Re: [Sidrops] [routing-wg] misconceptions about ROV

[Job Snijders <job@fastly.com>]

Hi Doug, others,

On Thu, Feb 24, 2022 at 11:53:25PM +0000, Montgomery, Douglas C. (Fed) wrote:
> We seem to create many security mechanisms (e.g., BGPsec, ROAs, MUD
> profiles, etc) that don’t have a safe means for individual users to
> globally test/pilot them before going into production mode.

I think the cake should be sliced up differently: the concept of "pilot
testing" shouldn't be in the protocol specs, but in the approach to
deployment.

In my experience operators are happy to request additional ASNs &
arrange separate IPv4/IPv6 space for pilot studies. Both AS and IPv6
INRs are extremely affordable, a fraction of the overall cost of
studying a new Internet technology. At least, this was my experience
with IPv6 a decade+ ago, and with RPKI ROV in recent years. I fully
expect that early adoptors of BGPsec are able to construct appropriate
pilot setups too. From that perspective I don't see the need to add new
object profiles to facilitate BGPsec, because doing so would set the
clock back.

> That increases the risk/barrier to entry to those who wish to enable
> the technologies.

At some point the conceptual "are you sure?" confirmation dialogue boxes
have to transform into something that is real. Cryptographic
attestations only have meaning when Relying Parties actually honor the
attestations: indeed, RPs have to exhibit willpower to discard invalid
objects or routes, otherwise the attestations become worthless (or
worse! read on below).

I think one of the unforeseen and accidental obstacles towards global
deployment of RPKI ROV was the following awkward dynamic:

(1) the propaganda machine was thundering on all cylinders to promote
    ROA creation
(2) many folks misconfigured their ROAs, resulting in the *crazy
    situation* that in its peak there were between 5,000 ~ 6,000
    invalids BGP routes in the DFZ [0]
(3) many folks didn't notice their ROA misconfigurations, because nobody
    was performing ROV invalid==reject. Also, there was no incentive to
    fix broken ROAs, because nobody was validating.
(4) people became afraid to enable ROV on ingress EBGP, because there
    were so many invalids "I can't just reject 5K routes!".

It is not hard to imagine how steps 1 -> 2 -> 3 -> 4 in an alternative
universe could've resulted in complete disaster and dismissal of RPKI
ROV.

It took significant community effort to overcome the above downward
spiral: people had to be taught what CA Intent is, that 'harsh'
rejection of invalid information is exactly what makes the security
mechanism work, and that the 5K invalids did not pose a risk to business
[1] [2].

As for the misconfigured ROA creators: many learned the surprisingly
positive consequences of making bad decisions. Sometimes operators have
to touch the hot stove. :-)

How the above observations potentially apply to BGPsec isn't certain
yet, but all of us definitely have to consider what we can learn from
the ROV experience when we collectively plan and labor the next phase of
routing security.

Kind regards,

Job

[0]: https://www.denog.de/media/DENOG11/day1_1_rpki-one-year-later_yPfR6rl.pdf
[1]: https://mailman.nanog.org/pipermail/nanog/2019-February/099522.html
[2]: https://storage.googleapis.com/site-media-prod/meetings/NANOG84/2488/20220214_Madory_Measuring_Rpki_Rov_v1.pdf