Re: [Sidrops] [GROW] Any credence to AS_SET in the *middle* between AS_SEQUENCEs?

Nick Hilliard <nick@foobar.org> Thu, 21 July 2022 11:26 UTC

To: Job Snijders <job@fastly.com>
Cc: GROW WG <grow@ietf.org>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <185958bf-ddfd-8e69-a086-a29290ec13e7@foobar.org>
Date: Thu, 21 Jul 2022 12:26:35 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/HWB_eTmTvzhBzxQ73v0dVt49kjk>

Job Snijders wrote on 21/07/2022 10:37:
> In the spirit of RFC6472, any route with an AS_SET in it should not be 
> considered valid (by ASPA-based validation).

An AS_SET inside an AS_SEQUENCE only makes sense from the point of view 
of the organisation issuing the route wanting to do weird EBGP loop 
detection. This is their problem though.  No-one wants to see the inside 
of other people's sausage factories.

Apart from the deprecation in RFC 6472, there's also RFC 6907, which has
a complex set of rules for handling routes with an origin which is an 
AS_SET.  This complexity is already not good, and of dubious practical 
use.  Replicating something similar to this in ASPA seems like a bad 
idea overall.

The current approach in -09 of marking the route as Unverifiable seems 
reasonable.  5.3 states that "Unverifiable" SHOULD be treated as 
semantically equivalent to "Invalid".

So yeah, why not just mark as "Invalid" and be done with it?

Nick
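
The AS_SET handling discussed in this message, as an added example that is not code from the draft or from either poster: it decodes an AS_PATH attribute value (RFC 4271 segment layout, assuming 4-octet ASNs) and returns a fixed verdict as soon as any segment is an AS_SET, wherever it sits in the path. The function names and sample paths are constructed for illustration, and the `verdict` parameter only exists so the "Unverifiable" marking in -09 can be compared with the "Invalid" marking proposed above.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment type codes (RFC 4271)

def encode_segment(seg_type, asns):
    """Build one AS_PATH segment: type, AS count, then 4-octet ASNs."""
    return bytes([seg_type, len(asns)]) + struct.pack(f"!{len(asns)}I", *asns)

def parse_as_path(data):
    """Decode an AS_PATH value (4-octet ASNs) into [(type, [asn, ...]), ...]."""
    segments, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated segment header")
        seg_type, count = data[off], data[off + 1]
        end = off + 2 + 4 * count
        if seg_type not in (AS_SET, AS_SEQUENCE) or count == 0 or end > len(data):
            raise ValueError(f"malformed segment at offset {off}")
        segments.append((seg_type, list(struct.unpack(f"!{count}I", data[off + 2:end]))))
        off = end
    return segments

def as_set_precheck(data, verdict="Invalid"):
    """Return (verdict, indexes of AS_SET segments), or (None, []) if the path
    is AS_SEQUENCE-only and can go on to the ASPA procedure (not shown)."""
    segments = parse_as_path(data)
    hits = [i for i, (seg_type, _) in enumerate(segments) if seg_type == AS_SET]
    return (verdict, hits) if hits else (None, [])

# Constructed sample paths using documentation ASNs.
MIDDLE_SET = (encode_segment(AS_SEQUENCE, [64496, 64497])
              + encode_segment(AS_SET, [64500, 64501])
              + encode_segment(AS_SEQUENCE, [64510]))
PLAIN = encode_segment(AS_SEQUENCE, [64496, 64497, 64510])

if __name__ == "__main__":
    print(as_set_precheck(MIDDLE_SET))                  # AS_SET found at segment index 1
    print(as_set_precheck(MIDDLE_SET, "Unverifiable"))  # same path, -09 style marking
    print(as_set_precheck(PLAIN))                       # no AS_SET, continue to ASPA
```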