IETF Logo Mail Archive

Re: [Sidrops] Opsdir last call review of draft-ietf-sidrops-ov-egress-01

Linda Dunbar <linda.dunbar@futurewei.com> Wed, 18 March 2020 04:28 UTC

Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B30A33A106C; Tue, 17 Mar 2020 21:28:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S--dmjS2IWVo; Tue, 17 Mar 2020 21:28:18 -0700 (PDT)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2131.outbound.protection.outlook.com [40.107.220.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 981D13A1066; Tue, 17 Mar 2020 21:28:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FdpJvgx8/kKLZLNhInPHeURfc9QB2MdR3xE4vRVOcTBJ/xYyXiH/aFnxqZ9+f1NIDyp7mEW0GM1K1U47UyMBiNL/gbHTpsfpgg9HMMUFsQYrEIHoQHr4pishNWjqBuv7BpwqtPKIbLHVHGaU1EdnvxbEQUu4dpecjTbVmvJB6FqfufUi4OCqEOuR+LqLIn1KxQ+dm8RsZrpKNLI83EyHxBAmB85iSW47kQZg0OrH7N1wsaWIGw2jgbeNQzgDxBiyOi92hK5SpGs0Kgucpevz0YVwkkxAB5Jw5+WKpLGQxLFaNwcPuWQ2TO9MyQHBK8TJZ+9dORAZ4Wk0cJhc9dUDvA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=KynJSnZ48srVISmtqizHo73MvQEvk1zQD3ZVOWeqoxw=; b=GmwCWs/UaIkS9pcx8SiF2UL0eIL8YDWOHGHhhpraKos4nXnWjpReg9a0CukS6LimQ9x6scXYKuEh64xJOYIAcPJGaf5eU7RJvkHMdkMCsKESu1sHWcJBZcnSj3gUzjswd0mtQDzwbPZSWL3tuvz2tb7x05KXHOHQGdR/YnxtI6EY9lbZPb9OOQp8TFfVPky1vyVdDk6EzeOTcgFiv/X+fbl3lY9lUjsxJ1faQFKRH3HdfULP3Wlf5zvsp7nRTuPYNJ/Yq16gxcrlyFBGAfoS5OoyxacTfXgSbMWMbmtoUtOz5eXSzKcCYxyEaHKIChonbgvxNhowpPI7oyI0SXqXKw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=KynJSnZ48srVISmtqizHo73MvQEvk1zQD3ZVOWeqoxw=; b=ULgADkiAI9DMQv28ukZVPneTFSMsPa9vLp+7VyUph7xJVgbWJJ4cBZ+HifWtVq1BlVu0sYs3XubkXAzcM+fNmABvz3NTReZ9+SkODYmdbdV8MdH2cc+C/fTzNEmXtUobnpFY5Rvd7NxwvfAzA2UqFc3G5BQlNe2Hl8XjgBXtxIQ=
Received: from MWHPR1301MB2096.namprd13.prod.outlook.com (2603:10b6:301:34::35) by MWHPR1301MB2206.namprd13.prod.outlook.com (2603:10b6:301:35::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.15; Wed, 18 Mar 2020 04:28:11 +0000
Received: from MWHPR1301MB2096.namprd13.prod.outlook.com ([fe80::e893:a912:1d3a:5a33]) by MWHPR1301MB2096.namprd13.prod.outlook.com ([fe80::e893:a912:1d3a:5a33%6]) with mapi id 15.20.2835.013; Wed, 18 Mar 2020 04:28:11 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Chris Morrow <morrowc@ops-netman.net>
CC: "ops-dir@ietf.org" <ops-dir@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-sidrops-ov-egress.all@ietf.org" <draft-ietf-sidrops-ov-egress.all@ietf.org>
Thread-Topic: Opsdir last call review of draft-ietf-sidrops-ov-egress-01
Thread-Index: AQHV/LnTh9GYXgnyT0iT7Ib/ZTnNZKhNwJ8Q
Date: Wed, 18 Mar 2020 04:28:11 +0000
Message-ID: <MWHPR1301MB20963870BE1726391F4166AF85F70@MWHPR1301MB2096.namprd13.prod.outlook.com>
References: <158448201565.32201.9748655174984394118@ietfa.amsl.com> <87d09av7wd.wl-morrowc@ops-netman.net>
In-Reply-To: <87d09av7wd.wl-morrowc@ops-netman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: [2605:6000:1526:d41e:b826:e203:150e:5d1e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 23f8966a-dcb2-413c-7ab6-08d7caf4c4a0
x-ms-traffictypediagnostic: MWHPR1301MB2206:
x-microsoft-antispam-prvs: <MWHPR1301MB22062A4BDF082A8BB1FB8BAD85F70@MWHPR1301MB2206.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 03468CBA43
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(376002)(366004)(346002)(39850400004)(396003)(136003)(199004)(9686003)(55016002)(71200400001)(6506007)(53546011)(66574012)(19627235002)(52536014)(5660300002)(8936002)(66556008)(81156014)(66446008)(81166006)(64756008)(8676002)(66476007)(76116006)(7696005)(66946007)(54906003)(86362001)(316002)(186003)(44832011)(478600001)(6916009)(4326008)(33656002)(2906002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR1301MB2206; H:MWHPR1301MB2096.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yBbyPuJSUPr5JOAzztXU6UpOUtU0T312/1xcwKOcrTPWfC/zd5LRUZYFAvnHnxS4JDHzze72wm3Ckg/R10kjyAPKj8m/TWC/Sz5/cfIGuQH9AOWw7/utmW60/r/m/wo0F+AE4b9umNLv2bnuC96yvSgUHk1KIGqHT5/TqNYgP6z1TwEHpbHpav89Vju0r1Q89tSamuNXI2YconxzLWR2lRh/8swvfATjnrQ1VXd7QQH0yxs4TR5dCO9uCFmKmGYVboV1duE2hlpDIOUB1fUwsm1ezt2IaNbJ2LZ7swCus3wOrQliQr5Ymk6J2wccWPHgMwloTU3efs+ueOFuYP1t46YWi4Ju4NVr6ngv2RbgwFr8TLRMpJG/LmOkm8Q6e1iW+EU0UauID3Mzom49JR3wn33LS1hL28v1DOUhde4VG0K/1F0Oc1SuapCycw4LEMe5
x-ms-exchange-antispam-messagedata: eenwIzv7sj9lQ1mQkSu6GnNl1j9Uge577tENOlVW0JeCXJJ/xESBR1ZiyL4ugtTsZpZ8RKkNloGX75C4kHCIfdOaqJ4sN4Kdr2nEsr+GOaaGEi/RPBCwka0IRekbKYB+RHmI6zzFvppvrl5BxqMF7J4RWEidNaEFVI6WTKXWDWoTbnTJJj5dEB69+Q8G0MysqVID/voHhT9F5OibVbc8ZQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 23f8966a-dcb2-413c-7ab6-08d7caf4c4a0
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2020 04:28:11.5377 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IAl9OYMJOuCpUniC6ZEFy/zIfIXt3fdZn1FInkBhij6TZXftGj/IGreP9V5XjLGxO6CE6S2t1pLSacU/ZAvtvw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR1301MB2206
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/b3YtHD6xlTEuMp8Ie9EUWqK6VXY>
X-Mailman-Approved-At: Tue, 17 Mar 2020 22:10:08 -0700
Subject: Re: [Sidrops] Opsdir last call review of draft-ietf-sidrops-ov-egress-01
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2020 04:28:22 -0000

