Re: [Sidrops] [GROW] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt

["i3D.net - Martijn Schmidt" <martijnschmidt@i3d.net>]

Hi all,

Invalid is invalid: it means that someone is hijacking the prefix,
because the owner of the resource is telling us through RPKI that the
route should be originated by a different ASN. If your BGP
implementation is able to detect that it should not propagate the
hijacked route. If your BGP implementation is not able to understand
RPKI (hi Brocade), then it would be nice to receive at least some form
of protection via the route-server if you choose to use it.

The argument that it should just be another parameter for the best path
election on the route-server is weak at best, many networks wouldn't
advertise their valid prefix with correct origin to that specific
route-server - or not to any route-server at all. And that'd
automatically mean that the invalid prefix is going to be propagated by
the route-server.. which is undesirable.

Best regards,
Martijn Schmidt

On 01/16/2017 12:03 AM, Matthias Waehlisch wrote:
> I don't know if we are losing sight. The argument that RS is doing best 
> path selection was stated several times.
>
> However, I still don't buy the argument "route servers and rpki are an 
> uncomfortable fit."
>
> I buy the argument that fine-grained policy configuration challenges RS 
> operation. And for sure the principle is indepdent of RPKI. In the most 
> boring case, the decision results in "Prefer the route received from the 
> lowest peer address." Ups, is this the IP address of the peering LAN, 
> given by the IXP.
>
> What is specific to RPKI is proxying of security-related meta data 
> (i.e., easier deployment of new protocols via RS).
>
> For example, in the case of policy prefer-valid-over-invalid AND there 
> is no valid, RS would announce the (invalid) prefix to peer P. P also 
> established private peering and receives announcement for the invalid 
> prefix. Without deploying RPKI, this BGP speaker could benefit from RS 
> meta data, dropping both.
>
>
>
> Cheers
>   matthias
>
> On Sat, 14 Jan 2017, Nick Hilliard wrote:
>
>> Matthias Waehlisch wrote:
>>> the current discussion makes clear that documentation of 
>>> origin-validation-signaling in IXP context is needed
>> rpki is conceptually no different to any other type of signaling
>> mechanism: it's simply another input into the BGP decision engine
>> process, just like communities or meds or as-path.
>>
>> What we're losing sight of here is that it's the route server which
>> calculates the best path for each route using the routing decision
>> engine, and then sends a _single_ best path to the client. Conceptually,
>> it doesn't matter whether the tie-breaker on the route server is
>> communities, meds, as-path or rpki: the point is that the policy
>> decision mechanism needs to be configured on the route server itself,
>> because the route server is the device which is calculating the best
>> path.  If the route server operator doesn't do this, the clients will
>> end up with path hiding (see 2.3.1 in rfc7947).  I.e. it's nothing
>> specific to rpki.
>>
>> This is already extensively documented in rfc7947 and rfc7948.
>>
>> Nick
>>
>