IETF Logo Mail Archive

Re: [Sidrops] [GROW] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt

Christopher Morrow <christopher.morrow@gmail.com> Sat, 14 January 2017 17:19 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B553129C5B; Sat, 14 Jan 2017 09:19:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6OCIKXchH688; Sat, 14 Jan 2017 09:19:09 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F7AA129C5F; Sat, 14 Jan 2017 09:19:02 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id s140so83933113qke.0; Sat, 14 Jan 2017 09:19:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ATuLprx0pGRMGno84Nu4z6O616h+gHM/YnYGsuXHGjM=; b=aVuARJkWto5dW0sCiFYWCyVddPItvWIy/yaR5EnoHm84IRcpBv3i0sApgYTrsCIa1K gHx3uGK+i7y0iMHaHjluafHLX3oxpg4AgDgBUspKanlf+P1NwvyBKg/GU2E3o2xHr+Dk wIuPVcYBRqA4n1EhXpZyRSZCCepYnoNIDuO0FfWwiugRmKLNlg0x+6Fd6UrZ7Hc+FOpb Zh5ijP2ReLcrSBDDlGTwh2HgOR1CFqFVgBSB2Mc6ZuqVNQhiiD1LiC9TGPkpJh7GHdpT Uw28kcEuZWhcLTRmLhrqUWCswvJBPxd0n+O/SamuiwC8JuRKIxM6EbgpXBH9wf7kt8Fp LQ8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ATuLprx0pGRMGno84Nu4z6O616h+gHM/YnYGsuXHGjM=; b=Z/ltaCxYMWdvZ+HUnudIeGlQvz4WzHqtiOieadBnH+FnI9bgbuZs0DtQBKWsmIV2kI lFrEoVnnraRHBKm6LdiHjGjX82w1kWV3h+yXNAVCueXV7N4mnEn8MCFm1+6qFqlB+i5o c85vzQnOutkgzwyF/7N0X059s0TP0xBXY4T11vQEI0bRWMN1XbtKgm+bucBgHC33McvL 6xeSo+QSrvKQR3047ezzGZ12HbhhgyCr05vqVQ+/5goi9pZUk0OyeE0vYyJsv/cZ0ToH o+9B2Id9E9fkIycx9RpgDDaPeCLZKIVExdApMqQNVa4uEmN1mWrO/jppoeTjO8AInrwZ +5dg==
X-Gm-Message-State: AIkVDXLWFqVdR9HNU7J0hG63025GSqXKkNlsHZY0vw53I4FYX3eLAspVCCtqIZM9l8im/ylhWSsL8Pop28f3jg==
X-Received: by 10.55.7.2 with SMTP id 2mr27058170qkh.228.1484414341654; Sat, 14 Jan 2017 09:19:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.23.228 with HTTP; Sat, 14 Jan 2017 09:19:00 -0800 (PST)
In-Reply-To: <CAO367rX=a1dbr=hWCZk=L1jDCOzbfB5dhTGxM4COSxyLKO1iSg@mail.gmail.com>
References: <148433210469.9788.12815016683609966013.idtracker@ietfa.amsl.com> <20170113184009.GC1055@Vurt.local> <7C35D47D-6605-4D6D-A97E-BD7139F36DBA@gmail.com> <7f08f967-247e-4060-b643-52bc45d8ab29@Spark> <1E278B10-A5BF-40BE-95C4-7A9B6AF6C817@gmail.com> <c55845cc-ca06-45c8-9b2e-075421d0447c@Spark> <m2lgueejxr.wl-randy@psg.com> <CAO367rX1jjOdenqgouzbTRBfeaWz+TFoUjGFJVtUr9tifwAw3g@mail.gmail.com> <CAL9jLaZYtS9788WOYVgh3zHRRj_BhJ1vTxSqpoC_MP7kWpxxuA@mail.gmail.com> <CAO367rX=a1dbr=hWCZk=L1jDCOzbfB5dhTGxM4COSxyLKO1iSg@mail.gmail.com>
From: Christopher Morrow <christopher.morrow@gmail.com>
Date: Sat, 14 Jan 2017 12:19:00 -0500
Message-ID: <CAL9jLaYQRhezGCPvxEGc0_bpCL1ZSjaCv_5WutA5vCRQ4Q9V5A@mail.gmail.com>
To: Marco Marzetti <marco@lamehost.it>
Content-Type: multipart/alternative; boundary="001a114c877c88b08705461125a4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/F-bjEL08iGT0zujilpNOI3-vWiw>
Cc: Randy Bush <randy@psg.com>, sidrops@ietf.org, GMO Crops <grow@ietf.org>, Job Snijders <job@ntt.net>
Subject: Re: [Sidrops] [GROW] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2017 17:19:18 -0000

backup up a tad... somehow *(probably late-work-night clicking) I added
joel/marco to the 'reject mail' list :( (note that both are now subscribed
to the list.. if you do not want that you should go unsubscribe)

I'm sorry there were 4 messages, copied here, which didn't make it to
sidrops@

---------------- msg 1 --------------------

On 1/13/17 2:53 PM, Job Snijders wrote:
> On Fri, Jan 13, 2017 at 02:28:23PM -0800, joel jaeggli wrote:
>> On 1/13/17 1:54 PM, Marco Marzetti wrote:
>>> <rant>
>>> Every time one suggests a change related to the IXPs world we spend
>>> days arguing if it affects the neutrality and how. Do we really
>>> need that?
>>> </rant>
>>>
>>> Anyway, i can't see why IXPs can blackhole traffic (if the
>>> destination requests it), but cannot do the same with prefixes.
>>> After all if a prefix is invalid the owner requested it to be
>>> verified by the other parties.
>> In general the consequences for IX operator that either allows it
>> customers to attack each other over the exchange route-server or does
>> so itself seems severe. Loss of confidence in the disposition of one's
>> own routes seems like immediate grounds for depeering. If the routes
>> remain afterwards with the short as path; the operator is engaged in
>> prefix hijakcing.
>>
>> I personally find it dubious that I would choose to honor a third
>> parties efforts at origin validation if I did not myself validate them
>> but a signal from the exchange that it did validate the origin or that
>> there an invalid roa floating around is at a minimum very interesting.
> I still don't understand how there can be a justification as to why it
> would be OK for route servers to redistribute poisonous routes and say
> "trust me its OK i added a community!", and we expect some different
> behaviour from 'the rest of the AS's'?
>
> In a case like this
http://mailman.nanog.org/pipermail/nanog/2017-January/089823.html,
> assuming a ROA had existed for 206.125.164.0/22, what would've been the
> appropiate response from any AS involved (including route servers)?
>
>     A) "its fine, i tagged it with a community and amplified the problem
>     by propagating it to all my peers"
>
>     B) "the buck stops with me, the invalid route will not be propagated
by me"
>
> At the very least, i'd prefer the default mode should be a secure mode,
> not a 'scientifically interesting' mode.
I do wonder about the rational for saying "this is invalid, but here you go"

if I'm validating ROAs and my posture is that I don't accept routes with
invalid ROAS then I'm not taking any action on the basis of this
community. If I don't  validate, I'm not taking any action on the basis
of this community.
> Kind regards,
>
> Job
>

---------------- end msg 1 -----------------------
---------------- msg 2 -----------------------------

From: Marco Marzetti <marco@lamehost.it>
Subject: Re: [GROW] [Sidrops] I-D Action:
draft-ietf-sidrops-route-server-rpki-light-00.txt
To: joel jaeggli <joelja@bogus.com>
Cc: Randy Bush <randy@psg.com>, sidrops@ietf.org, GMO Crops <grow@ietf.org>,
 Job Snijders <job@ntt.net>
Date: Sat, 14 Jan 2017 12:58:14 +0100

Joel,

So you don't want your upstreams to honor RPKI just because they're
3rd parties between you and the other end?
In the context of IXPs: instead of peering with the RS you should
setup direct sessions with your partners if you really want to do
prefix/path validation by yourself.

Regards

--------------- end msg 2 ----------------------
-------------- msg 3 -----------------------------
From: Marco Marzetti <marco@lamehost.it>
Subject: Re: [GROW] [Sidrops] I-D Action:
draft-ietf-sidrops-route-server-rpki-light-00.txt
To: Christopher Morrow <christopher.morrow@gmail.com>
Cc: Randy Bush <randy@psg.com>, sidrops@ietf.org, GMO Crops <grow@ietf.org>,
 Job Snijders <job@ntt.net>
Date: Sat, 14 Jan 2017 13:03:56 +0100

Christopher,

As Nick has already pointed out as soon as you peer with the RS you've
already delegated some part of the decision process to the IXP.
Why RPKI can't be part of that?

After all there are IXPs that filter advertisements not covered by IRR
route objects.

Regards

--------------- end msg 3 ---------------------
--------------- msg 4 ---------------------------
From: Marco Marzetti <marco@lamehost.it>
Subject: Re: [GROW] [Sidrops] I-D Action:
draft-ietf-sidrops-route-server-rpki-light-00.txt
To: Nick Hilliard <nick@foobar.org>
Cc: Christopher Morrow <christopher.morrow@gmail.com>, sidrops@ietf.org,
 GMO Crops <grow@ietf.org>, Job Snijders <job@ntt.net>
Date: Sat, 14 Jan 2017 16:49:02 +0100

Nick,

You know the IXPs's world better then me so i take your analysis as valid.

But there's something that i would like to point out.
The concept of IXP has changed and we cannot longer consider them as
simple LANs run on top of a bunch of switches.
Of course there are small entities that fit into the original
definition, but there are also *very* large networks that move your
packets between distant locations over MPLS.
And that's much like what transit networks do.

So i can't understand why we should not encourage (in a very strong
way) RSs to run RPKI.
That doesn't mean the RS MUST drop the prefixes: They should lower the
LOCAL_PREF and as Joel has suggested add a prepend (or 2 or 3).

Regards

------------------ end msg 4 ----------------------


On Fri, Jan 13, 2017 at 5:22 PM, Marco Marzetti <marco@lamehost.it> wrote:

> Christopher,
>
> I have to admit that i am not aware of the ongoing work on sidrops, so
> i may lack the needed background, but this draft only suggests to
> re-advertise all the prefixes. No matter what.
> Am i wrong? In that case i apologize.
>
> About the forged AS_PATHs: why is this important only when it comes to
> IXPs?
>
> Regards
>
>
> On Fri, Jan 13, 2017 at 11:05 PM, Christopher Morrow
> <christopher.morrow@gmail.com> wrote:
> >
> >
> > On Fri, Jan 13, 2017 at 4:54 PM, Marco Marzetti <marco@lamehost.it>
> wrote:
> >>
> >> <rant>
> >> Every time one suggests a change related to the IXPs world we spend
> >> days arguing if it affects the neutrality and how.
> >> Do we really need that?
> >> </rant>
> >>
> >> Anyway, i can't see why IXPs can blackhole traffic (if the destination
> >> requests it), but cannot do the same with prefixes.
> >> After all if a prefix is invalid the owner requested it to be verified
> >> by the other parties.
> >>
> >
> > I think part of job's point (and randy's in a way) is that you actually
> > don't know if:
> >   192.168.0.0/23 AS1 AS3 AS8
> >
> > is valid, even if you see a ROA:
> > 192.168.0.0/16 AS8 max-len /23
> >
> > ... because there's nothing that keeps AS-ME from sending AS-JOB a route
> > with AS8 prepended on the as-path.
> >
> >>
> >> I suggest to default to drop and, if possible, to switch to announce
> >> with community if the peer requests it (for instance someone may want
> >> to collect invalid routes for analysis).
> >>
> >
> > i think you are describing implementations that the IXP may choose... I
> > don't know that this draft needs to specify that at all.
> >
> > -chris
> >
> >>
> >> On Fri, Jan 13, 2017 at 10:20 PM, Randy Bush <randy@psg.com> wrote:
> >> >> Adding grow@ietf.org for reality check.
> >> >
> >> > no comment :)
> >> >
> >> > when you choose to use a route server [0], you have out-sourced much
> of
> >> > your policy and operational responsibilities.  seems to me that
> whether
> >> > this includes security decisions is a contract between the user and
> the
> >> > route server.
> >> >
> >> > so i might tell the server to drop invalids.  if i do not take that
> >> > (configurable, i presume) option, having the server mark them seems
> >> > helpful.
> >> >
> >> > randy
> >> >
> >> > --
> >> >
> >> > 0 - i suspect none of job, carlos, or i do.  so this is the experts
> >> >     telling other people what they should do. :)
> >> >
> >> > _______________________________________________
> >> > GROW mailing list
> >> > GROW@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/grow
> >>
> >>
> >>
> >> --
> >> Marco
> >>
> >> _______________________________________________
> >> GROW mailing list
> >> GROW@ietf.org
> >> https://www.ietf.org/mailman/listinfo/grow
> >
> >
>
>
>
> --
> Marco
>

v2.23.0 | Report a Bug | By Email