Chris, 

Thank you very much for the explanation.
Your explanation is what I was looking for. 
It would be very nice to have your examples included (as Use Cases) in the document. 

Linda Dunbar
-----Original Message-----
From: Chris Morrow <morrowc@ops-netman.net> 
Sent: Tuesday, March 17, 2020 7:12 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: ops-dir@ietf.org; sidrops@ietf.org; last-call@ietf.org; draft-ietf-sidrops-ov-egress.all@ietf.org
Subject: Re: Opsdir last call review of draft-ietf-sidrops-ov-egress-01

Just sniping a reply... which may be out to left (or right!) field :)

On Tue, 17 Mar 2020 21:53:35 +0000,
Linda Dunbar via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Linda Dunbar
> Review result: Not Ready
> 
> I have reviewed this document as part of the Ops area directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the Ops area directors.
> Document editors and WG chairs should treat these comments just like 
> any other last call comments.
> 
> The document claims that it highlights an important use case of origin 
> validation in eBGP egress policies, explaining specifics of correct 
> implementation in this context. But I don't see where the "Use Case" 
> is described. It seems to me that the document should have more 
> sections to describe the Use Case and the procedure of Egress Export 
> of the RPKI validated Origins.
> 
> Section 3 Egress Processing only has one sentence stating that "When 
> applied to egress policy, validation state MUST be determined using 
> the effective origin AS of the route as it will (or would) be announced to the
> peer." What other choices there are ?   Are there any routers that support  RFC
> 6480 RPKI  not performing this step? how?
>

I think the sense of this sentence is really:

  "Your router may have configured ASXXX and present itself
  (confedaration) as ASYYY to peer1 and ASBBB to peer2
  (merger/acquisition issues). Please make sure that you validate the
  origin accordingly"


There are a few example networks in the real world where this sort of thing could be super relevant. Particularly look at recent 'network that merges a bunch' Level3/CenturyLink/Savvis/GlobalCrossing/etc...
AS3356/AS209/AS<iforget>/AS3459/AS3549. A single edge device terminating customers on the 3356 backbone may plausibly have customers that haven't swapped over to 3356 and are actually expecting the remote peer to be any of 6 or more ASN.

It's important that the 'i originated this prefix, I'm 3356, wait 3549, want 3459...' decision is backed up in ROA content as well as validation logic.

Looking at the abstract to maybe dig a little deeper:
  "For egress policy, it is important that the
   classification uses the effective origin AS of the processed route,
   which may specifically be altered by the commonly available knobs
   such as removing private ASs, confederation handling, and other
   modifications of the origin AS."

So somewhere deep in my network, bb01.pop01 has:
  192.0.2.0/24

staticly routed, redistributed in BGP and marked for external announcement (community/etc). That route, internally has an origin-AS of:
  65507

because that's one of the several private ASN that make up my
confederation: ASBAR. So, when I announce:
  192.0.2.0/24 - origin 65507

I need to both swap the origin in the bgp announcement and validate against the local-as the peer sees me as.
   192.0.2/0/24 - origin 3356
   192.0.2.0/24 - origin 3549
   ...etc...

This will require me to make ROA for all of these origins, as well.

I think anyway that's the goal of the document, really.
though, also, I could have missed the forest for the trees here.

-chris

> My two cents.
> 
> Linda Dunbar
> 
>

v2.23.0 | Report a Bug | By Email