IETF Logo Mail Archive

Re: [Sidrops] New Version Notification for draft-sriram-sidrops-drop-invalid-policy-00.txt

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Mon, 12 March 2018 19:06 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 091751241F8; Mon, 12 Mar 2018 12:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJzvSLIdmhxb; Mon, 12 Mar 2018 12:06:02 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0118.outbound.protection.outlook.com [23.103.200.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D73F3126C3D; Mon, 12 Mar 2018 12:06:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ntwpKdAEFlf4//dFgDqJ/1/GK6HxtCmIclPIgi9QW3M=; b=qiJ7dwznBRDG/s4K1EWkwHYpyu6Qkp+7eMmhq5ZbnYi+80i2lGFPMnO9zZVlFDG88O7dSVLwdEy/lz4Se+czgCoXqtI+haX9b8dRcSaAlz0c12Owt0CG8XgrsPmARNxk9tH6QDU3E5+QyxEa6/b4fCSVvFJVbzpb7IR+FCIfc2U=
Received: from BYAPR09MB2773.namprd09.prod.outlook.com (52.135.224.26) by BYAPR09MB2773.namprd09.prod.outlook.com (52.135.224.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Mon, 12 Mar 2018 19:06:00 +0000
Received: from BYAPR09MB2773.namprd09.prod.outlook.com ([fe80::d015:9eb2:757:ba95]) by BYAPR09MB2773.namprd09.prod.outlook.com ([fe80::d015:9eb2:757:ba95%13]) with mapi id 15.20.0548.021; Mon, 12 Mar 2018 19:06:00 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Tim Bruijnzeels <tim@ripe.net>
CC: "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] New Version Notification for draft-sriram-sidrops-drop-invalid-policy-00.txt
Thread-Index: AQHTtNWhXGiptyuPFE2FzpnwC7YBGqPDZQDegAMD+gCAAv5sAIABBZeGgAJl0QA=
Date: Mon, 12 Mar 2018 19:06:00 +0000
Message-ID: <BYAPR09MB277387883770941BD85F995B84D30@BYAPR09MB2773.namprd09.prod.outlook.com>
References: <152029076512.12908.14537578849320525718.idtracker@ietfa.amsl.com> <BYAPR09MB2773819AB3961189CDA9B4D784D90@BYAPR09MB2773.namprd09.prod.outlook.com> <074D75CB-7D34-4838-BEAA-88AE5E044F6C@ripe.net>, <20180310120844.GC35705@vurt.meerval.net> <BYAPR09MB27737CE855DAF3B51632F4F884DC0@BYAPR09MB2773.namprd09.prod.outlook.com>
In-Reply-To: <BYAPR09MB27737CE855DAF3B51632F4F884DC0@BYAPR09MB2773.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.140.122]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR09MB2773; 7:k8VTYM7qr7LvRRgFekjc2TGhpLRMnfXgOvE+OZdAW0XRJHK+EjwPA+rKusB9xc4yE4tN5c9mOYISXNetLJLPmBhiFPNRRdrrN0wqX8YezFZ9GZyjPcRQYq1qcGJ6GUoU5K7zQqJwrftU6Nm0CCRfxIRSCr6HmZECp92jfUozhrfxEDdychxM03xxhCiMjrdibhEtU2IY3TZRKVnGUJnwt+KJy4/W7MxG/0DlOQPTbWbLqYeD2c1JzaP3VfD0Ns7R
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: e843e83d-283f-4498-f9f5-08d5884c4b40
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BYAPR09MB2773;
x-ms-traffictypediagnostic: BYAPR09MB2773:
x-microsoft-antispam-prvs: <BYAPR09MB277308ADB721A67ECD8D026484D30@BYAPR09MB2773.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(232451576963924);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(10201501046)(3231220)(944501244)(52105095)(6055026)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(20161123558120)(6072148)(201708071742011); SRVR:BYAPR09MB2773; BCL:0; PCL:0; RULEID:; SRVR:BYAPR09MB2773;
x-forefront-prvs: 06098A2863
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(39380400002)(396003)(346002)(39860400002)(376002)(189003)(199004)(3660700001)(86362001)(6436002)(2950100002)(6916009)(6246003)(55016002)(15650500001)(8676002)(14454004)(7696005)(316002)(105586002)(76176011)(93886005)(102836004)(186003)(99286004)(54906003)(26005)(5250100002)(66066001)(33656002)(53936002)(81166006)(81156014)(9686003)(5660300001)(2900100001)(74316002)(59450400001)(6506007)(68736007)(8936002)(3846002)(6116002)(106356001)(229853002)(25786009)(4326008)(7736002)(478600001)(97736004)(2906002)(3280700002)(305945005); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR09MB2773; H:BYAPR09MB2773.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-microsoft-antispam-message-info: tc+7IvhTRzLSvitbn/l/IWH3qQiFzW5KaLN9TZuS9pheTLgR8K3Q12Q1dvBq8qFEorAoUP6d6kf+6/TQO64E++Mw2daTyUIuHo+4KFJ6YJAdHauNLjeYazCXeuKZnrhganKwK+7es8cYLbQdsNqPsi/rxNUkS1APQ7yL5yoaaDRIoqcBr/WgQ3mgwJtF6fznWuaRcuSg7o/lg8/pEy/Ki1j4F0OhqB48y4ASm4vgh2icZeO5E07frkbYvO50Fa3Cw6K3KOPaAmY7if+7kJLXfHdp5X0efn24ctIgNE0Bt1Px10yXN+C+xmjkxow2c/tKRXINFPpfHlrI6u0njB3WKA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: e843e83d-283f-4498-f9f5-08d5884c4b40
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2018 19:06:00.2515 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR09MB2773
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/BnIxvh8PFL50rfc52MZALkZB5Mc>
Subject: Re: [Sidrops] New Version Notification for draft-sriram-sidrops-drop-invalid-policy-00.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2018 19:06:04 -0000

