IETF Logo Mail Archive

Re: [Sidrops] version negotiation

Job Snijders <job@fastly.com> Wed, 10 January 2024 21:22 UTC

Return-Path: <jsnijders@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169A8C14CE52 for <sidrops@ietfa.amsl.com>; Wed, 10 Jan 2024 13:22:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lP-cJ-mFDIrA for <sidrops@ietfa.amsl.com>; Wed, 10 Jan 2024 13:22:17 -0800 (PST)
Received: from mail-oa1-x29.google.com (mail-oa1-x29.google.com [IPv6:2001:4860:4864:20::29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7297CC14CE4B for <sidrops@ietf.org>; Wed, 10 Jan 2024 13:22:14 -0800 (PST)
Received: by mail-oa1-x29.google.com with SMTP id 586e51a60fabf-203fe0e3fefso2287978fac.2 for <sidrops@ietf.org>; Wed, 10 Jan 2024 13:22:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1704921733; x=1705526533; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EtjCH+enwKGy7w8S686Uq6s5TKVUCU/4Zsh4Sg2VOK0=; b=CIUKfTj3Cd9OaYpCJxkUuHHZaWtBH9y+x4/9hbtEcZ0/r42o4j0l3DRrAJ/QUSjYmA X8/DVLap4XDDxehpNFs8upAuPE3fqJ6yed5Hd5GZ3cnoxw+J6CcyBKvZv0L0AxRkuyhi L/FH2ckl+q5eztQ6t+7Uez+fJS2+nuFM8KYY4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704921733; x=1705526533; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EtjCH+enwKGy7w8S686Uq6s5TKVUCU/4Zsh4Sg2VOK0=; b=xR9dhk4F0T7X7Uy0jaK97niseIdsgN6oBBmq5SCQunXdQQi3Lh+0Xd/AS4Fi875+KD 99mvl2WZD0lt+GHPhfHT3y7abPrZj6SvYV5W/ulbvemBVNYXQ5yRjbbmHF9UKGzFXls0 LRT72IN7n/PR+xZHtP3JUGZdpyc5sLnqePTaZnzwjGguxD9quxfQAnPQbAoShd+18F4V SgDbvQVm+gzs2QdGJzZ7d94mKNeoFxD2Vy/VZ762+wziTl5a/wlGfnk3ftezTnaO/E1Z /09tS/hxoKJl9nt804l4uZKEriWxZi2zAxJra56Ic+iWN0/bgCw7DFzfymA2yHOGuIwA 9y1A==
X-Gm-Message-State: AOJu0YyFkTvJsfqmF0hQ5j7izkTucQ92KSWfm+Aar3ATnPInOmCh4bFK kW3LIZlHeQ73rlLDpPXi25XKIAYa0d2zR7jDaHs1OxqyaTD4n+KDtQ9AUMv5
X-Google-Smtp-Source: AGHT+IEKtBo+bb8KF0yAuChQQAQDQxZed/jbbVuo6TX3gkiocLLfJz54Ql9PPzs4wiaRJ1PwVRFJiL5QGDjiITGqv3o=
X-Received: by 2002:a05:6870:164a:b0:1fb:75a:7798 with SMTP id c10-20020a056870164a00b001fb075a7798mr208751oae.73.1704921733589; Wed, 10 Jan 2024 13:22:13 -0800 (PST)
MIME-Version: 1.0
References: <m2il4zbecl.wl-randy@psg.com> <5DCA686A-8BA9-43FF-9675-4C6804C8208D@nlnetlabs.nl> <8F3E272D-9358-4A63-B156-8C768D46CC7D@nlnetlabs.nl> <C6809556-2957-4E50-93FF-E392B69EE19C@vigilsec.com> <43e9a8461d05470190ee7d3a7bb46cf4@huawei.com> <ZYFq8we3BMBji6jb@diehard.n-r-g.com> <ZYM9bEdeZOdidSU1@dwc-desktop.local> <CAMFGGcD-hAprxBBoz2dL7wzoq1j187B6XNHQURtRN85GgpgjqA@mail.gmail.com> <ZYQNxzeMl2uhweBu@diehard.n-r-g.com> <m2ttnv5kbh.wl-randy@psg.com> <ZZ1hwM7qCDsjSmU8@diehard.n-r-g.com> <m2cyu86gi6.wl-randy@psg.com>
In-Reply-To: <m2cyu86gi6.wl-randy@psg.com>
From: Job Snijders <job@fastly.com>
Date: Wed, 10 Jan 2024 22:22:02 +0100
Message-ID: <CAMFGGcA9Mpw_o-+BCzEAJX=tHiJYG1ZDf35-MWr=j7Z=gKSLTA@mail.gmail.com>
To: Randy Bush <randy@psg.com>
Cc: Claudio Jeker <cjeker@diehard.n-r-g.com>, sidrops <sidrops@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004d0275060e9e0649"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/A4oVRP-D-CJAIudjfbPgLFfgP40>
Subject: Re: [Sidrops] version negotiation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jan 2024 21:22:21 -0000

