Re: [Sidrops] I-D Action: draft-ietf-sidrops-route-server-rpki-light-02.txt
Job Snijders <job@instituut.net> Tue, 25 July 2017 18:45 UTC
Return-Path: <job@instituut.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83A26131EBD for <sidrops@ietfa.amsl.com>; Tue, 25 Jul 2017 11:45:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=instituut-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oaMSXU1SOXTs for <sidrops@ietfa.amsl.com>; Tue, 25 Jul 2017 11:45:33 -0700 (PDT)
Received: from mail-wr0-x229.google.com (mail-wr0-x229.google.com [IPv6:2a00:1450:400c:c0c::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4903A131EBB for <sidrops@ietf.org>; Tue, 25 Jul 2017 11:45:33 -0700 (PDT)
Received: by mail-wr0-x229.google.com with SMTP id v105so92450808wrb.0 for <sidrops@ietf.org>; Tue, 25 Jul 2017 11:45:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=instituut-net.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=eEfu8OJOMMwmQTCH0M/8iiCY69jgCwPRg8TTp0SI80g=; b=M6zSVdK94QFomABFxINcUXX1VM/Huhngotz9gacStaMAZhvrQFXm8iLCCqNUt6cJNW gBpLqIb93bOjKBieds4/lncuHSe3kPcVGaOOUMb3vjJRow9migLbg+nitjuvzBxvbIhJ ET24kv0v+KIaxYWWw8LYP04XkYoSGA3jflfncTDLpwtZccs5pnqns18zqzUJBtcCdaxR XLGeQVpOO5OG+q3kMXCfj76EznFm5eukrPTD9RakcvP4bZqUnrnBKnhkO6ozSsA/VCk7 W3YsNgYm0XfgHbh995UuUlbaD8/rD1JNqoch6gkP2aQv/e39fnTB+e+5cxupKBdfVSpH iLtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=eEfu8OJOMMwmQTCH0M/8iiCY69jgCwPRg8TTp0SI80g=; b=AB3LfI7ixoWWTXVqSyJ/CFqQj/jKCct6jYk6xZisSra0WgQSlrme2r4sREh7tkzX7n aYEPHEdZjTDqWMg/ceJ7psjtBWXFupfB4vEAYIIh9Zv85HNH/npiGqM5kHiUR7yoJz7/ O0HP2rfM0bDldO7v/ex0IuaMe6pvWS+WlJWSI0F/Eld4SbHS1HoTOATb2ZBoB9K3oCkU +SKIfHn3raYPAviQ8emph3bhn7LLxNC6zllj6aWfVLPNlnQBPaLRQsRHjDNq6lh/MPeq fGsDvI6lwFYbfjgnxXXP4tbS4/jUaBrNrNX67yU8n/9Drt5LfcuKwKCAukMGjEj9jSq/ dF6g==
X-Gm-Message-State: AIVw110WDEw7+f5OGKaQF/yy3EYsjq/x9S4S8XGmzhUpguYV6Dbmrb/H j8zAGcKtjV8AR/Lj
X-Received: by 10.223.168.70 with SMTP id l64mr21388157wrc.94.1501008331496; Tue, 25 Jul 2017 11:45:31 -0700 (PDT)
Received: from localhost ([2001:67c:208c:10:7065:5e1b:6a46:2fbb]) by smtp.gmail.com with ESMTPSA id q2sm10638969wmg.3.2017.07.25.11.45.30 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Jul 2017 11:45:30 -0700 (PDT)
Date: Tue, 25 Jul 2017 20:45:28 +0200
From: Job Snijders <job@instituut.net>
To: Aris Lambrianidis <aristidis.lambrianidis@ams-ix.net>
Cc: Nick Hilliard <nick@foobar.org>, "sidrops@ietf.org" <sidrops@ietf.org>, draft-ietf-sidrops-route-server-rpki-light@ietf.org
Message-ID: <20170725184527.qyd63ipba2mvyksl@Vurt.local>
References: <149192729348.15702.14003842869826829117@ietfa.amsl.com> <8EB8DB53-793E-4269-8CF4-6BAB1D2B76B6@de-cix.net> <B3BC1C5C-27AE-4809-82B6-297D090CEF0C@ams-ix.net> <5971FE7B.6060607@foobar.org> <F1D60787-5C00-46EF-BADE-8E68ECDEB506@ams-ix.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F1D60787-5C00-46EF-BADE-8E68ECDEB506@ams-ix.net>
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: NeoMutt/20170714 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/MZopp9EkfiNRjyO3_uOKXgRNxNA>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-route-server-rpki-light-02.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 18:45:35 -0000
Hi all,
On Tue, Jul 25, 2017 at 04:38:38PM +0200, Aris Lambrianidis wrote:
> We’re working on an updated draft to elaborate further on the valid
> path hiding concerns you raised, as well as describing a new
> transitive extended BGP community attribute, (instead of reusing the
> one described in RFC8097), based on Job Snijders’ offline comments.
I had some more dialogue with Aris off-list, and the following idea came up:
With the current approach as outlined in sidrops-route-server-rpki-light-02
I find the anonymous attestation "this is a valid route" problematic.
However if hints are provided which ASN made the claim, the idea of
well-known communities to signal observed states is perhaps less
problematic.
What if a "Transitive Four-Octet AS-Specific Extended Community Sub-Type"
is used and (route server) operators put their own ASN in the Global
Administrator field, and an integer signifying the observed state in the
Local Administrator field.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x02 | Sub-Type TBD | Global Administrator :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: Global Administrator (cont.) | validationstate |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
(validationstate: 0 = "valid", 1 = "not found", 2 = "invalid")
While i am still not entirely sold on the idea of "RPKI Light", this
approach would alleviate some of my concerns:
- As a transitive type, this community is allowed to cross EBGP
boundaries without causing controversy;
- by putting the attesting network's ASN in the Global Administrator
field, any users of the community will need to explicitly
configure their routing policy to match on those parameters, and
we can then reasonably expect them to scrub in the appropiate
places as well. This is a form of "opt-in".
Furthermore I think the draft's intended status should be adjusted
from "Standards track" to "Informational" (as is customary for most
well-known communities). Half of the "Transitive Four-Octet AS-Specific
Extended Community Sub-Types" space is FCFS anyway, so "Informational"
is sufficient to obtain a codepoint.
Thoughts?
Kind regards,
Job
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Thomas King
- [Sidrops] I-D Action: draft-ietf-sidrops-route-se… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Aris Lambrianidis
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Nick Hilliard
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Aris Lambrianidis
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Jakob Heitz (jheitz)
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Aris Lambrianidis
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rout… Randy Bush