Tim:

>For BOAs / AS0 ROAs to work here the semantics would have to be changed to something like: if *any* of the address space in a prefix is covered by a BOA / AS0 ROA *only* then consider it *invalid* - or *forbidden* even if we want to recognise this as a different flavour of invalid.

I agree with the spirit of your suggestion. But I feel we need to be 
careful about the meaning of "Covered by ROA."

I can think of a scenario:
ROA 1: 10.1.0.0/16   AS 0    
ROA 2: 10.1.0.0/18   ML=20   AS 64511
ROA 3: 10.1.0.0/22  AS 0
Update: 10.1.0.0/24   with some origin AS (other than AS 0)

Update for the /24 is Invalid due to any of the three ROAs.
I am pretty sure you want this Update dropped. Right?
The definition of "Covered by ROA" matters.
Especially, as I am thinking about your emphasis on *only*.
"Covered by ROA" is not defined in RFC 6811.
Instead "Covered by VRP" is defined (page 5):

   o  Covered: A Route Prefix is said to be Covered by a VRP when the
      VRP prefix length is less than or equal to the Route prefix
      length, and the VRP prefix address and the Route prefix address
      are identical for all bits specified by the VRP prefix length.
      (That is, the Route prefix is either identical to the VRP prefix
      or more specific than the VRP prefix.)

So I would suggest:

... for the Invalid route in consideration, consider the list of ROAs 
which make the route Invalid. From this list, consider 
the subset of ROAs (this may be one ROA or more)  with the *most specific prefix*.
If any of the ROAs in this subset contains an AS number that is not AS 0,
then proceed to the next step in the algorithm;
else, the Invalid route MUST be dropped.

Does this work for you? (We can discuss this further in London.)

Thank you.

Sriram

v2.23.0 | Report a Bug | By Email