo5pxQ@mail.gmail.com> <m2sgo5zad3.wl-randy@psg.com> <9579DFEC-6653-4CD2-A4DE-2DC5B7427782@nlnetlabs.nl> <23963.10240.12287.137386@oz.mt.att.com> <29669e33-2ae9-1aab-0cf2-63e9d0f3857e@foobar.org> <BYAPR11MB375183DF6D321438827C39FCC09B0@BYAPR11MB3751.namprd11.prod.outlook.com> <39E6D50C-7112-4C0B-90BF-99C91665C193@nlnetlabs.nl>
In-Reply-To: <39E6D50C-7112-4C0B-90BF-99C91665C193@nlnetlabs.nl>
From: Alexander Azimov <a.e.azimov@gmail.com>
Date: Mon, 14 Oct 2019 23:59:18 +0300
Message-ID: <CAEGSd=B90Kwnbfc_xd2stN4meUsXCTjhR3N6QmQWqhMHuGCEqQ@mail.gmail.com>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, Jay Borkenhagen <jayb@braeburn.org>, SIDR Operations WG <sidrops@ietf.org>, Nick Hilliard <nick@foobar.org>
Content-Type: multipart/alternative; boundary="000000000000f35e9a0594e5243b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/7h3rXmxxi8m4BrwMQJG4KkvE5iY>
Subject: Re: [Sidrops] Minor comments on draft-ietf-sidrops-aspa-profile-00
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Oct 2019 20:59:36 -0000

Hi all,

I would try to summarize the points that were presented in this thread.

The question is whether we should define ASPA like it was done for ROAs or
should we do it in a slightly different and slightly more reliable manner.
The data structure that we need at the router to verify ASPATH is a simple
{customer: set of providers}. And to have a reflection of such tuple it in
one RPKI object seems to be native (+ all points that were listed above).
If we unbound ASPA object structure from ROA-like structure we may also get
rid of ASPA0 - empty set is a simple form to signal that ASN does not have
any transit providers. So, the spec should say:

providerASID  SEQUENCE (SIZE(0..MAX)) OF ASID


In this case, to signal that prefix should not be seen in the BGP
default-free zone ROA0 should be issued; to signal that ASN
is provider-free ASPA-EMPTY (instead of ASPA0) should be issued. If we
believe that this will not add ambiguity for the users I'm ok to change it.

вт, 8 окт. 2019 г. в 09:49, Tim Bruijnzeels <tim@nlnetlabs.nl>nl>:

> Hi,
>
> So, to re-iterate: I don't think the problem of getting only a sub-set of
> ASPA objects is very likely to occur, especially when using RRDP. With RRDP
> there are deltas that provide transactionality in publication, which at
> least allows operators to publish multiple objects as a single delta. But,
> of course, their CA software has to support this idea, rather than publish
> objects (+mft + crl) one by one.
>
> However, having the option of multiple provider ASNs in a single object
> allows for a publication strategy (using a fixed named object) that avoids
> the issue altogether, as a bonus I find it a bit easier to manage for my
> particular implementation, and it saves a bit of space (CMS wrapping, EE
> cert 2048 with bit key). And on the other hand, I don't think that having:
>
>         providerASID  SEQUENCE (SIZE(1..MAX)) OF ASID
>
> Instead of:
>
>         providerASID  ASID
>
> adds much in terms of complexity, and I do not see any other clear
> drawbacks (e.g. fate sharing).
>
>
> If multiple provider ASNs are allowed I would go on to RECOMMEND that a
> single object is used, but in principle implementations can still have
> multiple ASPA objects, each with a SEQUENCE OF 1 ASID. I expect that RPs
> will validate ASPA objects and build up a list of 'Validated Customer
> Provider Relations', and that this list/deltas - excluding duplicates - is
> communicated to routers in a new version of the RPKI-RTR protocol. So, it
> should not matter if the relations were found on 1 or more objects.
>
> In ROAs we can only have one ASN, so multiple are needed in case a prefix
> is multi-homed. Although, in retro-spect multiple ASNs could have been a
> nice idea here too, but I don't think the problem is anywhere near big
> enough to warrant a re-design of the ROA spec.
>
> Tim
>
>
>
> > On 8 Oct 2019, at 00:27, Jakob Heitz (jheitz) <jheitz@cisco.com> wrote:
> >
> > If the customer-provider objects are individual, then a relying party
> > may have a partial list of providers for one customer.
> >
> > If all the providers for one customer are in a single object,
> > then, upon a change, the RP can have either the old object
> > or the new object, but never a partial view.
> >
> > A partial view, IMO is worse that having the old view a little longer
> > than possible. A partial view can cause some AS-paths to be considered
> > invalid when they are not.
> >
> > Regards,
> > Jakob.
> >
> > -----Original Message-----
> > From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Nick Hilliard
> > Sent: Monday, October 7, 2019 5:32 AM
> > To: Jay Borkenhagen <jayb@braeburn.org>
> > Cc: SIDR Operations WG <sidrops@ietf.org>
> > Subject: Re: [Sidrops] Minor comments on
> draft-ietf-sidrops-aspa-profile-00
> >
> > Jay Borkenhagen wrote on 07/10/2019 12:56:
> >> It's critical that users of ASPA data operate using a complete set of
> >> an ASN's authorized upstream ASNs.  The simplest way to communicate
> >> such a verifiably-complete set is to use a single object.
> >
> > bits of me agree with this, but other bits not.  It's shifting the
> > problem from an RPKI database synchronisation problem to a
> > human-oriented data synchronisation problem.  Both are hideously
> > difficult problems to solve, but the one which involves human input is
> > almost certainly less reliable.
> >
> > Nick
> >
> > _______________________________________________
> > Sidrops mailing list
> > Sidrops@ietf.org
> > https://www.ietf.org/mailman/listinfo/sidrops
> >
> > _______________________________________________
> > Sidrops mailing list
> > Sidrops@ietf.org
> > https://www.ietf.org/mailman/listinfo/sidrops
>
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>


-- 
Best regards,
Alexander Azimov