Re: [Sidrops] The Horizontal INR Conflict-Detection Algorithm:Revealing INR Reallocation and Reauthorization in RPKI
zouhui <zouhui@zdns.cn> Fri, 09 July 2021 17:24 UTC
Return-Path: <zouhui@zdns.cn>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FA253A287D for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 10:24:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.327
X-Spam-Level:
X-Spam-Status: No, score=-1.327 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_EXCESS_BASE64=0.001, HTML_MESSAGE=0.001, INVALID_MSGID=0.568, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vOqlOu6uKRck for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 10:24:32 -0700 (PDT)
Received: from smtpbgeu1.qq.com (smtpbgeu1.qq.com [52.59.177.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDF1A3A2877 for <sidrops@ietf.org>; Fri, 9 Jul 2021 10:24:31 -0700 (PDT)
X-QQ-mid: bizesmtp35t1625851464t2ssxsmd
Received: from zouhuidembp-2 (unknown [120.244.216.2]) by esmtp6.qq.com (ESMTP) with id ; Sat, 10 Jul 2021 01:24:22 +0800 (CST)
X-QQ-SSF: 00400000002000F0T000B00A0000000
X-QQ-FEAT: RHxfOB/fCkTG4iiqNJNQ5BSg8NsWqeRQ/LBIje32YjS1hB5DKcafjhGv3slzC bWjIB3hlt49lIl8JpO/V/IfvweC3auIwd0pEqnCgGwfiF9rafJzEkHLMNk8Eqs2YSc2N2QB 6IjZW2jKLDU9+pwn46qCJq6rtEsRFXj8NaeU3fjZYWVE4+ScoeltXpjyi7yxoOW/iXcKYvl 6aRbJvqL2KxAvxHIXdhT1XjgoDzEuBCanFn7gmzPPqsnY9U7jr3/eOLcwzs3mEyxhJjVLAS K5E8Ak4GUIrU+5Q+cl7uJYkDe4uU1DhSRzm8CUYe3zWQiikdR+MSBSpBdsgAKj0Mn5ZKgJt 4GBI1k6odO8SnGeoySAVUl+wXcmDZj/uwSHZe/CuU44swVQf+E=
X-QQ-GoodBg: 2
X-GUID: 91632175-C5BE-7E82-AEC5-FB724B0C9D13
From: zouhui <zouhui@zdns.cn>
To: 邵晴 <shaoqing@zdns.cn>, 'Job Snijders' <job=40fastly.com@dmarc.ietf.org>
Cc: 'SIDR Operations WG' <sidrops@ietf.org>, 'Di Ma' <madi@rpstir.net>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_60E88646_02D18000_1495860F"
Content-Transfer-Encoding: 8bit
Date: Sat, 10 Jul 2021 01:24:22 +0800
X-Priority: 3
Message-ID: <tencent_C794CB2928979F411FB6AB01@qq.com>
X-QQ-MIME: TCMime 1.0 by Tencent
X-Mailer: Foxmail_for_Mac 1.5.3.14542
X-QQ-SENDSIZE: 520
Feedback-ID: bizesmtp:zdns.cn:qybgforeign:qybgforeign1
X-QQ-Bgrelay: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Hq7DMHBcYKys8krviR4dcikgx60>
Subject: Re: [Sidrops] The Horizontal INR Conflict-Detection Algorithm:Revealing INR Reallocation and Reauthorization in RPKI
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 17:24:37 -0000
Dear Job, Thanks for your comments. Please find my responses in lines. 在 2021年7月9日 18:48,'Job Snijders'<job=40fastly.com@dmarc.ietf.org> 写道: Dear 邵晴, On Fri, Jul 09, 2021 at 11:54:32AM +0800, 邵晴 wrote: > I am one of the coauthors of this paper, and this paper is as > attached,which can be accessed via > http://dl.ifip.org/db/conf/im/im2021mini/211035.pdf Thank you, I've read the paper with great interest. note 1: On page 3 there is a small error: "Up to now, APNIC [12], RIPE NCC [13] and AFRINIC [14] have published AS0 ROAs covering the undelegated IPv4 and IPv6 spaces under their management [snip]” At this moment RIPE NCC and AFRINIC do NOT publish AS0 RAOs for undelegated space. It is my hope it will remain that way, as the introduction of so-called 'AS0 Trust Anchors' adds considerable brittleness and fragility to the ecosystem :-( Sorry to not reflect the status quo of AS0 issuance by RIRs. We aimed to show that APNIC、RIPE NCC and AFRINIC already support the AS0 ROA mechanism. note 2: How would it be possible for "INR conflict A" to exist, if the superior CA has not listed the resource as subordinate. Such objects are 'uncovered' and RPs reject those objects. Second, there is a paragraph in B. INR Allocation Conflict of the Section II The INR Conflicts: “Although conflict A is included in the INR conflict model, it is not within the detection scope of the horizontal algorithm. The reason is that this type of conflict can be filtered out by the vertical algorithm, ensuring that RCs and ROAs that dissatisfy the INR encompassing relationship are not taken as inputs of the horizontal algorithm.” In other words, we consider that the conflict A is also a type of INR allocation conflict, but it is not the detection target of the horizontal algorithm, because it can be filtered by RPs. note 3: "INR conflict B" is an interesting case, because one can argue that different TAs are completely unrelated *different* PKIs, as each TA has their own Certification Policy (CP). In such an interpretation there is no conflict. So rather than considering it a 'conflict', one can argue it is a duplication of information (a coincidence) and exists to support redundancy across multiple different PKIs. I for one would welcome discussion in the RIR community to understand if the RIRs can set up a service in which they 'mirror' certain delegations under certain conditions for the resource holder in the other RIR. I would feel safer if I can publish ROAs via both RIPE NCC and ARIN, while the INR remains administratively managed by RIPE NCC. These need not be entirely automated or 'free' (gratis) services. Duplication of information can be a robustness feature. Finally, I also very much agree with your view in note 3 that duplication of information can indeed improve robustness. Our work is to provide a method of detecting duplication of information, that is, early warning, and how to deal with it later can be negotiated according to the wishes of the conflicting parties. conclusion: Thank you for putting in this work! Whether conflicts should be considered detrimental 'conflicts', or are productive ‘coincidences remains an open question, but whatever the name of the thing, monitoring the global RPKI to spot duplication of information is a worthwhile activity. I appreciate the hands-on approach in Section E to help resolve issues. Kind regards, Job _______________________________________________ Sidrops mailing list Sidrops@ietf.org https://www.ietf.org/mailman/listinfo/sidrops