IETF Logo Mail Archive

Re: [Sidrops] Minor comments on draft-ietf-sidrops-aspa-profile-00

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 15 October 2019 09:12 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F11611200B3 for <sidrops@ietfa.amsl.com>; Tue, 15 Oct 2019 02:12:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.119
X-Spam-Level:
X-Spam-Status: No, score=-1.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs-nl.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GH-tNdVA0wa2 for <sidrops@ietfa.amsl.com>; Tue, 15 Oct 2019 02:12:28 -0700 (PDT)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 107471200A4 for <sidrops@ietf.org>; Tue, 15 Oct 2019 02:12:28 -0700 (PDT)
Received: by mail-ed1-x535.google.com with SMTP id r4so17293861edy.4 for <sidrops@ietf.org>; Tue, 15 Oct 2019 02:12:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs-nl.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=4RYisT/jnyS93GKNvSZkdGwKDJVOnUberiSW3eD6iUQ=; b=eS4P9pZk47XF+nTSrcE2A7A7yOoVdZeAkf9jrGdNvjn+LRqzZx0UOu38WmOdz9mejC zjzC1J/8rJ0PGiExzGCxfdYiV20NKTFbc5sU2NAbrbYWI/YysGgHaESq79R7d3nDFZOV APmM8mJ9eCv3hu6Jwk2fN4rj4v1btl82xVnb3/VLzXIC1J2/5WkC2RgynKJzRM8Sgg9N ogfRmCPBwvXposYukp+JoHpNEAMwC1lgjWc23jzdb3QhiHqmyF3XTt/qUldk/E3DGAMN /bzCjgdmCjLgEv+Cm4ITHhCzRxRYnvyqs4DsiAqwqx5h85d9Ab5InByGKUSUR2T4Q7yb rL3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=4RYisT/jnyS93GKNvSZkdGwKDJVOnUberiSW3eD6iUQ=; b=Q4mfj0fTjD47MuGJst+8CLymuYPxo4XeakHhgJOGLEGG2hhuxBql9QSJG0UnOHiTDe FOl5EEDqS7fJ//OTyiPgk21JnYJj2brnVxIXhxrkMgohxQVmLQhJzFN/mq56GdcBFKwA Pe7tqoPmfgnH0GQxkSI3VJ10P97LgeV4ro4MOnuwhfSZy38XM7/EYkptH8ONQyr74zfO MutcgBINWef6qJuLIymbbNreO+dGTEuO9w8/iZs74ja/FJDZphmU1F69wpmZQf0uClSy nnOS1JQH9kxpML1nhZmF04c+08TXlRk9RYtwRjqEPTG5hPhK6/S4qjbFocUpXVwEw/kG FYAQ==
X-Gm-Message-State: APjAAAVvcEJPOf3C5wscm17oqgoTbFDgLl7vpqPQ0S4z6ROLZyq4JJPj YMEIUGBzUXPRNlhJA61jzcb8qw==
X-Google-Smtp-Source: APXvYqxNzutyb25NQtpCNTMzE9rIBb9KCxyltIlB1F6lDUNOXnnVBKU4TqthJ+/d64FbzW+6MRExLQ==
X-Received: by 2002:a05:6402:154e:: with SMTP id p14mr11776700edx.274.1571130746423; Tue, 15 Oct 2019 02:12:26 -0700 (PDT)
Received: from ?IPv6:2001:981:4b52:1:6821:9913:675f:a444? ([2001:981:4b52:1:6821:9913:675f:a444]) by smtp.gmail.com with ESMTPSA id c6sm2655198ejz.79.2019.10.15.02.12.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 15 Oct 2019 02:12:25 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_7D6F3736-1CE2-48C6-8B5D-0BD5ADA27019"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3594.4.19\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <CAEGSd=B90Kwnbfc_xd2stN4meUsXCTjhR3N6QmQWqhMHuGCEqQ@mail.gmail.com>
Date: Tue, 15 Oct 2019 11:12:24 +0200
Cc: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, Jay Borkenhagen <jayb@braeburn.org>, SIDR Operations WG <sidrops@ietf.org>, Nick Hilliard <nick@foobar.org>
Message-Id: <670F2CA3-3C29-4BD7-9D37-A70943D9C331@nlnetlabs.nl>
References: <1CF3E143-98E7-4B66-AEE5-02617A639BCC@nlnetlabs.nl> <CAEGSd=AH5hNf4vm=f4ztcMnDDrPLxE-tZoHHjmcWDO7OVo5pxQ@mail.gmail.com> <m2sgo5zad3.wl-randy@psg.com> <9579DFEC-6653-4CD2-A4DE-2DC5B7427782@nlnetlabs.nl> <23963.10240.12287.137386@oz.mt.att.com> <29669e33-2ae9-1aab-0cf2-63e9d0f3857e@foobar.org> <BYAPR11MB375183DF6D321438827C39FCC09B0@BYAPR11MB3751.namprd11.prod.outlook.com> <39E6D50C-7112-4C0B-90BF-99C91665C193@nlnetlabs.nl> <CAEGSd=B90Kwnbfc_xd2stN4meUsXCTjhR3N6QmQWqhMHuGCEqQ@mail.gmail.com>
To: Alexander Azimov <a.e.azimov@gmail.com>
X-Mailer: Apple Mail (2.3594.4.19)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/BA0ZTRhP4rLMyOFmeXBQuFf4XUc>
Subject: Re: [Sidrops] Minor comments on draft-ietf-sidrops-aspa-profile-00
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 09:12:31 -0000

Hi Alexander,

> On 14 Oct 2019, at 22:59, Alexander Azimov <a.e.azimov@gmail.com <mailto:a.e.azimov@gmail.com>> wrote:
> 
> Hi all,
> 
> I would try to summarize the points that were presented in this thread.
> 
> The question is whether we should define ASPA like it was done for ROAs or should we do it in a slightly different and slightly more reliable manner. 
> The data structure that we need at the router to verify ASPATH is a simple {customer: set of providers}. And to have a reflection of such tuple it in one RPKI object seems to be native (+ all points that were listed above). If we unbound ASPA object structure from ROA-like structure we may also get rid of ASPA0 - empty set is a simple form to signal that ASN does not have any transit providers. So, the spec should say:
> 
> providerASID  SEQUENCE (SIZE(0..MAX)) OF ASID
> 
> In this case, to signal that prefix should not be seen in the BGP default-free zone ROA0 should be issued; to signal that ASN is provider-free ASPA-EMPTY (instead of ASPA0) should be issued. If we believe that this will not add ambiguity for the users I'm ok to change it.


I am leaning towards (ab)using AS0 again. I can live with empty sets, but then we need to be okay with the impact on the RTR protocol (which is still to be defined).

The empty set makes sense to me from the perspective of the ASPA profile. But it begs the question: what if multiple ASPA objects exist for the same customer AS. And one uses the empty set, and others don't. I would expect that the union of all provider ASNs from all objects are accepted. I.e. the empty set on one object cannot negate other objects. I don't expect that people will disagree with this (but please speak up if you do!) - but, this will need to be spelled out explicitly.

We still need an RTR extension to communicate the data to routers. If this is done similar to ROAs then I would expect data structures like:


   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |         zero        |
   |    2     |    X/Y   |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=16                 |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |      Customer Autonomous System Number    |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |      Provider Autonomous System Number    |
   |                                           |
   `-------------------------------------------'

Where X indicates 'announce', and Y indicates 'withdraw', similar to the flags in RFC8210 section 5.6. (Or.. an explicit flag is introduced in the header - no strong opinion on that..)

Question then is how to communicate the empty set. You would probably need a new PDU for that with its own PDU type (~Z) where there is no Provider ASN, like:

   0          8          16         24        31
   .-------------------------------------------.
   | Protocol |   PDU    |                     |
   | Version  |   Type   |         zero        |
   |    2     |    Z     |                     |
   +-------------------------------------------+
   |                                           |
   |                 Length=12                 |
   |                                           |
   +-------------------------------------------+
   |                                           |
   |      Customer Autonomous System Number    |
   |                                           |
   +-------------------------------------------+

And if there were 'announce' tuples sent earlier, then the cache would have to send a 'withdraw' for each of those as well.

In that regard using AS0 may be easier. AS0 is just another AS that you will never see in the wild for other reasons. Using it in RTR eliminates the need for an extra PDU type, and if we use it there then I think we should also use it in the ASPA profile for consistency and easier reasoning between what you see in a router, and what is published.



