Re: [Sidrops] ASPA duplicates

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 05 May 2020 07:45 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 994603A15B8 for <sidrops@ietfa.amsl.com>; Tue, 5 May 2020 00:45:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QS6mIvcs8E0F for <sidrops@ietfa.amsl.com>; Tue, 5 May 2020 00:45:11 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A38A83A15B6 for <sidrops@ietf.org>; Tue, 5 May 2020 00:45:11 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:dc54:11f4:4cf3:af71] (unknown [IPv6:2001:981:4b52:1:dc54:11f4:4cf3:af71]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 0489829BB6; Tue, 5 May 2020 09:45:09 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1588664709; bh=9uPFWhuiroEYECFwFpgOM6YrSAdjDcdjPG2HZ8PxMuU=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=dNI6VPxtGONfTr/JbyRgMs8RrjgJ5sKcD3pYgox5givGAX1Bsk2KBSPDEhhd51Pjd GuaWFTH99POyuDfKx60GRSpZX/YVLjLctc7Bk7ZObPyBDOZ3DQWhbQi8b6dZo4hvx9 ns0NsRScuc+U+Rc9HapuDBBlekIrnwq/ID1vpUmI=
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <m27dxrrf8p.wl-randy@psg.com>
Date: Tue, 5 May 2020 09:45:07 +0200
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <ED27E260-93D6-4C1C-A769-72E8473C552A@nlnetlabs.nl>
References: <87pnbrspdr.wl-morrowc@ops-netman.net> <24232.24434.41224.396200@oz.mt.att.com> <d7858280-d86f-4517-a7df-26fc64d3e7f7@www.fastmail.com> <12F90135-5597-490B-947F-F588C2ED3B48@nlnetlabs.nl> <CAEGSd=CUJ9WEUAtgdbghgbCWd6xW_KLr4_pCoWAAen_j+iW-iA@mail.gmail.com> <0BC5FAFC-A5A3-4B67-82C1-C1BE90335C95@nlnetlabs.nl> <m27dxrrf8p.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/HeTa9hFoQ4mtkMuh3XjqDW7baVI>
Subject: Re: [Sidrops] ASPA duplicates
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 07:45:14 -0000

Hi,

> On 4 May 2020, at 15:39, Randy Bush <randy@psg.com> wrote:
> 
>> This might not be easy for existing RPs - with ROAs the thought has
>> also been that they are cumulative. Now you would need to keep much
>> more state, and even check between all configured TAs - which until
>> now could just be processed in parallel.
>> 
>> I understand your reasoning, but I think this warrants at least some
>> normative wording in the document and discussion in the security
>> section. And most importantly I am curious to learn what RP software
>> implementers think (nowadays I do the CA side, which is much easier in
>> this context).
> 
> from draft-ietf-sidrops-8210bis
> 
> 11.  ROA PDU Race Minimization
> 
>   When a cache is sending ROA PDUs to the router, especially during an
>   initial full load, two undesirable race conditions are possible:
> 
>   Break Before Make:  For some prefix P, an AS may announce two (or
>      more) ROAs because they are in the process of changing what
>      provider AS is announcing P.  This is is a case of "make before
>      break."  If a cache is feeding a router and sends the one not yet
>      in service a significant time before sending the one currently in
>      service, then BGP data could be marked invalid during the
>      interval.  To minimize that interval, the cache SHOULD announce
>      all ROAs for the same prefix as close to sequentially as possible.
> 
>   Shorter Prefix First:  If an AS has issued a ROA for P0, and another
>      AS (likely their customer) has issued a ROA for P1 which is a sub-
>      prefix of P0, a router which receives the ROA for P0 before that
>      for P1 is likely to mark a BGP prefix P1 invalid.  Therefore, the
>      cache SHOULD announce the sub-prefix P1 before the covering prefix
>      P0.

Thanks for the pointer! It's unfortunate that there are no transactions, but I accept (already did) that this is what it is.

However, my point which you quoted was about the suggestion that Alexander made that there MUST NOT be multiple ASPA objects for the same customer ASN in the RPKI, and that if there are they should all be ignored - even if they are all valid objects.

At least that was my understanding of his intent. So that there is a simple model to deal with ASNs being present on multiple CA certificates in the RPKI (delegated or different TAs even) and the confusion and race conditions that may arise from managing ASPA objects with that ASN as customer ASN all together. Ignoring the objects provides a soft landing then.

I am not against this per se, but I think *this* needs clarification in the ASPA doc, and possibly some more discussion here. I am sure that it's possible, but it requires that RPs keep more state than they do today.

Furthermore, I see some advantage here (it's a simple model), but as a downside this provides a sort of denial attack where a parent CA can issue an ASPA object to essentially invalidate the object issued by the operational holder of the ASN. Worse, this can happen between TAs, so only one TA would need to be subverted in order to invalidate ASPA objects under any of the other TAs.

For ROAs the RPs just build a complete list of all VRPs found on all valid ROAs anywhere, and only then a set is made and duplicates are excluded when talking to the router. So VRPs appearing elsewhere do not have the power to force other VRPs to the 'ignore list'. For ROAs the advice is that parent CAs have a responsibility NOT to invalidate their children's announcements, and for inter RIR transfers make before break is at least theoretically possible. A similar model could also apply to ASPA objects.

I know this is a political minefield as much as a technical issue. Nonetheless, I think we should make a clear decision which scenario is desired under today's operational reality.

Tim





> 
> randy
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops