[Sidrops] Re: ASPA Provider List size limit (draft-ietf-sidrops-8210bis-16.txt)
Claudio Jeker <cjeker@diehard.n-r-g.com> Tue, 03 December 2024 10:08 UTC
Date: Tue, 03 Dec 2024 11:08:16 +0100
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Tim Bruijnzeels <tbruijnzeels@ripe.net>
CC: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>, Job Snijders <job=40fastly.com@dmarc.ietf.org>, Maria Matejka <maria.matejka@nic.cz>, "sidrops@ietf.org" <sidrops@ietf.org>
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/IXEw4xW8hL2ZYAqjtjxazOekzYY>

On Tue, Dec 03, 2024 at 10:48:15AM +0100, Tim Bruijnzeels wrote:
> Hi,
>
> > On 2 Dec 2024, at 22:44, Borchert, Oliver (Fed) <oliver.borchert@nist.gov> wrote:
> >
> > I do not believe we should restrict the number of providers in 8210-bis. The proper location is the ASPA profile draft. It is easier to in the future update the ASPA profile than modifying 8210bis. A modification of whatever RFC the current RFC 8210-bis becomes will require a new protocol version.
> >
> > The proper way going forward is to modify section 6 of the ASPA Profile draft to require that an upper boundary MUST not exceeded 10,000 provider ASes. (Or 4,000 if this is more reasonable). This can easily be updated later to a higher number.
> >
> > As of now it is already possible to generate PDU’s that allow to exceed many GB.
> > As example:
> > * The Router Key PDU (8) allows to have a key that is multiple GB of size.
> > * The Error Report PDU (10) can become multiple GB of size.
>
> I am not opposed to limiting the size of ASPA objects by including an upper boundary in the ASPA profile.
>
> > Hence the ASPA PDU (11) is not really a special case.
>
> I think the ASPA PDU also needs an upper boundary.
>
> There is no way to prevent that multiple ASPA objects are created for
> the same customer ASN, possibly under different CAs, even if we say
> “don’t do it”. Additionally, SLURM…
>
> So, while it would be good to ‘fail early and clearly’ and limit the
> ASPA object itself, I think we need an additional limit and check in
> 8210-bis.

The rtr protocol took many shortcuts to be simple with the result that
properly implementing it is hard. I fully agree that this protocol needs a
PDU size limit not only for ASPA PDU but also for all other not fixed sized
PDUs. It also requires proper error handling.

All of this was already discussed on this list and it will come up again
and again since progress on 8210bis stalled a long time ago.

--
:wq Claudio
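
One way to apply the per-PDU size limit argued for above, as an added example that is not part of the original message, the draft, or any RTR implementation: a check a router could run on the 8-byte PDU header before allocating for the body. The cap values, the assumed ASPA PDU layout and all names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical local caps, not taken from any RFC or draft: 10,000 providers
 * is the figure floated in the thread, the other two are constructed. */
#define ASPA_MAX_PROVIDERS 10000u
#define ROUTER_KEY_MAX     1024u
#define ERROR_REPORT_MAX   4096u

enum rtr_verdict { RTR_OK, RTR_UNKNOWN_TYPE, RTR_BAD_LENGTH, RTR_TOO_BIG };
struct rtr_limit { uint8_t type; uint32_t min, max, step; };

/* Type codes and fixed sizes as in RFC 8210 (protocol version 1 and later).
 * Assumed ASPA layout: 8-byte header, customer ASN, 4 bytes per provider. */
static const struct rtr_limit limits[] = {
    { 0, 12, 12, 0 }, { 1, 12, 12, 0 },     /* Serial Notify, Serial Query */
    { 2, 8, 8, 0 }, { 3, 8, 8, 0 },         /* Reset Query, Cache Response */
    { 4, 20, 20, 0 }, { 6, 32, 32, 0 },     /* IPv4 Prefix, IPv6 Prefix */
    { 7, 24, 24, 0 }, { 8, 8, 8, 0 },       /* End of Data, Cache Reset */
    { 9, 32, ROUTER_KEY_MAX, 0 },           /* Router Key: hdr + SKI + ASN + key */
    { 10, 16, ERROR_REPORT_MAX, 0 },        /* Error Report: hdr + two length fields */
    { 11, 12, 12 + 4 * ASPA_MAX_PROVIDERS, 4 },  /* ASPA */
};

/* Run on the 8 header bytes before allocating or reading the PDU body.
 * On RTR_OK, *len holds the announced total PDU length in bytes. */
enum rtr_verdict rtr_check_header(const uint8_t hdr[8], uint32_t *len)
{
    /* Length is a 32-bit big-endian field at offset 4. */
    uint32_t l = (uint32_t)hdr[4] << 24 | (uint32_t)hdr[5] << 16 |
                 (uint32_t)hdr[6] << 8 | hdr[7];

    for (size_t i = 0; i < sizeof(limits) / sizeof(limits[0]); i++) {
        const struct rtr_limit *lim = &limits[i];
        if (lim->type != hdr[1])
            continue;
        if (l < lim->min)
            return RTR_BAD_LENGTH;   /* shorter than the fixed part */
        if (l > lim->max)
            return RTR_TOO_BIG;      /* over the cap: refuse before malloc */
        if (lim->step && (l - lim->min) % lim->step)
            return RTR_BAD_LENGTH;   /* partial provider ASN at the end */
        *len = l;
        return RTR_OK;
    }
    return RTR_UNKNOWN_TYPE;
}
```

What the session does on any verdict other than RTR_OK (for example sending an Error Report and dropping the connection) is left to the caller.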