Tim




> 
> вт, 8 окт. 2019 г. в 09:49, Tim Bruijnzeels <tim@nlnetlabs.nl <mailto:tim@nlnetlabs.nl>>:
> Hi,
> 
> So, to re-iterate: I don't think the problem of getting only a sub-set of ASPA objects is very likely to occur, especially when using RRDP. With RRDP there are deltas that provide transactionality in publication, which at least allows operators to publish multiple objects as a single delta. But, of course, their CA software has to support this idea, rather than publish objects (+mft + crl) one by one.
> 
> However, having the option of multiple provider ASNs in a single object allows for a publication strategy (using a fixed named object) that avoids the issue altogether, as a bonus I find it a bit easier to manage for my particular implementation, and it saves a bit of space (CMS wrapping, EE cert 2048 with bit key). And on the other hand, I don't think that having:
> 
>         providerASID  SEQUENCE (SIZE(1..MAX)) OF ASID 
> 
> Instead of:
> 
>         providerASID  ASID
> 
> adds much in terms of complexity, and I do not see any other clear drawbacks (e.g. fate sharing).
> 
> 
> If multiple provider ASNs are allowed I would go on to RECOMMEND that a single object is used, but in principle implementations can still have multiple ASPA objects, each with a SEQUENCE OF 1 ASID. I expect that RPs will validate ASPA objects and build up a list of 'Validated Customer Provider Relations', and that this list/deltas - excluding duplicates - is communicated to routers in a new version of the RPKI-RTR protocol. So, it should not matter if the relations were found on 1 or more objects.
> 
> In ROAs we can only have one ASN, so multiple are needed in case a prefix is multi-homed. Although, in retro-spect multiple ASNs could have been a nice idea here too, but I don't think the problem is anywhere near big enough to warrant a re-design of the ROA spec.
> 
> Tim
> 
> 
> 
> > On 8 Oct 2019, at 00:27, Jakob Heitz (jheitz) <jheitz@cisco.com <mailto:jheitz@cisco.com>> wrote:
> > 
> > If the customer-provider objects are individual, then a relying party
> > may have a partial list of providers for one customer.
> > 
> > If all the providers for one customer are in a single object,
> > then, upon a change, the RP can have either the old object
> > or the new object, but never a partial view.
> > 
> > A partial view, IMO is worse that having the old view a little longer
> > than possible. A partial view can cause some AS-paths to be considered
> > invalid when they are not.
> > 
> > Regards,
> > Jakob.
> > 
> > -----Original Message-----
> > From: Sidrops <sidrops-bounces@ietf.org <mailto:sidrops-bounces@ietf.org>> On Behalf Of Nick Hilliard
> > Sent: Monday, October 7, 2019 5:32 AM
> > To: Jay Borkenhagen <jayb@braeburn.org <mailto:jayb@braeburn.org>>
> > Cc: SIDR Operations WG <sidrops@ietf.org <mailto:sidrops@ietf.org>>
> > Subject: Re: [Sidrops] Minor comments on draft-ietf-sidrops-aspa-profile-00
> > 
> > Jay Borkenhagen wrote on 07/10/2019 12:56:
> >> It's critical that users of ASPA data operate using a complete set of
> >> an ASN's authorized upstream ASNs.  The simplest way to communicate
> >> such a verifiably-complete set is to use a single object.
> > 
> > bits of me agree with this, but other bits not.  It's shifting the 
> > problem from an RPKI database synchronisation problem to a 
> > human-oriented data synchronisation problem.  Both are hideously 
> > difficult problems to solve, but the one which involves human input is 
> > almost certainly less reliable.
> > 
> > Nick
> > 
> > _______________________________________________
> > Sidrops mailing list
> > Sidrops@ietf.org <mailto:Sidrops@ietf.org>
> > https://www.ietf.org/mailman/listinfo/sidrops <https://www.ietf.org/mailman/listinfo/sidrops>
> > 
> > _______________________________________________
> > Sidrops mailing list
> > Sidrops@ietf.org <mailto:Sidrops@ietf.org>
> > https://www.ietf.org/mailman/listinfo/sidrops <https://www.ietf.org/mailman/listinfo/sidrops>
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org <mailto:Sidrops@ietf.org>
> https://www.ietf.org/mailman/listinfo/sidrops <https://www.ietf.org/mailman/listinfo/sidrops>
> 
> 
> -- 
> Best regards,
> Alexander Azimov

v2.23.0 | Report a Bug | By Email