IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020

Nick Hilliard <nick@foobar.org> Wed, 26 August 2020 09:55 UTC

Return-Path: <nick@foobar.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EEE33A0E29; Wed, 26 Aug 2020 02:55:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.847
X-Spam-Level:
X-Spam-Status: No, score=-2.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.948, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dSXeZCfWb9wn; Wed, 26 Aug 2020 02:55:01 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B1E23A0E24; Wed, 26 Aug 2020 02:55:00 -0700 (PDT)
X-Envelope-To: sidrops@ietf.org
Received: from crumpet.local (admin.ibn.ie [46.182.8.8]) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id 07Q9smkE068032 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 26 Aug 2020 10:54:49 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host admin.ibn.ie [46.182.8.8] claimed to be crumpet.local
To: "Borchert, Oliver (Fed)" <oliver.borchert=40nist.gov@dmarc.ietf.org>
Cc: Keyur Patel <keyur@arrcus.com>, "sidrops@ietf.org" <sidrops@ietf.org>, Daniel Kopp <daniel.kopp@de-cix.net>, "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>, "Montgomery, Douglas C. (Fed)" <dougm@nist.gov>
References: <6A0CA35A-4BA3-4063-BDA8-B93B17636B4B@arrcus.com> <b69340ac-d702-3ee2-00ec-948dc3184135@foobar.org> <F2528495-035E-4810-B865-F02A735CBE02@nist.gov>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <d536bb69-d977-baf7-64e7-a7833b351e50@foobar.org>
Date: Wed, 26 Aug 2020 10:54:47 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:52.0) Gecko/20100101 PostboxApp/7.0.27
MIME-Version: 1.0
In-Reply-To: <F2528495-035E-4810-B865-F02A735CBE02@nist.gov>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/L_OvXPG2nnHtGgzY1kQzR3b0hBM>
Subject: Re: [Sidrops] [WGLC] draft-sidrops-bgpsec-validation-signaling-03 - ends 25/August/2020
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2020 09:55:04 -0000

Oliver,

the difficulty here is not that operators might be using this, it's 
whether these signals cross administrative boundaries.  It's one thing 
to use this on your own network, and even though it's not something that 
I'd view as being a very good idea, there are two mitigating factors: 1. 
your network, your rules and 2. it's ibgp only which means that your 
interior routing infrastructure will get a full view of all routes and 
will be able to make informed routing decisions, where bgpsec signaled 
routes can be evaluated in context alongside other candidate routes.

The difficulty here is applying this to EBGP.  If this draft ends up as 
a standards track document, this is giving the process the IETF stamp of 
approval that this is a good idea and recommended practice.  This is a 
very poor idea for the reasons which I've detailed previously.

Nick

Borchert, Oliver (Fed) wrote on 26/08/2020 01:11:
> Nick,
> 
> This point has been made in the past (about origin validation signaling) and I think it is a bit of a red herring.
> 
> Operators can and are signaling validation state today with ad-hoc use of communities.  Operators do this for multiple reasons, including providing some resilience to the system should a router lose access to validating caches, to detect and diagnose RPKI state skew among routers in the same network etc.   Not having a standardized encoding of this practice won't be the determining factor of how this kind of signaling is used.
> 
> In the case of BGPsec, the need for diagnostics and resilience will be even higher.  Remember there is no "not found" in BGPsec to fall back to loss of contact with RPKI data.  If such signaling also facilitated performance optimizations or implementation of consistent policy decisions on routers that have deferred their own validation procedures, it actually might encourage more deployment than discourage it as you suggest.
> 
> In short, I see such mechanisms as supporting and encouraging deployment of these technologies - or at worse being a non-factor to the adoption question - as those who want to do this in non-standard ways will just continue to do so.
> 
> Oliver
> 
> -----------------------------------------------
> Oliver Borchert, Computer Scientist
> National Institute of Standards and Technology
> (Office) +1.301.975.4856
> (GVoice) +1.240.668.4117
>   
> 
> On 8/11/20, 4:59 PM, "Sidrops on behalf of Nick Hilliard" <sidrops-bounces@ietf.org on behalf of nick@foobar.org> wrote:
> 
>      Keyur Patel wrote on 11/08/2020 19:45:
>      > A working group last call has been requested for
>      > draft-sidrops-bgpsec-validation-signaling-03, “BGPsec Validation State
>      > signaling”. Please reply to the list with your comments. The WGLC will end
>      > on August 25, 2020.
> 
>      In general, replicating validation functionality using BGP communities
>      is a poor idea and from an ops point of view, it seems wiser as a long
>      term objective to push vendors to support bgpsec than to implement hacks
>      like this.  For this reason I don't support publication of the draft as
>      an rfc.
> 
>      Major issues:
> 
>      1. The draft lacks a problem statement and a sunset clause.
> 
>      2. Previously there's been a good deal of discussion on sidrops about
>      RPKI validation state signalling.  Several problems were listed here:
> 
>      > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fsidrops%2FYV1WfoxQNiwfOjtKIY1d6YJjRxM%2F&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7Cf3710792241d4bae15bc08d83e397d8c%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637327763936298280&amp;sdata=jfbGfpeLvSkbjjMYjIxzHtKA%2BmW3l%2B6Esky8QGrw1NQ%3D&amp;reserved=0
> 
>      Most of the problems associated with validation state signalling
>      identified in that email also apply to bgpsec validation state
>      signalling, namely:
> 
>      - crypto authentication is lost
>      - different and incompatible set of signalling hooks
> 
>      In particular all the problems associated with RPKI validation state
>      signalling over eBGP also apply to bgpsec state signalling over eBGP.
> 
>      Defining this as non-transitive is a good start, but the language needs
>      to change to ensure that it cannot escape an ASN.  Can I suggest the
>      following text changes:
> 
>      change:
>      >    If the router supports the extension as defined in this document, it
>      >    SHOULD attach the BGPsec path validation state extended community to
>      >    BGPsec UPDATE messages sent to BGP peers by mapping the locally
>      >    computed validation state into the last octet of the extended
>      >    community.  This SHOULD be done automatically for iBGP peers and
>      >    configurable for eBGP peers (see below).
> 
>      to:
>      >    If the router supports the extension as defined in this document, it
>      >    SHOULD attach the BGPsec path validation state extended community to
>      >    BGPsec UPDATE messages sent to iBGP peers by mapping the locally
>      >    computed validation state into the last octet of the extended
>      >    community.
> 
>      and change:
>      >    By default, routers SHOULD enable use of this
>      >    community on all iBGP sessions and routers SHOULD disable the use of
>      >    this community on all eBGP sessions.  Implementations MUST NOT send
>      >    more than one instance of the origin validation state extended
>      >    community and MUST drop (without processing) the BGPsec path
>      >    validation state extended community if received over an External BGP
>      >    (eBGP) peering session that has not be explicitly configured to
>      >    enable processing.
> 
>      to:
>      >    By default, routers SHOULD enable use of this
>      >    community on all iBGP sessions.  Implementations MUST NOT send
>      >    more than one instance of the origin validation state extended
>      >    community, MUST NOT attach the BGPsec path validation state extended
>      >    community to BGPsec UPDATE messages sent to eBGP peers and MUST drop
>      >    (without processing) the BGPsec path validation state extended community
>      >    if received over an eBGP peering session.
>      Nick
> 
> 
>      _______________________________________________
>      Sidrops mailing list
>      Sidrops@ietf.org
>      https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7Cf3710792241d4bae15bc08d83e397d8c%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637327763936298280&amp;sdata=auM0IyvMSRptpkD2LVEWInQIJqTEanKyc4b%2BElrTEHc%3D&amp;reserved=0
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>

v2.23.0 | Report a Bug | By Email