Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Wed, 08 March 2023 16:08 UTC

From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "sidrops@ietf.org" <sidrops@ietf.org>
CC: "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, Claudio Jeker <cjeker@diehard.n-r-g.com>, 'gengnan' <gengnan@huawei.com>
Date: Wed, 08 Mar 2023 16:08:08 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/9p0-W8zUjR730iDHVi_PsND30n4>

Hi all,

Nan Geng also reviewed a pre-publication version of v-12 ( https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/ ).

His comments are copied below. They have been carefully considered and changes incorporated.

Thank you, Nan.

Sriram

===================================

Nan Geng's Comments Set #1:

From: gengnan <gengnan@huawei.com> 
Sent: Wednesday, March 1, 2023 7:40 AM

Hi Sriram,

Here are some comments on the ASPA verification draft v11. Hope they are helpful. 
Since I did not participate in the discussion of the draft from the beginning, something may be missed. If it does happen, please tell me what I missed. Thanks. 

1. Sec. 5: How about discussing the process of AS_SET in section 5, together with the discussion of AS_PATH and AS_PATH4?

2. Sec. 5: Consider a case where i) a router enables ASPA verification but ii) there is no ASPA data. Suppose a BGP update is received but the AS path length is zero, or an AS_SET exists, or the neighbor AS is wrong. When conducting ASPA verification for the AS path, which verification result will be returned? Unknown (because no data) or invalid (because of the rules in sec. 5)? In the implementation of openbgpd, the result seems to be unknown. Can we make the point clear in section 5 or somewhere?

3. Sec. 5.1.1: How do we know whether the peer AS is a transparent RS or a non-transparent RS, so that the AS path can be pre-processed before the verification?

4. Sec. 5.3: “The upstream ramp stops (reaches its apex) when the ASPA validation to check customer-to-provider relationship of the AS-pair corresponding to the next AS hop gives Invalid or Unknown result.” Is the apex reached if either an invalid or an unknown result is returned, or only if an invalid result is returned? (The latter is taken by https://github.com/QratorLabs/ASPA/blob/master/aspa_logic.py)

5. Sec. 5.4: If a Tier-1 is present as an RS-client, it must register an ASPA showing the RS AS as a provider. But in the ASPA profile draft v12, sec. 1 said a transparent RS is not listed as a PAS in an ASPA. So, do you mean a Tier-1 must register an ASPA showing the non-transparent RS AS as a provider?

6. Sec. 5.5: The title “AS_PATH Verification Recommendation” → “AS_PATH Verification Recommendations”, to keep consistent with the title of sec. 5.4

7. Sec. 7: What is the relationship between ASPA and RFC 9234? Can we give some operational considerations on the configuration of the local AS role? RFC 9234 does not support the direct configuration of complex relations. How do we deal with the configuration issue when we have ASPA data for siblings? And when we conduct ASPA verification at a sibling hop, a downstream check should be carried out, I think. But there is no related description.

8. Suppose AS X configures itself as a customer of AS Y by RFC 9234. But the ASPA data of AS Y considers AS X as Y’s provider. Do we need to have a check to avoid such wrong configurations or wrong registrations?

9. Sec. 10: I think the deprecation of AS_SET can be mentioned, because some networks may possibly use AS_SET. And, legitimate non-valley-free AS paths may exist. ASPA verification may drop such BGP updates by mistake.

Best,
Nan
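
Comment 4 above asks whether the up-ramp apex is reached on an Invalid or Unknown hop result, or on Invalid only. The following added example (not part of the e-mail, the draft, or the QratorLabs code) computes the ramp length under both readings; the ASPA table, AS numbers and function names are constructed for illustration, and the path is listed origin first.

```python
# Added illustration; not from the draft, the e-mail, or QratorLabs/ASPA.
# The ASPA table and AS numbers below are constructed sample data.

VALID, INVALID, UNKNOWN = "Valid", "Invalid", "Unknown"

# customer AS -> set of attested provider ASes (constructed)
ASPA = {
    64501: {64502},
    64502: {64503},
    # 64503 has registered no ASPA, so its hop is Unknown
    64504: {64599},  # 64505 is not listed, so hop 64504->64505 is Invalid
}

PATH = [64501, 64502, 64503, 64504, 64505]  # origin first (constructed)


def hop_check(aspa, customer, provider):
    """Check one customer-to-provider AS pair against the ASPA table."""
    providers = aspa.get(customer)
    if providers is None:
        return UNKNOWN  # no attestation registered by the customer AS
    return VALID if provider in providers else INVALID


def up_ramp_length(path_from_origin, aspa, stop_on):
    """Count the ASes on the up-ramp, starting at the origin.

    The ramp keeps climbing until the next hop's result is in stop_on.
    """
    length = 1 if path_from_origin else 0
    for customer, provider in zip(path_from_origin, path_from_origin[1:]):
        if hop_check(aspa, customer, provider) in stop_on:
            break
        length += 1
    return length


def compare_readings(path_from_origin, aspa):
    """Apex position under both readings of the quoted Sec. 5.3 sentence."""
    return {
        "stop_on_invalid_or_unknown": up_ramp_length(
            path_from_origin, aspa, {INVALID, UNKNOWN}),
        "stop_on_invalid_only": up_ramp_length(
            path_from_origin, aspa, {INVALID}),
    }


if __name__ == "__main__":
    for cas, pas in zip(PATH, PATH[1:]):
        print(cas, "->", pas, hop_check(ASPA, cas, pas))
    print(compare_readings(PATH, ASPA))
```

On this sample path the two readings place the apex one AS apart, because the hop out of the AS with no registered ASPA is Unknown rather than Invalid.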