IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Martin Hoffmann <martin@nlnetlabs.nl> Thu, 23 March 2023 15:21 UTC

Return-Path: <martin@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0584AC1524A3 for <sidrops@ietfa.amsl.com>; Thu, 23 Mar 2023 08:21:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TNzojv2qjZm4 for <sidrops@ietfa.amsl.com>; Thu, 23 Mar 2023 08:20:55 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [185.233.34.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80B55C151701 for <sidrops@ietf.org>; Thu, 23 Mar 2023 08:20:54 -0700 (PDT)
Received: from smtp.soverin.net (c04smtp-lb01.int.sover.in [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 4Pj8Dh1RRdz20; Thu, 23 Mar 2023 15:20:52 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.99]) by soverin.net (Postfix) with ESMTPSA id 4Pj8Dg57fZzN1; Thu, 23 Mar 2023 15:20:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1679584852; bh=STT0Tv2QmU391caA2hr82jVgK9tnZR1+Ww+gFBzGzWA=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=T3maD/808Q2schJeuXpV4/2cFdFNU4215C4PAEWiW26sCdaoss3w68CzXVNl9YkzC Vb/gy1jAnU8vWuBd+NHQt4q0eA3+8yYBmERHd0j/1pekTKHbaQZ/qCizJ2mzM6UZ3u I1K0uiyMVvdh3a4x0mXGhfyHCHkr6maoGr2e6w6ELAoIiz69e3HdU3DcW+Uu05a8ks AbQVg8yDfZU+8JUcMVQzlzioStsUviBggolS36ASZmEn79x6CnMO4I3tA+cyUKrKCn 9JhlhR6OUbRpjFXqqlSPFK3KZ9lkCzc8ciiO1FTGx4IZyK3emixfnroHnTbAz5yMsS Pot+NRnZ56l3A==
Date: Thu, 23 Mar 2023 16:20:51 +0100
X-Soverin-Authenticated: true
From: Martin Hoffmann <martin@nlnetlabs.nl>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: Amreesh Phokeer <phokeer=40isoc.org@dmarc.ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, Aftab Siddiqui <Siddiqui@isoc.org>, Max Stucchi <stucchi@isoc.org>, Hanna Kreitem <Kreitem@isoc.org>
Message-ID: <20230323162051.3069b516@glaurung.nlnetlabs.nl>
In-Reply-To: <ZBxfj74YFy/5Fhax@diehard.n-r-g.com>
References: <SJ0PR06MB7677230255CC9134CAF94E98D6879@SJ0PR06MB7677.namprd06.prod.outlook.com> <ZBxfj74YFy/5Fhax@diehard.n-r-g.com>
Organization: NLnet Labs
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/KiD-P9qgojsE9BS6WVuprstSCyI>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2023 15:21:00 -0000

Claudio Jeker wrote:
> On Thu, Mar 23, 2023 at 01:22:32PM +0000, Amreesh Phokeer wrote:
> > Hello,
> > 
> > Thank you to all those involved in this draft. We have reviewed the
> > document and here are our comments:
> > 
> >   1.  Section 4: “An AS SHOULD NOT have more than one ASPA”
> >      *   It should be clarified that one ASPA per AFI is tolerated  
> 
> In general this is a bad adivice and therefor should not be further
> clarified.

I don’t think that’s what the comment is about. Rather, there is an
inconsistency in the document. Section 4 first RECOMMENDS against using
the AFI limit and then proceeds to say you SHOULD only have one ASPA
objects. This can be interpreted that if you are using the AFI limit
(which you are allowed to, it is just not recommended), you still can
only have one ASPA object. So, if you use the AFI limit, you can only
use ASPA for IPv4 or IPv6 but not for both. Surely that is not the
intention?

> As with all ASPA objects the RP software and router must
> build the union of all providers per CAS. Now one could issue an
> object per provider and AFI but it is not a very sensible thing to do.
> 
> The CAS is the primary lookup key.

Is it? In RTR, an ASPA entry contains both a mandatory customer AS and
a mandatory AFI -- you cannot say “this entry is for both.” This means
that in RTR land, the ASPA sets for IPv4 and IPv6 are distinct. The
primary key is the pair of customer AS and AFI.

This is the disconnect I mentioned earlier -- perhaps I posted this to
the wrong thread. The verification draft talks about things in terms of
the ASPA objects published but a router actually implementing it has to
build its data structures based on RTR.

Thus, the verification draft follows your argument: Don’t use the
afiLimit, have one ASPA object for your customer ASN. But 8201bis then
twists that around and has a mandatory AFI field on the RTR PDU.

Given that this is already leading to confusion here, it should
probably be resolved before publishing.

> >   2.  VAP: it is unclear whether how the VAP will be merged but
> > grouped by AFI in the case of multiple ASPAs?  

That the sets of provider AS of multiple ASPA objects for the same
customer AS should be merged is only mentioned in 8210bis but at no
point in either the profile or verification drafts. One of them should
probably spell out how the (on or two) VAPs for a customer AS are to be
created from a the set of ASPA objects.

  -- Martin

v2.23.0 | Report a Bug | By Email