Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022
Tim Bruijnzeels <tim@nlnetlabs.nl> Mon, 07 March 2022 09:49 UTC
Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBB223A0D3B for <sidrops@ietfa.amsl.com>; Mon, 7 Mar 2022 01:49:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zuQQ3noDqI1X for <sidrops@ietfa.amsl.com>; Mon, 7 Mar 2022 01:48:52 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.126.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F94C3A0D25 for <sidrops@ietf.org>; Mon, 7 Mar 2022 01:48:51 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 6E8872C1 for <sidrops@ietf.org>; Mon, 7 Mar 2022 09:48:46 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net []) by soverin.net
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.40.0.1.81\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <BYAPR18MB26961DE9F15501CCA12ECCF1C13D9@BYAPR18MB2696.namprd18.prod.outlook.com>
Date: Mon, 07 Mar 2022 10:48:44 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <851649A5-9075-4956-8B57-E51F612DF6BD@nlnetlabs.nl>
References: <BYAPR18MB26961DE9F15501CCA12ECCF1C13D9@BYAPR18MB2696.namprd18.prod.outlook.com>
To: "sidrops@ietf.org" <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/GCKIMaYyVEqSpZvdymUoO83bvp0>
Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Mar 2022 09:49:03 -0000
Hi, I agree with the general sentiment that one VRP per ROA should be used. But I think this text is not correct: > The potential influence of operations of ROAs containing multiple IP > prefixes on BGP routers must be considered. For the ROA containing > multiple prefixes, once increase or delete one <AS, ip_prefix> pair > in it, this whole ROA must be withdrawn and reissued. Through > sychronization with repository, Relying Party (RP) fetches a new ROA > object and then notify and send all the <AS, ip_prefix> pairs in this > ROA to BGP routers. That is to say, the update of the ROA containing > multiple IP address prefixes will lead to redundant transmission > between RP and BGP routers. So frequent update of these ROAs will > increase the convergency time of BGP routers and reduce their > performance obviously. This is an issue if, per Randy's example, the entire ROA is withdrawn first, the RPs fetches and revalidates and sends withdraws for VRPs to the router, and then the new ROA is published later, validated, etc Taking the RIPE NCC system, and krill, as examples operators don't get to do this. They get to specify which *VRPs* they want and the system then takes care of republishing.. It will publish a new ROA in the same delta where the previous ROA is either withdrawn or replaced by name. The added language on failed fetches in the manifest bis further ensures that RPs will see the complete delta. RPs will work out what the diff in *VRPs* is. And it's this diff that is sent to routers. So replacing a ROA with 319 prefixes with one that has those 319 + 1 new prefix results in a 1 VRP diff. Similarly if an RP encounter multiple ROAs with the same VRP, then it will exclude duplicates when talking to the routers. Another example here.. key rolls.. When a key roll happens all ROAs are re-issued under a new key. But the VRP set is unchanged. Re-issuance of a ROA object before it would expire, essentially replacing it with a new object of the same semantic content: no VRP change. That said, the following *is* an issue, and in my opinion reason enough: > In addition, the validity period of ROA is a long time in default, > the prefix ownership change is more possible during this period, this > will cause the withdraw or re-issurance of the whole set of prefixes > containing within the same ROA Indeed, resource shrink is troublesome. (I don't think validity period matters here, as the shrink can happen at any time) If VRPS are combined then this could result in the following scenario: a ROA for 319 is suddenly invalid because of 1 overclaiming VRP - leading to a drop in 319 VRPs and router churn. Later the child discovers the shrink and issues a ROA for the remaining 318 VRPs. Resulting in router churn again. This is also why krill prefers one VRP per ROA. So, with single VRP ROAs, a shrink by the parent may cause a child to temporarily have one, or a couple of single VRP ROAs which are overclaiming, and then clean them up as soon as it finds out. Still - this is not the same for the RIPE NCC system. Their hosted system contains both the parent *and* the child. Context matters. In their case the child can re-issue ROAs before the parent changes the CA certificate issued to them - preventing overclaims. They also publish in the same repository so both changes would be seen together. Regarding: > The extreme case (a single ROA can only contain one IP address > prefix) may lead to too many ROA objects globally, which may in turn > become a burden for RPs to synchronize and validate all these ROA > objects with the fully deployment of RPKI. So it seems that a > tradeoff between the number of ROAs and the number of IP prefixes in > a single ROA should be considered. However, considering the > stability and security of RPKI and BGP routing system is the most > important target, containing one IP address prefix in a single ROA is > recommended if the CA wants to avoids the potential instability and > risks. An example to consider where multi-VRP ROAs may be applicable are the AS0 ROAs for unallocated space that some RIRs publish. There is almost no risk wrt overclaim - while publishing separate objects would result in excessive numbers. Currently krill has a strategy for this trade-off. By default it will start aggregating when a CA has more than 100 VRPs defined. And it will start de-aggregating (i.e. start using one ROA per VRP again) when this number drops below 90. The defaults can be changed in future releases based on feedback and research.. users can also override them. If we are to stop using multi-VRP ROAs altogether then this could also be done, but in my opinion there are contexts where they are not an issue but a useful optimisation. To conclude: - I think the text on router churn needs to be changed. - I interpret the trade-off discussion to mean that implementers can make a decision that in their context multi-VRP ROAs are not an issue. - I am happy to change the default strategy in krill if RP implementers are fine with potentially more objects. Tim > On 24 Feb 2022, at 23:47, Keyur Patel <keyur@arrcus.com> wrote: > > Hi Folks: > > A working group last call has been issued for draft-ietf-sidrops-roa- considerations-01, “Problem Statement and Considerations for ROA containing Multiple Prefixes”. Please reply to the list with your comments. The WGLC will end on March 10th, 2022. > > The draft can be found at: https://datatracker.ietf.org/doc/draft-ietf-sidrops-roa-considerations/. > > Regards, > Nathalie, Chris & Keyur > > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] [WGLC] draft-ietf-sidrops-roa-considera… Keyur Patel
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Rob Austein
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… George Michaelson
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Tom Harrison
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Tim Bruijnzeels
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Di Ma
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… chku
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Geoff Huston
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Geoff Huston
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Stephen Kent
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Tim Bruijnzeels
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Tim Bruijnzeels
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… YAN Zhiwei
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Christopher Morrow
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… YAN Zhiwei
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Keyur Patel
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock