Re: [Sidrops] rfc7607 & multiple ROAs covering same resource

"John G. Scudder" <jgs@juniper.net> Tue, 21 March 2017 18:26 UTC

From: "John G. Scudder" <jgs@juniper.net>
In-Reply-To: <15c6acae82454db0861f4dddf998669a@XCH-ALN-014.cisco.com>
Date: Tue, 21 Mar 2017 14:26:29 -0400
CC: Declan Ma <madi@zdns.cn>, Job Snijders <job@ntt.net>, "sidrops@ietf.org" <sidrops@ietf.org>
Message-ID: <D3D544F1-4120-4EA0-A053-8CAD2F16986D@juniper.net>
References: <20170321135423.tye6fyixctuyzzay@Vurt.local> <D0532F66-BDD0-4E08-B7FC-F8555F89CA06@zdns.cn> <20170321155018.ufekfatlgrelgih5@Vurt.local> <44BEFF34-13C2-4660-8439-B46F86E935F2@zdns.cn> <15c6acae82454db0861f4dddf998669a@XCH-ALN-014.cisco.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/MK-rjF8guxDM5M6ZmB4HsnFiPfg>

To add to this, there's a fairly obvious use case for having two extant ROAs, one for AS 0 and one for another ASN -- make-before-break. I'm not sure why you'd persistently have both of them, but it seems harmless. Or at least "mostly harmless" to quote D. Adams.

As for 7606 itself, I think nothing needs to be changed. The text related to ROAs is only there to provide motivation -- the only normative language in the RFC is in section 2, and it doesn't talk about ROAs or route validation. I just reread the section and it seems clear to me. In short: don't put AS 0 on the wire in a BGP message. The conversation we're now having is evidence no good deed goes unpunished -- if the motivating text had been omitted and only section 2 published, we'd be good I guess.

The 6483 section 4 language trips over itself a bit -- if it were still in draft I'd suggest removing the "by convention" language since it's nonsense. But it's harmless nonsense (or at least "mostly harmless") since in the very next clause it says "this is not a strict requirement".

Doesn't seem like there's a problem in need of fixing.

--John

> On Mar 21, 2017, at 1:56 PM, Jakob Heitz (jheitz) <jheitz@cisco.com> wrote:
> 
> RFC 7607 does use the word "only":
> 
>   This allows a resource holder to signal
>   that a prefix (and the more specifics) should not be routed by
>   publishing a ROA listing AS 0 as the only origin.
> 
> 
> https://tools.ietf.org/html/rfc6483
> 
>   In an environment of a collection of valid ROAs, a route's validity
>   state is considered to be "valid" if any ROA provides a "valid"
>   outcome.  It's validity state is considered to be "invalid" if one
>   (or more) ROAs provide an "invalid" outcome and no ROAs provide a
>   "valid" outcome.
> 
> The ROA for AS 0 provides an "invalid" outcome.
> However, the other ROA provides a "valid" outcome.
> Therefore, the final outcome is "valid".
> 
> Thanks,
> Jakob.
> 
> 
>> -----Original Message-----
>> From: Sidrops [mailto:sidrops-bounces@ietf.org] On Behalf Of Declan Ma
>> Sent: Tuesday, March 21, 2017 9:00 AM
>> To: Job Snijders <job@ntt.net>
>> Cc: sidrops@ietf.org
>> Subject: Re: [Sidrops] rfc7607 & multiple ROAs covering same resource
>> 
>> Job,
>> 
>>> On Mar 21, 2017, at 23:50, Job Snijders <job@ntt.net> wrote:
>>> 
>>> Hi Declan,
>>> 
>>> On Tue, Mar 21, 2017 at 11:22:36PM +0800, Declan Ma wrote:
>>>> [RFC6483] states “A ROA with a subject of AS 0 (AS 0 ROA) is an
>>>> attestation by the holder of a prefix that the prefix described in the
>>>> ROA, and any more specific prefix, should not be used in a routing
>>>> context.”
>>>> 
>>>> I believe this issue bears relevance with how RP software responds to
>>>> multiple ROAs existence with ROA 0 included.
>>>> 
>>>> As for the example you provide, if both ROAs have been validated
>>>> successfully, it is up to RPs to generate output to BGP speakers.
>>>> 
>>>> Even a ROA with AS 0 doesn’t preclude other valid ROAs, we should not
>>>> encourage this operation.
>>> 
>>> How and why would you discourage this, if it is a valid mode of
>>> operation? Clarity is king. There may be legitimate use cases for doing
>>> this.
>>> 
>> 
>> There MAY be legitimate use cases for doing this.
>> 
>> These cases should be justified before the WG discusses how to update RFC 7607.
>> 
>> I am open to this operation, hoping to see more detailed context in which, as you said, the owner of the ROAs
>> did that intentionally.
>> 
>> Declan (Di)
>> 
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops
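The route origin validation outcome Jakob walks through above (an AS 0 ROA and an AS 64496 ROA covering the same prefix yields "valid", because any "valid" outcome wins), and the make-before-break sequence John describes, can be checked with the following added example. It is not code from the thread or from any RP implementation; it models the RFC 6483 section 4 rule quoted above, with the documentation prefix 203.0.113.0/24 and the documentation ASN 64496 as constructed sample data. One modelling choice is labelled in the code: a ROA whose origin is AS 0 is never treated as matching a route, following the RFC 6483 text that an AS 0 ROA attests the prefix should not be routed and the RFC 7607 rule that AS 0 never appears on the wire.

```python
"""Toy RPKI route origin validation over a set of ROAs (example, not an RP's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not found"


@dataclass(frozen=True)
class ROA:
    prefix: str
    origin_as: int
    # An absent maxLength means only the exact ROA prefix length is authorised.
    max_length: Optional[int] = None

    def network(self) -> ipaddress._BaseNetwork:
        return ipaddress.ip_network(self.prefix)

    def covers(self, route: ipaddress._BaseNetwork) -> bool:
        """A ROA covers a route when the route prefix lies inside the ROA prefix."""
        net = self.network()
        return net.version == route.version and route.subnet_of(net)

    def matches(self, route: ipaddress._BaseNetwork, origin_as: int) -> bool:
        """Covering ROA whose AS equals the route origin and whose maxLength admits the route length."""
        if self.origin_as == 0:
            # Modelling choice for this example: an AS 0 ROA attests the prefix should
            # not be routed (RFC 6483), and AS 0 never appears as a BGP origin (RFC 7607),
            # so it can only contribute an "invalid" outcome, never a "valid" one.
            return False
        maxlen = self.max_length if self.max_length is not None else self.network().prefixlen
        return self.covers(route) and self.origin_as == origin_as and route.prefixlen <= maxlen


def validate(route_prefix: str, origin_as: int, roas: List[ROA]) -> str:
    """RFC 6483 section 4 rule: "valid" if any covering ROA matches, "invalid" if ROAs cover
    the route but none match, "not found" if no ROA covers it at all."""
    route = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas if r.covers(route)]
    if not covering:
        return NOT_FOUND
    if any(r.matches(route, origin_as) for r in covering):
        return VALID
    return INVALID


def make_before_break_trace(route_prefix: str, origin_as: int) -> List[Tuple[str, str]]:
    """Outcome for the route at each step of bringing a prefix into service under an AS 0 ROA:
    publish the real ROA alongside the AS 0 ROA first, then retire the AS 0 ROA."""
    as0 = ROA(route_prefix, 0)
    real = ROA(route_prefix, origin_as)
    steps = [
        ("AS 0 ROA only", [as0]),
        ("AS 0 ROA and AS %d ROA coexist" % origin_as, [as0, real]),
        ("AS 0 ROA removed", [real]),
    ]
    return [(label, validate(route_prefix, origin_as, roas)) for label, roas in steps]


if __name__ == "__main__":
    # Constructed sample data using the IETF documentation prefix and ASN.
    roas = [ROA("203.0.113.0/24", 0), ROA("203.0.113.0/24", 64496, max_length=25)]
    print("AS 64496 /24:", validate("203.0.113.0/24", 64496, roas))   # valid
    print("AS 64496 /25:", validate("203.0.113.0/25", 64496, roas))   # valid (maxLength 25)
    print("AS 64496 /26:", validate("203.0.113.0/26", 64496, roas))   # invalid (beyond maxLength)
    print("AS 64497 /24:", validate("203.0.113.0/24", 64497, roas))   # invalid (no ROA matches)
    print("uncovered   :", validate("198.51.100.0/24", 64496, roas))  # not found
    for label, outcome in make_before_break_trace("203.0.113.0/24", 64496):
        print("%-32s -> %s" % (label, outcome))
```

The trace shows why the coexistence John mentions is harmless in this model: the AS 0 ROA only matters while no other ROA matches, and adding the AS 64496 ROA flips the route to "valid" before the AS 0 ROA is withdrawn, so there is no window in which the prefix is unrouted.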