Re: [Sidrops] WG ADOPTION - draft-madi-sidrops-rush - ENDS 10/12/2020 (Oct 12th)

Di Ma <madi@rpstir.net> Wed, 28 October 2020 12:50 UTC

Return-Path: <madi@rpstir.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87C4A3A0A42; Wed, 28 Oct 2020 05:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RpTiPs0YEPuj; Wed, 28 Oct 2020 05:50:26 -0700 (PDT)
Received: from out20-50.mail.aliyun.com (out20-50.mail.aliyun.com [115.124.20.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A3903A0A47; Wed, 28 Oct 2020 05:50:23 -0700 (PDT)
X-Alimail-AntiSpam: AC=CONTINUE; BC=0.06483812|-1; CH=green; DM=|CONTINUE|false|; DS=CONTINUE|ham_system_inform|0.326121-0.154525-0.519354; FP=0|0|0|0|0|-1|-1|-1; HT=ay29a033018047192; MF=madi@rpstir.net; NM=1; PH=DS; RN=9; RT=9; SR=0; TI=SMTPD_---.Ipao-Mx_1603889411;
Received: from 192.168.8.2(mailfrom:madi@rpstir.net fp:SMTPD_---.Ipao-Mx_1603889411) by smtp.aliyun-inc.com(10.147.40.200); Wed, 28 Oct 2020 20:50:11 +0800
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Di Ma <madi@rpstir.net>
In-Reply-To: <132DD2FB-C6D7-4F41-B532-3786C129CDA6@rpstir.net>
Date: Wed, 28 Oct 2020 20:49:51 +0800
Cc: SIDROps Chairs <sidrops-chairs@ietf.org>, "sidrops-ads@ietf.org" <sidrops-ads@ietf.org>, Guyunan <guyunan@huawei.com>, SIDR Operations WG <sidrops@ietf.org>, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, Chris Morrow <morrowc@ops-netman.net>, Melchior Aelmans <melchior@aelmans.eu>, Christopher Morrow <christopher.morrow@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <12B9F3F2-13AD-48DF-8773-BBE498DDE5FE@rpstir.net>
References: <CAL9jLaZAC9soiJKy856dWexjAmh5=brBnnUOrUjeSHLR_CKJTQ@mail.gmail.com> <8B99CEB3-7CBC-4D12-89BB-8AEE65DE63DA@verizon.net> <20201022161740.GT58295@bench.sobornost.net> <CCA4C0DF-00E3-4ED2-81A6-BC7AFE1BC532@rpstir.net> <20201023134459.GE32039@bench.sobornost.net> <132DD2FB-C6D7-4F41-B532-3786C129CDA6@rpstir.net>
To: Job Snijders <job@ntt.net>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/F3X71DjS3uHgaQAaR9cLvw17yiQ>
Subject: Re: [Sidrops] WG ADOPTION - draft-madi-sidrops-rush - ENDS 10/12/2020 (Oct 12th)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2020 12:50:29 -0000

Job,

We authors are fine with removing AS0 usecase in RUSH after some discussions.

Di


> 2020年10月28日 14:32,Di Ma <madi@rpstir.net> 写道:
> 
> Job,
> 
> Sorry for my late response.
> 
> 
>> 2020年10月23日 21:44,Job Snijders <job@ntt.net> 写道:
>> 
>> Hi Di,
>> 
>> On Fri, Oct 23, 2020 at 09:18:21PM +0800, Di Ma wrote:
>>>> 2020年10月23日 00:17,Job Snijders <job@ntt.net> 写道:
>>>> I am hesitant to support adoption as I feel this opens yet another
>>>> not-at-all-validated channel into pandora's box. I don't think this
>>>> draft in its current form is ready for adoption.
>>>> 
>>>> If this work is to proceed, I'd like RUSH to *strictly* limit itself to
>>>> transportation of VRPs within a *single* trust domain. If you are not
>>>> willing to give the operator of the RUSH endpoint absolute unrestricted
>>>> 'enable' access on your BGP routers, they are outside your trust domain
>>>> and one should not talk RUSH with them.
>>> 
>>> You have got the essence of RUSH: TRUST.
>> 
>> RUSH seems the opposite of TRUST. All validation steps from which we can
>> derive a degree of trust have been removed?
> 
> The trust in the RPKI roots in the public key that an RP uses to validate a X.509 certificate or a signed object. 
> 
> The trust in RUSH basically is the key bound to the cache server to do authentication which by the way is out of band of the RPKI.  Or the trust can also be the shared-key pre-configured between cache server and cache client of a RUSH connection in question.
> 
> 
>> 
>>> But, trust is not necessarily limited into the *single* trust domain.
>>> If I am allowed to exaggerate, RUSH even can used between two tier 1
>>> ISPs as long as one trusts the other. 
>> 
>> Interesting point, indeed we could iterate over all permutations of
>> possibilities, but what you mention is simply not how things are done in
>> practise between tier 1s (or other networks). I fail to see how the
>> exaggregation supports the Internet-Draft.
>> 
> 
> An exaggerated example might not implemented in practice but helps make the statement more straightforward.
> 
> 
>>> I think we authors have articulated the essential usecase.
>> 
>> Please see below.
>> 
>>>> The offending paragraph is this one:
>>>> 
>>>>  "o AS0 SLURM File Delivery The Regional Internet Registries (RIRs)
>>>>  need to publish assertions with origin AS0 ([RFC6491]) for all the
>>>>  unallocated and unassigned address space (IPv4 and IPv6) for which
>>>>  it is the current administrator.  RUSH is able to deliver those
>>>>  assertions to RPKI relying parties if so called AS0 SLURM file are
>>>>  generated by the RIR."
>>>> 
>>>> Here is an *explicit* example of the detrimental effects of so-called
>>>> RIR 'AS 0' policies https://www.ripe.net/ripe/mail/archives/routing-wg/2020-June/004131.html
>>>> Do we really want to create big red buttons that can be pressed to nuke
>>>> *countries* off the global Internet Routing system? Surely that is not
>>>> our intention. I'm a pacifist, I do believe that if we don't develop
>>>> machine guns, machine guns can't be used against other human beings.
>>> 
>>> AS0 is only a potential usecase and it is a policy issue whether the
>>> community decide to use RUSH to implement AS0. 
>>> 
>>> But we just want to offer the tool. 
>> 
>> Yes, you want to offer a tool, but as I mentioned the existence of some
>> tools is not without consequences to the global routing system. When a
>> big red dangerous button is created, at some point someone somewhere
>> will want to push it.
>> 
>> I'll note for full transparency to this group that one of the co-authors
>> of the RUSH Internet-Draft is also the co-author of a "RIR AS0" policy,
>> which was rejected by the RIR community in which it was submitted.
>> 
>> From my perspective the many discussions all over the globe (which so
>> far have taken place in APNIC, AFRINIC, RIPE, and LACNIC), is now just
>> spilling over to SIDROPS. Just like in all those RIR policy forums, it
>> should come as no surprise it will meet some resistance in this forum
>> too. As one of the use cases explicitly references 'AS 0' policies, it
>> no longer can be positioned as a neutral tool but has become part of a
>> wider (contentious) discussion.
> 
> I did note the discussions in RIPE Routing WG where AS0-slurm proposal did not reach consensus.
> 
> But I have not got the similar observation in APNIC, LACNIC, ARIN and AfriNIC community. I would like to hear from them.
> 
> Anyway, AS0-slurm is just one of the usecases.  Should it not be proper to be a RUSH usecase, RUSH should not be denied on the whole.
> 
>> 
>>> As I mentioned,  trust is not necessarily limited into a *single*
>>> trust domain.
>> 
>> Interesting, I am not sure I understand your definition of trust
>> domains. I am not even sure what my definition is, but I will point out
>> that the RIRs generally are *not* considered something to blindly trust.
>> The channel from RIR to Network Operator for RPKI related data is -
>> right now - one that strictly flows through a X.509 verifyable chain,
>> and RUSH is a novel way which sidesteps an existing more secure
>> mechanism. Why water that channel down?
> 
> I think the first two usecases described in the draft are easy to be implemented in a commonsense trust domain.
> 
> 
> o Cache Distribution
>   RUSH can be used to distribute a RPKI validated cache within a single
>   ASN or network, for example a confederation composed of a number of
>   ASes.  A small site or enterprise network MAY also use RUSH by
>   synchronizing with a third-party RPKI cache provider over external
>   networks.
> 
>   o Local Control over Networks
>   Network operators MAY want to inject SLURM Assertions/Filters via an
>   API offered by RPKI validator/cache.  RUSH is therefore able to carry
>   out such local control signals inside an administrative bailiwick in
>   a secure manner.
> 
> 
> Di
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops