Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-verification-16.txt

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 29 August 2023 15:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/EYXvisBp5ArORsMv_mMRIkmMqzA>

Hello WG members,

Some of the authors of the aspa-verification draft (Keyur, Job, Sriram) joined by Ben M. and Oliver B. met in San Francisco (IETF 117) to bring closure on some loose ends in the draft. Later we received inputs from Doug Montgomery, Russ Housley, and Claudio also.

The discussion converged to carrying out the following actions with the draft and then uploading v-16 (which is uploaded now):

(1) Eliminate the v-15 Section 7.2 (Verification and Mitigation at Egress eBGP Router). 
Reasons: Avoid unnecessary complexity. See slide 8 of the IETF 117 presentation: https://datatracker.ietf.org/meeting/117/materials/slides-117-sidrops-aspa-draft-update . 
The OTC Attribute sufficiently helps to prevent route leaks from occurring at the local AS (see #3 below).

(2) Do not include ASPA path verification in IBGP either. 
Reasons: Performing ASPA path verification and rejection of routes with Invalid AS path at eBGP ingress is sufficient. The AS is expected to maintain a consistent view of RPKI data across all its border routers.

(3) Add the following (new Section 7.2 in v-16):

7.2.  Only to Customer (OTC) Attribute

   While the ASPA-based AS_PATH verification method (Section 7.1)
   detects and mitigates route leaks that were created by preceding ASes
   listed in the AS_PATH, it lacks the ability to prevent route leaks
   from occurring at the local AS.  The use of the Only to Customer (OTC)
   Attribute [RFC9234] fills in that gap.  The procedures utilizing the
   OTC Attribute set out in [RFC9234] complement those described in this
   document.  Implementation of those procedures in addition to ASPA-
   based AS_PATH verification is encouraged.

Comments welcome.

Thank you.

Sriram
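Added example, not from the draft or from this message: a small Python model of the RFC 9234 OTC ingress and egress procedures, showing the local-AS route-leak prevention that the new Section 7.2 says ASPA-based AS_PATH verification cannot provide on its own. The `Route` class, the role names and the documentation ASNs/prefix in the scenario are constructed here, and the RS / RS-Client roles of RFC 9234 are omitted.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Neighbor roles from RFC 9234 (the RS and RS-Client roles are omitted here).
PROVIDER, CUSTOMER, PEER = "provider", "customer", "peer"

@dataclass
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    otc: Optional[int] = None  # OTC attribute carries an AS number, or is absent

def otc_ingress(route: Route, remote_as: int, remote_role: str) -> Tuple[Route, bool]:
    """RFC 9234 ingress procedure: returns (possibly updated route, eligible?)."""
    if route.otc is not None:
        # Ingress rule 1: OTC on a route from a customer means it was leaked.
        if remote_role == CUSTOMER:
            return route, False
        # Ingress rule 2: OTC from a peer must carry that peer's own AS number.
        if remote_role == PEER and route.otc != remote_as:
            return route, False
    elif remote_role in (PROVIDER, PEER):
        # Ingress rule 3: routes from providers/peers get OTC = remote AS.
        route.otc = remote_as
    return route, True

def otc_egress(route: Route, local_as: int, neighbor_role: str) -> Optional[Route]:
    """RFC 9234 egress procedure: returns the route to send, or None if suppressed."""
    if route.otc is not None and neighbor_role in (PROVIDER, PEER):
        # Egress rule 2: a route carrying OTC is never sent to providers or peers.
        # This is the local-AS leak prevention that the ASPA check alone lacks.
        return None
    out = Route(route.prefix, (local_as,) + route.as_path, route.otc)
    if out.otc is None and neighbor_role in (CUSTOMER, PEER):
        # Egress rule 1: set OTC = local AS when advertising to customers/peers.
        out.otc = local_as
    return out

def leak_scenario(local_as: int = 64500, prov_a: int = 64496) -> dict:
    """Constructed scenario: a route learnt from provider A is offered to a
    second provider (a leak) and to a customer (legitimate). The ASNs and
    prefix are documentation values made up for this example."""
    learnt = Route("192.0.2.0/24", (prov_a, 64499))
    learnt, eligible = otc_ingress(learnt, prov_a, PROVIDER)
    return {
        "eligible": eligible,
        "otc_after_ingress": learnt.otc,
        "to_second_provider": otc_egress(learnt, local_as, PROVIDER),  # suppressed
        "to_customer": otc_egress(learnt, local_as, CUSTOMER),
    }
```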