IETF Logo Mail Archive

Re: [Sidrops] [routing-wg] misconceptions about ROV

Job Snijders <job@fastly.com> Thu, 24 February 2022 08:31 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFA8A3A0B5F for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 00:31:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PNu4E0sq1Us7 for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 00:31:36 -0800 (PST)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46C983A0B67 for <sidrops@ietf.org>; Thu, 24 Feb 2022 00:31:36 -0800 (PST)
Received: by mail-ej1-x62a.google.com with SMTP id p9so2713408ejd.6 for <sidrops@ietf.org>; Thu, 24 Feb 2022 00:31:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=GLU7+Yt0k7bnGguAqla07Ce5XVniYhzXNnlAa2zxo2k=; b=igGeOjGJ/9OdXf47axY2UYxJ1RFmmKN67fVzpmkqz4ZcWwg+npAFQkzT4vgl+dyUTR +F0DcWQ021OYDKerFKs0axvMPeubttxqDa7oVhOdfpdGKuj3K1ybBwawnE1CvOpcKeCz YjHgrpkfOTOneqjTKqOdnxFvIsgjkn7jCeN54=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=GLU7+Yt0k7bnGguAqla07Ce5XVniYhzXNnlAa2zxo2k=; b=pz0waMueJO7EbIdBawk/XdcEQZIZwVObpSNd5/ahy1+tYt1LS8djyFMGVvpqlIlGoi fMMZ2butK7ExP+L5qv1i+2ED6UcazIt/ungvrPg9DcSbwE5gq0Xkxw8qPaSgWCD7nBZb Fc5UGywaRiIz+IEeM1Ch+b4fBzvbTdIy+TUOfehR+lpo89OS8FxrrKSdq5XtEohZhMD4 S8y29R1d3iM2WOkiX+xGK2WMpTu1f8A6hYsQfbrTirLI/8h4T7K2NIVHq/aRWsgUrpvo nKE5eZpuQacUvS2MVIySck/8gWWWg/ShMivdCf/zsBoH/eE7Zrni1//5p8WdMBjiLYUO kCvg==
X-Gm-Message-State: AOAM531PAjsls1Z166I0+sQ2t6MD0n6dKRmxtsoph9vZ/DD/oe9JGs8j uX0UhCQBbPem3yxbC8j2lqEFtz+Spdtz1LGNSRtmrZv8FvairGCXJZe0GBaICv6jgNeUiTmgZXx /8r0gjRfCD6sThOr0OXJDSJ0n7UigmvZgrFIcDH+9KLJnY5cLy1k6bws=
X-Google-Smtp-Source: ABdhPJwbxPai6ocBI+GeFwpjFkBwWwaToBl/oh6aOOmaz0aiHh7islvJoP2hKWPKlw2D9Tojpv00VQ==
X-Received: by 2002:a17:906:6846:b0:6a7:671:33ea with SMTP id a6-20020a170906684600b006a7067133eamr1418615ejs.523.1645691493952; Thu, 24 Feb 2022 00:31:33 -0800 (PST)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id eq6sm934630edb.83.2022.02.24.00.31.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Feb 2022 00:31:32 -0800 (PST)
Date: Thu, 24 Feb 2022 09:31:30 +0100
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <YhdCYjS+yDVsFgNF@snel>
References: <015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn> <DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl> <YhS/WR3czIP3jNLF@snel> <ABE3FA29-6C9D-492B-A72A-68C20176E76D@nlnetlabs.nl> <949277FD-27AF-40E8-B557-AA58C62BFEA7@apnic.net> <E16290C1-77ED-4CB1-8712-F6163304ED45@nlnetlabs.nl> <m2k0dmmntj.wl-randy@psg.com> <6D314C7A-8CEC-4B9B-8F80-6B1AC48037E2@nlnetlabs.nl> <85D947F4-E2A4-4FFE-86AF-2D129C49FB9C@psg.com> <8413F0CA-F50A-42B7-B0DA-19A0A90ABE6F@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <8413F0CA-F50A-42B7-B0DA-19A0A90ABE6F@nlnetlabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/BU59jXBc-Q-Y05fo98e1E92RCXs>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 08:31:41 -0000

Hello Tim, others,

> What I meant here by "accept... on islands" is that the operator would
> have to know - somehow - where to enable BGPSec validation.
> 
> I believe that the idea was that this would be done on a BGP session
> basis. E.g. providers would insist on BGPSec from customers, or peers
> between each other etc.

"In order to indicate that a BGP speaker is willing to send BGPsec
 UPDATE messages (for a particular address family), a BGP speaker
 sends the BGPsec capability"
 source: https://datatracker.ietf.org/doc/html/rfc8205#section-2.2

Indeed, it is an operator choice whether to enable BGPsec or not, and it
is choosen per-session. Luckily most large operators have automated the
provisioning of BGP sessions.

> I wondered if (new) signed statements in the RPKI could be used to
> conclude that ASNs have pledged to use BGP Sec when possible. I.e.
> such ASNs would sign a path if they are the origin / or if the receive
> a signed path.
> 
> The receiving router could then conclude that IFF all ASNs in a path
> had made these signed statements - BGPSec validation on *that* path
> could be performed. It would be an error if signatures were missing or
> invalid.
> 
> This way operators would not have to enable this manually on a per
> session basis, and because it would be based on signed validated
> statements they could trust that it would be safe to apply for ASNs
> who issued those statements - without the need to know these ASNs
> first hand - e.g. across transit.
> 
> It would still allow for path spoofing and signature removal by
> injecting an ASN that did not sign a statement that they would do
> BGPSec. However, the options would become more limited as more ASNs
> participate - and ASPA validation would further limit the available
> choices.
> 
> As for how an ASN could sign such a statement.. one could overload
> existing router certificates but I think that is probably a bad idea -
> it could very well lead to timing issues when adopting. An alternative
> could be to have a new separate signed object for this, which would
> allow that BGPSec is tested first, before letting the world know.
> 
> Just an idea.. hoping it might help.

I am not sure it is helpful at this stage.

It seems you overlook some deployment aspects, for example: within a
given Autonomous System (during the incremental deployment of BGPsec -
which may take years) there will be ASBRs that support BGPsec and ASBRs
that are unable to negotiate support for BGPsec. For example, it is
entirely possible that at a given moment in time only half the
adjacencies for 206238_15562$ are BGPsec capable, and half are not (yet). 

See this posting for a similar story on RPKI ROV invalids:
https://mailman.nanog.org/pipermail/nanog/2021-April/213346.html

Frankly speaking, wouldn't it make far more sense to implement the
specifications AS SPECIFIED AND PEER-REVIEWED BY MANY PEOPLE,
*before* advocating new object profiles?

Especially since the CA side of BGPsec is so straight-forward and
simple to implement ... ?

Regards,

Job

ps. Since you asked, here are required reading materials:

BGPsec Protocol Specification
	https://datatracker.ietf.org/doc/html/rfc8205

BGPsec Considerations for Autonomous System (AS) Migration
	https://datatracker.ietf.org/doc/html/rfc8206

BGPsec Operational Considerations
	https://datatracker.ietf.org/doc/html/rfc8207

BGPsec Algorithms, Key Formats, and Signature Formats
	https://datatracker.ietf.org/doc/html/rfc8208

BGPsec Design Choices and Summary of Supporting Discussions
	https://datatracker.ietf.org/doc/html/rfc8374

Router Keying for BGPsec
	https://datatracker.ietf.org/doc/html/rfc8635

v2.8.7 | Report a Bug | By Email