Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-verification-16.txt
Nimrod Levy <nimrodl@gmail.com> Tue, 29 August 2023 18:10 UTC
From: Nimrod Levy <nimrodl@gmail.com>
Date: Tue, 29 Aug 2023 14:10:07 -0400
Message-ID: <CALTLbCG1dG72UKG-awZOoGrg3T-XDLc57MEJ+rP3szTaVEUjug@mail.gmail.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>, "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/M-clZzUmMzFsuhE_3CznHl4CBCY>

On Tue, Aug 29, 2023 at 11:41 AM Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org> wrote:

> (2) Do not include ASPA path verification in IBGP either.
> Reasons: Performing ASPA path verification and rejection of routes with
> Invalid AS path at eBGP ingress is sufficient. The AS is expected to
> maintain a consistent view of RPKI data across all its border routers.

I agree that it should be sufficient to enforce validation on eBGP, but in practice this is not always possible. Adding validation on certain iBGP sessions (on RRs for example) can add security. Understanding that this does leave some gaps, this is still a better scenario than not enforcing validation at all.

What problem do we solve by adding this restriction from validating on iBGP?

--
Nimrod