[Sidrops] Remove AFI from ASPA in draft-ietf-sidrops-8210bis-10
Claudio Jeker <cjeker@diehard.n-r-g.com> Tue, 20 June 2023 12:55 UTC
Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 190AEC151987 for <sidrops@ietfa.amsl.com>; Tue, 20 Jun 2023 05:55:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wvwl3UMJa3xA for <sidrops@ietfa.amsl.com>; Tue, 20 Jun 2023 05:55:58 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADCDFC151071 for <sidrops@ietf.org>; Tue, 20 Jun 2023 05:55:56 -0700 (PDT)
Received: (qmail 42958 invoked by uid 1000); 20 Jun 2023 12:55:53 -0000
Date: Tue, 20 Jun 2023 14:55:53 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: SIDR Operations WG <sidrops@ietf.org>
Message-ID: <ZJGh2XtuexVJ1GFP@diehard.n-r-g.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/JBHr-94Jtjsa6fb8VxMCa7HyLYY>
Subject: [Sidrops] Remove AFI from ASPA in draft-ietf-sidrops-8210bis-10
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2023 12:55:59 -0000
Hi, To remove AFI from ASPA draft-ietf-sidrops-8210bis-10 needs to be modified. I think there was already a group consensus that the version for this new draft shall remain at 2. >From my understanding there is OpenBGPD and NIST-BGP-SRx that implement 8210bis on the router side and StayRTR is the only cache which released a version with 8210bis support. My goal is to give the few OpenBGPD users which deployed ASPA a transition path and period where old AFI specifc formats are still supported but the AFI is simply ignored. At a later time those old formats will be removed and result in errors. This would allow users to update their infrastructure by updating OpenBGPD first and then the RTR cache and finally the RP software. For RTR the ASPA PDU needs to be adjusted. The simplest option here is to just change the current 'AFI flags' field to zero. For 8210bis-10 speakers this results in an IPv4 only table (AFI flag 0 == IPv4, 1 == IPv6). The result of minimaly adjusting draft-ietf-sidrops-8210bis-10 Section 5.12 would look like this: -------- 5.12. ASPA PDU 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | Version | Type | zero | | 2 | 11 | | +-------------------------------------------+ | | | Length | | | +-------------------------------------------+ | | | | | Flags | zero | Provider AS Count | | | | | +-------------------------------------------+ | | | Customer Autonomous System Number | | | +-------------------------------------------+ | | ~ Provider Autonomous System Numbers ~ | | ~-------------------------------------------~ The ASPA PDU supports [I-D.ietf-sidrops-aspa-profile]. An ASPA PDU represents one single customer AS and its provider ASes. Receipt of an ASPA PDU announcement (announce/withdraw flag == 1) when the router already has an ASPA PDU with the same Customer Autonomous System Number, replaces the previous one. The cache MUST deliver the complete data of an ASPA record in a single ASPA PDU. The Flags field is as described in Section 5. For the ASPA PDU, the announce/withdraw Flag is set to 1 to indicate either the announcement of a new ASPA record or a replacement for a previously announced record with the same Customer Autonomous System Number. If the announce/withdraw flag is set to 0, it indicates removal of the entire ASPA record for the specified Customer AS. Here, the customer AS of the ASPA record MUST be provided, the Provider AS Count must be zero, the Provider AS Numbers list MUST be null, and these last two fields MUST be ignored by the router. The Provider AS Count is the number of 32-bit Provider Autonomous System Numbers in the PDU. The Customer Autonomous System Number is the 32-bit Autonomous System Number of the customer which authenticated the ASPA RPKI data. There MUST be one and only one ASPA for a Customer Autonomous System Number active in the router at any time. There are zero or more 32-bit Provider Autonomous System Number fields as indicated in the Provider AS Count; see [I-D.ietf-sidrops-aspa-profile]. -------- The main benefit of this change is that the messages are still valid for a draft-10 router. The problem is that the IPv6 data is missing and so all IPv6 paths for published CAS are marked as invalid on these routers (so operators need to disable ASPA validation for IPv6). On top of this I'm not super happy with the text. For a start: ... the Provider AS Count must be zero, the Provider AS Numbers list MUST be null, and these last two fields MUST be ignored by the router. It is bad practice when systems are required to accept what is considered a malformed packet. Also what about length checks? In our codebase the 'Provider AS Count' is validated against the PDU length field and an error is returned if it is not consitent. Now that check (while sensible) violates the above. What about ASPA PDUs that are not a multiple of 4 bytes? Section 5.12 also does not specify how a router should act if the PDU length field and the Provider AS Count are not in sync. Are routers required to accept trailing garbage? What about cases where the count overflows the provided PDU? In short I think the text of Section 5.12 needs additional clarifications to address the above issues. So what other options do we have? There was the suggestion to remove Provider AS Count and move the Flags up to the header like it is done for the Router Key PDU: 0 8 16 24 31 .-------------------------------------------. | Protocol | PDU | | | | Version | Type | Flags | zero | | 2 | 11 | | | +-------------------------------------------+ | | | Length | | | +-------------------------------------------+ | | | Customer Autonomous System Number | | | +-------------------------------------------+ | | ~ Provider Autonomous System Numbers ~ | | ~-------------------------------------------~ If we go this route the upgrade path between draft-10 and this new version is more tricky but still doable since a session will be either following old -10 or new -11 encoding and the first ASPA PDU is an announcement and Flags == 1 in that case (using this info the system can check the new Flags field as an indicator). So the Router can detect the version of the draft used by the Cache and act accordingly. This only works if the Routers are updated before the Caches. Moving to this format has the benefit that there is no more conflict between PAS count and PDU length possible. In an update the number of PAS is the Length - 12 while a withdrawl would be just 12 bytes and carry no PAS numbers. Right now I prefer this option. While harder the implement the code responsible to transition it will result in an overall better and simpler end result. I would like to know if this second approach to change the ASPA PDU is generally accepted by this group so that I can help updating the draft accordingly. I would also adjust OpenBGPD to follow this path so that we can start the transition. Regards -- :wq Claudio
- [Sidrops] Remove AFI from ASPA in draft-ietf-sidr… Claudio Jeker
- Re: [Sidrops] Remove AFI from ASPA in draft-ietf-… Martin Hoffmann