Re: [Sidrops] ASPA verification questions
Claudio Jeker <cjeker@diehard.n-r-g.com> Mon, 19 December 2022 09:14 UTC
Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB46DC151703 for <sidrops@ietfa.amsl.com>; Mon, 19 Dec 2022 01:14:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.192
X-Spam-Level:
X-Spam-Status: No, score=-4.192 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ZDzJBIzztJh for <sidrops@ietfa.amsl.com>; Mon, 19 Dec 2022 01:14:47 -0800 (PST)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F10A5C14CF13 for <sidrops@ietf.org>; Mon, 19 Dec 2022 01:14:46 -0800 (PST)
Received: (qmail 41598 invoked by uid 1000); 19 Dec 2022 09:14:43 -0000
Date: Mon, 19 Dec 2022 10:14:43 +0100
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Zhuangshunwan <zhuangshunwan=40huawei.com@dmarc.ietf.org>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Message-ID: <Y6Arg+npzCmPc7+s@diehard.n-r-g.com>
References: <Y5nh7YrUMjxOy1xA@diehard.n-r-g.com> <20221214181035.bydtb3nvtsklav4j@iolcus> <1ce683ebac624b9fa87ff32000f0aa40@huawei.com> <Y5saAzBLErhmwQM8@diehard.n-r-g.com> <d737248a3df94e73b14cff3e2b59bdf0@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <d737248a3df94e73b14cff3e2b59bdf0@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/HNX6DPJ4XJXUHmxJCJfqICToT_I>
Subject: Re: [Sidrops] ASPA verification questions
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2022 09:14:48 -0000
On Fri, Dec 16, 2022 at 11:41:42AM +0000, Zhuangshunwan wrote:
> Dear Claudio,
>
> On an actual running network, the business relationship of each EBGP neighbor is well known to the network administrator.
> In my opinion, we can simply add 2 configuration command for ASPA as follows:
>
> bgp 20221216
> peer x.x.x.x remote-as 20221217
> #
> ipv4-family unicast
> peer x.x.x.x enable
> peer x.x.x.x relationship { provider | customer | peering }
> peer x.x.x.x aspa-validation enable
> #
That is exactly what my question was about.
What about a config with missing relationship? like:
bgp 20221216
peer x.x.x.x remote-as 20221217
#
ipv4-family unicast
peer x.x.x.x enable
peer x.x.x.x aspa-validation enable
Will 'aspa-validation enable' fail because relationship is missing?
Will 'aspa-validation enable' fail silently?
Will there be some default relationship assumed?
Btw. I would not call this relationship. It is the 'role' and should
offer the RFC 9234 roles (which are also used by the ASPA draft). This way
you get two RFC with one stone. Also there are more than 3 roles defined.
Regards
--
:wq Claudio
> Kind regards,
> Shunwan
>
> > -----Original Message-----
> > From: Sidrops [mailto:sidrops-bounces@ietf.org] On Behalf Of Claudio Jeker
> > Sent: Thursday, December 15, 2022 8:59 PM
> > To: sidrops@ietf.org
> > Subject: Re: [Sidrops] ASPA verification questions
> >
> > On Thu, Dec 15, 2022 at 02:35:00AM +0000, Wanghaibo (Rainsword) wrote:
> > > Hi Ben,
> > >
> > > I agree with you.
> > >
> > > When an ISP wants to do ASPA verification, the ISP should sign its own
> > > ASPAs. Then the border router can calculate the peer's role according
> > > to that database.
> > > When we set a peer's role according to RFC9234, it also makes the
> > > calculating easier. But even if we do that, I think we may also check
> > > the peer's role configuration whether match the ASPAs, because of
> > > misconfiguration may happen.
> >
> > I desagree.
> >
> > Tying ASPA verification together with announcing ASPA objects will result in a
> > much higher bar to deploy ASPA verification at large. It also adds a
> > dependency of ASPA verification to specific ASPA objects and will cause
> > disruption if for whatever reason the ISP's ASPA object fails to validate.
> > Also it may be easier for bigger providers to enable ASPA verification well
> > ahead of adding official ASPA objects.
> >
> > I see the elegance of the proposal but I think the downsides of using
> > Validated ASPA Payloads to control ASPA verification are to big.
> >
> > --
> > :wq Claudio
> >
> > > |-----Original Message-----
> > > |From: Sidrops [mailto:sidrops-bounces@ietf.org] On Behalf Of Ben
> > > |Maddison
> > > |Sent: Thursday, December 15, 2022 2:11 AM
> > > |To: Claudio Jeker <cjeker@diehard.n-r-g.com>
> > > |Cc: sidrops@ietf.org
> > > |Subject: Re: [Sidrops] ASPA verification questions
> > > |
> > > |Hi Claudio,
> > > |
> > > |On 12/14, Claudio Jeker wrote:
> > > |> Hi all,
> > > |>
> > > |> I'm working on ASPA verification in OpenBGPD and while I have the
> > > |> basic validation algorithm working I have a question that is not
> > > |> covered by
> > > |> draft-ietf-sidrops-aspa-verification-11:
> > > |>
> > > |> What should happen with ebgp peers that have no role assigned?
> > > |
> > > |My personal view (which I have previously discussed, without
> > > |agreement, with some of the authors) is that the default
> > 'provider/non-provider'
> > > |status of an external peer should be derived from the ASPAs issued by
> > > |the local AS.
> > > |
> > > |This obviously needs a knob for override on a per-peer, per-afi basis.
> > > |
> > > |I would prefer not to have a tight coupling with RFC9234 roles in
> > > |implementations.
> > > |
> > > |Cheers,
> > > |
> > > |Ben
> > >
> > > _______________________________________________
> > > Sidrops mailing list
> > > Sidrops@ietf.org
> > > https://www.ietf.org/mailman/listinfo/sidrops
> >
> > _______________________________________________
> > Sidrops mailing list
> > Sidrops@ietf.org
> > https://www.ietf.org/mailman/listinfo/sidrops
>
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] ASPA verification questions Claudio Jeker
- Re: [Sidrops] ASPA verification questions Job Snijders
- Re: [Sidrops] ASPA verification questions Ben Maddison
- Re: [Sidrops] ASPA verification questions Randy Bush
- Re: [Sidrops] ASPA verification questions Wanghaibo (Rainsword)
- Re: [Sidrops] ASPA verification questions Claudio Jeker
- Re: [Sidrops] ASPA verification questions Zhuangshunwan
- Re: [Sidrops] ASPA verification questions Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] ASPA verification questions Claudio Jeker