Re: [Sidrops] WGLC - draft-ietf-sidrops-validating-bgp-speaker - ENDS 09/07/2018 - Sept 7th 2018

Daniel Kopp <daniel.kopp@de-cix.net> Fri, 31 August 2018 12:01 UTC

From: Daniel Kopp <daniel.kopp@de-cix.net>
To: SIDR Operations WG <sidrops@ietf.org>
Date: Fri, 31 Aug 2018 12:01:40 +0000
Message-ID: <7BA3B99A-CB8E-4A0F-AC3C-9EFF7A888B62@de-cix.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/FoiZVlN7s_7GDaapkHiahdgocEw>

Hello again,

I want to follow up and hopefully revive the discussion by reviewing the motivation for the draft.

The idea is to signal the RPKI status from the route server; originally we wanted to have this limited to the domain of an IXP.
From our point of view, this is a soft start for using RPKI at IXPs, and
the trigger to work on this came from the IXP member side.

Core discussion points on the mailing list are:

1. Route servers should filter out ROA invalid prefixes. That's what we want as well.
The draft is just an addition to signal the results, and we also have different modes of operation.
However, I think every IXP should be allowed to decide for themselves how strictly they set up their route server filtering.

2. Some concerns were that this approach might pollute the DFZ with validation results.
I don't think that is the case if we want the tagging to be limited to the IXP's network.

3. Regarding the comment that forwarding ROA invalids is useless without BGP ADD-PATH (I think Nick mentioned this several times):
the draft foresees the usage of ADD-PATH, *if* that becomes widely available for EBGP. In that sense, the case for dropping
ROA invalids becomes even weaker.

4. It was said that RPKI deployment is easy nowadays, so why provide another, less secure method?
The draft is intended for networks that can't (technically) or won't (politically) implement RPKI in their own networks,
but would make use of the signalling from the route server at an IXP.
If people can deploy RPKI themselves, this is the best solution, and we would strongly encourage such deployments.

Looking forward to having a discussion around this; maybe we can find a way to make this work.

Best regards,
Daniel
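Points 2 and 3 of the message above (keeping the validation tags inside the IXP, and why forwarding tagged invalids only helps a client once ADD-PATH is available) are easier to see in a small simulation. The Python below is an added example written for this page; it is not code from the draft, from DE-CIX or from the mail's author. The community namespace `rpki:<state>`, the ROA, the prefixes and the ASNs are constructed assumptions, and best-path selection is reduced to "shortest AS_PATH".

```python
"""Toy model of RPKI validation signalling from an IXP route server.

Added example for this page, not code from the draft, from DE-CIX or from
the author of the mail.  Assumptions (not from the page): the community
namespace "rpki:<state>", the ROA below, the prefixes and the ASNs; best
path is reduced to "shortest AS_PATH".
"""
import ipaddress
from dataclasses import dataclass, replace

TAG = "rpki"  # assumed IXP-local community namespace, e.g. "rpki:invalid"

# Constructed ROA table: (prefix, maxLength, authorised origin AS)
ROAS = [("192.0.2.0/24", 24, 64500)]


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # leftmost = neighbour, rightmost = origin
    communities: frozenset = frozenset()

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def validate(prefix: str, origin_as: int) -> str:
    """RFC 6811 origin validation outcome: valid / invalid / notfound."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in ROAS if net.subnet_of(ipaddress.ip_network(r[0]))]
    if not covering:
        return "notfound"
    if any(net.prefixlen <= maxlen and asn == origin_as
           for _, maxlen, asn in covering):
        return "valid"
    return "invalid"


def route_server(adj_rib_in, mode: str, add_path: bool):
    """Return what the route server advertises, keyed by prefix.

    mode == "drop": the RS discards invalids itself (point 1 in the mail).
    mode == "tag":  the RS keeps invalids but marks them (the signalling mode).
    add_path:       send every surviving path instead of only the RS best path.
    """
    per_prefix = {}
    for r in adj_rib_in:
        state = validate(r.prefix, r.origin_as)
        if state == "invalid" and mode == "drop":
            continue
        tagged = replace(r, communities=r.communities | {f"{TAG}:{state}"})
        per_prefix.setdefault(r.prefix, []).append(tagged)
    for prefix, paths in per_prefix.items():
        paths.sort(key=lambda p: len(p.as_path))   # toy best-path selection
        if not add_path:
            per_prefix[prefix] = paths[:1]
    return per_prefix


def client_select(received, drop_invalid: bool = True):
    """RS client: honour the tag, then pick its own best path per prefix."""
    chosen = {}
    for prefix, paths in received.items():
        usable = [p for p in paths
                  if not (drop_invalid and f"{TAG}:invalid" in p.communities)]
        if usable:
            chosen[prefix] = min(usable, key=lambda p: len(p.as_path))
    return chosen


def export_to_transit(route: Route) -> Route:
    """Scrub the IXP-local tags before re-announcing outside the IXP (point 2)."""
    keep = frozenset(c for c in route.communities if not c.startswith(TAG + ":"))
    return replace(route, communities=keep)


# Constructed scenario: AS64500 legitimately originates 192.0.2.0/24 behind
# member AS64510; AS64666 announces the same prefix directly with a shorter path,
# so the RS best path is the invalid one.
ADJ_RIB_IN = [
    Route("192.0.2.0/24", (64510, 64500)),
    Route("192.0.2.0/24", (64666,)),
]


def chosen_origin(mode: str, add_path: bool):
    """Origin AS the client ends up with for 192.0.2.0/24, or None if no route."""
    chosen = client_select(route_server(ADJ_RIB_IN, mode, add_path))
    r = chosen.get("192.0.2.0/24")
    return r.origin_as if r else None


if __name__ == "__main__":
    for mode, add_path in [("tag", False), ("tag", True), ("drop", False)]:
        print(f"mode={mode:4} add_path={add_path!s:5} -> origin "
              f"{chosen_origin(mode, add_path)}")
```

Running it shows the three outcomes discussed in the thread: in "tag" mode without ADD-PATH the RS sends only its best path, which is the invalid one, so a client that drops tagged invalids is left with no route for the prefix at all; with ADD-PATH the valid path is also sent and the client falls back to it; in "drop" mode the RS removes the invalid path before best-path selection and the client receives the valid one without needing ADD-PATH. `export_to_transit` is the client-side export policy that keeps the tags from leaking into the DFZ.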