Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024
Job Snijders <job@fastly.com> Mon, 05 February 2024 21:03 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28165C14F6B7 for <sidrops@ietfa.amsl.com>; Mon, 5 Feb 2024 13:03:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TDKvf6uMkEfh for <sidrops@ietfa.amsl.com>; Mon, 5 Feb 2024 13:03:53 -0800 (PST)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 818A4C14F69E for <sidrops@ietf.org>; Mon, 5 Feb 2024 13:03:53 -0800 (PST)
Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-55790581457so6842451a12.3 for <sidrops@ietf.org>; Mon, 05 Feb 2024 13:03:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1707167032; x=1707771832; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=Wyqnhzb2bYJfEMKHscydmJAoSw9ynvBkln24T3OyAxA=; b=ac6ab76+TngDaqKsTAjIajZvCUEos2ZFL1rhWrpfRQfoxik7WA3bmLc60y9XjZ8k+4 liAUfQU9dVt0YF6SeBFdRvyreCrfrhhXfHckEQb7RrM2gVoWIOEfxXUzCGTRqZ1za0nb 6i9WZhxXwn6iujlHqIMAFCRbSl/Dn4ILmBGNw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707167032; x=1707771832; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Wyqnhzb2bYJfEMKHscydmJAoSw9ynvBkln24T3OyAxA=; b=Lu3SLE50MHu+5dApP9vXsvFKx7MvRyA7GOyUNax3zKFgf7JnguDnqexznoUi3PvM1o ZWgKviesydMbg1Saj+xLpxcrQRt6Otm87325WVG5Xwb3xXMU56R2T2TcVwOyyJEpG2n0 V7/2icVAbsJyLIRt6PjUENhkNfSV9z1zn6ivT5IHsD+F2RyL2xcX4YfPHZNe7edT1132 BOy/eXsn7f8b46vjflOOtHKmwLnPR6e8GePFSK4jFpGdagpojMJnGv9pQZ0WswDFWRBU uuY89fPI62kAAH1TUlMU5F4LCISZLKiKEVM2Fs6CZ5wi/4l8JslyLiiyBGXDf+n0KF6m qnUQ==
X-Gm-Message-State: AOJu0Yx5zvleT6Idqgi1NLEUS6YnS9oCWyMJfLaomv5Wh/nYPuNL5Y// S4ULXITzjT9Mh8HS2Kr5rkh5GFpLS1NKkFG5b7zGyH/8qtQ3GyAuOpBXttpoCtc=
X-Google-Smtp-Source: AGHT+IHnaG6Tn4knzmbIcU/aAkBYGCp4cTK02C2dI9XjxmRlrVlT4O0aX/PhfN+i3i72zfjLy0n3og==
X-Received: by 2002:a17:906:ccd9:b0:a35:3ce3:c490 with SMTP id ot25-20020a170906ccd900b00a353ce3c490mr413849ejb.6.1707167031729; Mon, 05 Feb 2024 13:03:51 -0800 (PST)
X-Forwarded-Encrypted: i=0; AJvYcCUCOzKDK4FJwd7EyJAs4yvpnV6uPFjEQQYiNku+eAwNUQ7tsSnuEkfLFq/9l6qkO9NSnN0ApvfNGWsGG/TTuFGffVK3llM+ik4fSyQWWPGQnKAaom0trnKFc3IXPdWQ8NLtllfsmwwaWTguxuDsHDr8xPC9goyaF7Av46h/28mj
Received: from snel ([2a10:3781:276:3:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id dc11-20020a170906c7cb00b00a36ffe7656esm249116ejb.198.2024.02.05.13.03.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 05 Feb 2024 13:03:51 -0800 (PST)
Date: Mon, 05 Feb 2024 22:03:49 +0100
From: Job Snijders <job@fastly.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF SIDRops <sidrops@ietf.org>, IETF SIDRops Chairs <sidrops-chairs@ietf.org>, sidrops-ads@ietf.org, Keyur Patel <keyur@arrcus.com>
Message-ID: <ZcFNNfrkMFxKf5hN@snel>
References: <87h6j1kug1.wl-morrowc@ops-netman.net> <B60D7B39-FA81-45AF-BCBD-2784F91B43C3@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B60D7B39-FA81-45AF-BCBD-2784F91B43C3@vigilsec.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/G9xpLWz3Mm92ypkJsyP_bzD5G9Y>
Subject: Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2024 21:03:57 -0000
Dear all, On Fri, Jan 26, 2024 at 02:55:55PM -0500, Russ Housley wrote: > <no_hats> > > I this the WG should adopt this document. I am of the same opinion. In a previous message on this topic, Di Ma seemed to suggest that it would be mighty helpful to have a guide capturing operational lessons learned in recent years for the publication side of the house, and I concur. Let's blamelessly look back at all 'RPKI incidents' in the last few years and see if there were lessons learned to distribute via this proposed BCP. In some sections the document repeats what's already specified in Standards Tracks RFCs, but I don't necessarily see that as a bad: the proposed BCP is well positioned to elaborate on what might happen if the suggestions in original specifications are not followed. Some suggestions for draft-timbru-sidrops-publication-server-bcp-02: - Make a recommendation to Publishers to not regenerate RRDP content for every request, nor regenerate previous RRDP deltas when creating a new snapshot. This might help implementers of RRDP publication software perceive and treat older RRDP content as immutable. See https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rrdp-desynchronization/ for more details about mutations in previously published RRDP content. - Section 6 could perhaps (in addition to the phrase 'consistent') describe the desired outcome using the phrase 'atomic'. I think within our community we often describe the cause of 'failed fetches' as the repository being updated in a non-atomic fashion. - The draft might benefit from a "Recommended Reading" section (in addition to the Glossary) to help the reader understand the context. - The proposed BCP could perhaps include a section on "Monitoring Publication Points", because I am not sure all stakeholders are aware that it's massively beneficial to deploy multiple instances of different RPKI Cache implementations at a given publication point, and have monitoring software compare various entrypoint permutations: - rsync only - rrdp first, rsync second - rrdp snapshot only - rrdp only (following deltas) The above of course for multiple distinct implementations and versions of implementations. - Continuing in context of the previous suggestion - especially at the RIR-level - publication point operators should strive to support all commonly deployed validator implementations (within reason) by making those part of smoketests before deployment. No big website got big by *only* testing with Internet Explorer. I imagine Publication Point operators want to be compatible with a wide range of potential RP implementations, so testing with a wide range is helpful to help find the lowest common denominator: if one RP implementation is stricter than other RP implementations, the Publication Point adhering to the higher standard helps all deployed clients. - Perhaps also a section about common hosting problems: if you offer your publication point over IPv6, make sure that port 443 + 873 are open on IPv6. Monitor the validity of TLS HTTPS certificates (for both address families). - Perhaps a note could be added about temporarily disabling RRDP being a viable option to conserve bandwidth in (rare) scenarios where the Publication Point operator's network is congested. In low-bandwidth scenarios rsync performs far better than RRDP (a particular race condition in RRDP is avoided, rsync synchronization trivially is resumed). Notwithstanding that both PP and RP side of the house would do well to implement bandwidth conservation strategies such as implementation of HTTP content encoding compression. I do think it is helpful to remind interested readers that ultimately the objective is to /somehow/ serve RPKI data (be it via RRDP or RSYNC) in a timely fashion. Tiny tiny nits: - s/Certificate Authorities/Certification Authorities/ - s/next update time/nextUpdate time/ - s/Unique Hostname/Distinct Hostname/I Kind regards, Job
- [Sidrops] [WG ADOPTION] Adoption call: draft-timb… Chris Morrow
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Russ Housley
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Di Ma
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Ties de Kock
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Hollyman, Michael
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Lukas Tribus
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Ties de Kock
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Ties de Kock
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Claudio Jeker
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- [Sidrops] Re: [WG ADOPTION] Adoption call: draft-… Job Snijders
- [Sidrops] Re: [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- [Sidrops] Re: [WG ADOPTION] Adoption call: draft-… Christopher Morrow