Randy,

Related to RTR being “trinary”, and it being desirable for the protocol
negotiation to be generalized - would it make sense to add a text that in
order to facilitate protocol upgrades, the cache should start a new
session, or perhaps introduce a new non-fatal Error Code “Upgrade
Available”? Or some other signal?

Some router implementations doing ISSU (potentially making for extremely
long-lived RTR sessions), I imagine it’s valuable if there is explicit
guidance on how protocol upgrades work.

It would be suboptimal if both cache and router support newer versions of
RTR, but because of a past negotiation, neither uses the newer version.

Kind regards,

Job

On Wed, 10 Jan 2024 at 22:11, Randy Bush <randy@psg.com> wrote:

> >>    If the router query has version Q> N, the cache MUST send an Error
> >>    Report (Section 5.11) with Protocol Version N and Error Code 4
> >>    ("Unsupported Protocol Version"), and the router SHOULD send another
> >>    query with a Protocol Version Q of the version N in the Error Report,
> >>    unless it has already failed at that version.  This MAY repeat with
> >>    the router attempting to negotiate lower and lower versions until
> >>    they agree.
> >
> > Coming back to session downgrades (router query Q> N). RFC8210 has this:
> >
> >    2.  The cache may reply with a version 0 response.  In this case, the
> >        router MUST either downgrade to version 0 or terminate the
> >        connection.
>
> the 8210 text is
>
>    If a router which supports version 1 sends a query to a cache which
>    only supports version 0, one of two things will happen:
>
>    1.  The cache may terminate the connection, perhaps with a version 0
>        Error Report PDU.  In this case, the router MAY retry the
>        connection using protocol version 0.
>
>    2.  The cache may reply with a version 0 response.  In this case, the
>        router MUST either downgrade to version 0 or terminate the
>        connection.
>
> > This is in direct conflict with the above. It is also in
> > draft-ietf-sidrops-8210bis-11. Also the rtr caches I checked use this
> > implicit downgrade for sessions. So I don't think this method can be
> > removed.
>
> agree that this is problematic in a number of ways.
>
> i think we would want /terminate the connection/terminate the session/
>
> but further, 8210 is a one or zero negotiation.  and we're now trinary,
> and next year we'll be quaternary :(  so hard coding the 1 to 0 downgrade
> seems ill advised and should be generalized.
>
> so 'implicit' downgrade to zero or terminate should probably be phrased
> as a N-ary process, which the proposed text attempts to do.
>
> for ref, our current working text is as follows:
>
>    If a cache which supports version C receives a query with Protocol
>    Version Q < C, and the cache does not support versions <= Q, the
>    cache MUST send an Error Report (Section 5.11) with Protocol Version
>    C and Error Code 4 ("Unsupported Protocol Version") and disconnect
>    the transport, as negotiation is hopeless.
>
>    If a cache which supports version C receives a query with Protocol
>    Version Q < C, and the ache can support version Q, the cache MUST
>    downgrade to protocol version Q, [RFC6810] or [RFC8210], and respond
>    with a Cache Response (Section 5.5) of that Protocol Version, Q, and
>    the RPKI-Rtr session is considered open.
>
>    If the the cache which supports C as its highest verion receives a
>    query of version Q > C, the cache MUST send an Error Report with
>    Protocol Version C and Error Code 4.  The router SHOULD send another
>    query with a Protocol Version Q with Q == the version C in the Error
>    Report; unless it has already failed at that version, which indicates
>    a fatal error in programming of the cache which SHOULD result in
>    transport termination.
>
>    If the router requests Q == 0 and it still fails with the cache
>    responding with an Error Report with Error Code 4, then the router
>    MUST abort the transport connection, as negotiation is hopeless.
>
> we think this should interop with v0 and v1 devices.  but we would
> definitely appreciate specific text where it could be improved.
>
> randy
>
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>

v2.46.0 | Report a Bug | By Email | System Status