IETF Logo Mail Archive

Re: [Sidrops] [WG ADOPTION] draft-yan-sidrops-roa-considerations - 04/16/2021

Taiji Kimura <taiji-k@nic.ad.jp> Fri, 16 April 2021 17:41 UTC

Return-Path: <taiji-k@nic.ad.jp>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89E773A2DCD; Fri, 16 Apr 2021 10:41:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.ad.jp header.b=kU+Pbcvg; dkim=pass (1024-bit key) header.d=nic.ad.jp header.b=A0aN9ssz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bt6EDPOZS4jm; Fri, 16 Apr 2021 10:40:59 -0700 (PDT)
Received: from dist8.nic.ad.jp (dist8.nic.ad.jp [IPv6:2001:dc2:1000:2004::8]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 377103A2DCC; Fri, 16 Apr 2021 10:40:57 -0700 (PDT)
To: Chris Morrow <morrowc@ops-netman.net>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nic.ad.jp; s=nic; t=1618594854; bh=gy1zcc0v7gHkAalN0AuhWE9UWG24XCGz83ZWdEsOFdQ=; h=To:Cc:References:From:Subject:Date:In-Reply-To; b=kU+PbcvgTMcVinKgSgAiIOR6TGEcVOptPZgppHdlxnlrhwJvzDNF74pZ7Rkxq2Spk LxoVc0RIYZO/zx8yzP/rt/KJdZGdDnulWAteFxOdcu8tQNohvF/Po8Ai2RxJhS5gXI mz79JwZHFEBZBqY34vM2c5/mP30ff9lOza+BVmwI=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nic.ad.jp; s=nic; t=1618594853; bh=gy1zcc0v7gHkAalN0AuhWE9UWG24XCGz83ZWdEsOFdQ=; h=To:Cc:References:From:Subject:Date:In-Reply-To; b=A0aN9ssz65GFpV5lT6dLS4I5ZAyvceGHdR/uaS5Rqijx9xHVYMI356ssQ2OGjqQ8K +yHOra53Voiy4TpkmNLEjVdNksYTQWY6lHbf5r7597Jb6fg1UiCKBSseAB+g34gsjs YXPrG8PvH0OjfPxL0rdkpSZkvZBSBQxszkba++gU=
Cc: SIDROps Chairs <sidrops-chairs@ietf.org>, sidrops@ietf.org, sidrops-ads@ietf.org, Tim Bruijnzeels <tim@nlnetlabs.nl>
References: <87lfa94xyj.wl-morrowc@ops-netman.net> <67F48899-3B77-4722-B467-F73D50DF1006@nlnetlabs.nl>
From: Taiji Kimura <taiji-k@nic.ad.jp>
Message-ID: <3d723c7a-6e36-7333-560b-799e51d528e5@nic.ad.jp>
Date: Sat, 17 Apr 2021 02:40:51 +0900
MIME-Version: 1.0
In-Reply-To: <67F48899-3B77-4722-B467-F73D50DF1006@nlnetlabs.nl>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/OO2qZzV832aAq47khFsnmrciHd8>
Subject: Re: [Sidrops] [WG ADOPTION] draft-yan-sidrops-roa-considerations - 04/16/2021
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2021 17:41:06 -0000

Hi,

Tim's points sound to me.

I support adoption to discuss further on avoiding complexity
on processing ROA.

 -- kimura taiji

On 2021/03/29 23:06, Tim Bruijnzeels wrote:
> Hi,
> 
> I am not sure yet whether this should be a separate RFC in the end, or that this should be considered with other BCP work. But I support adoption so this can be discussed more thoroughly.
> 
> I have a number of comments / requests for clarity, most importantly:
> 
> = revocation?
> 
>    A large number of experiments for the process of ROA issuance have
>    been made on our RPKI testbed, it is found that the misconfigurations
>    during the issuance may cause the ROAs which have been issued to be
>    revoked.
> 
> I don't see how the ROAs would be revoked in this context. I think the problem is that ROAs which contain multiple prefixes can become invalid if one of the prefixes is lost by the issuing CA and the ROA is seen to 'over-claim'.
> 
> I.e. the problem that I see is fate-sharing. This has been discussed in the past and the advice - in general - was to issue ROAs on a per prefix basis if possible. Unless of course, as the authors also say, this would result in 100s of ROAs. There is a tradeoff to be considered.
> 
> 
> = analysis
> 
> It looks like an analysis was included in version -02 but has since been removed.
> 
> For the analysis I would like to raise that multi-prefix ROAs are not always a problem. The issue (that I see) arises when a parent shrinks a CA certificate before the child CA realizes this. This is an issue for remote children using RFC 6492 - they may find that the parent has already shrunk their certificate.
> 
> However, for hosted CAs where the parent and children live in the same system it is achievable to make sure that child CAs re-issue ROAs in advance of the parent re-issuing their CA certificate. So, the problem may never come up there. Meaning that just the occurrence of multi-prefix ROAs in such system is not necessarily an issue.
> 
> = redundant transmission?
> 
> From the document:
> 
>    That is to say, the update of the ROA containing multiple
>    IP address prefixes will lead to redundant transmission between RP
>    and BGP routers
> 
> I am not sure what the authors mean here. The RTR protocol is based on validated ROA prefixes (VRPs) (section 5.6/5.7 of RFC 8210). If there are ROA objects with many prefixes, then replacing those ROAs does not necessarily result in a lot of churn to the routers. Meaning if a ROA is replaced then only the difference in VRPs is sent to the router.
> 
> 
> Kind regards,
> Tim
> 
> 
> 
> 
>> On 26 Mar 2021, at 18:38, Chris Morrow <morrowc@ops-netman.net> wrote:
>>
>>
>> Howdy WG Folken,
>> The authors of:
>>  https://datatracker.ietf.org/doc/html/draft-yan-sidrops-roa-considerations
>>
>> had asked a while ago (probably 5 revisions ago :( ) for WG Adoption
>> of their draft. The draft abstract is:
>>
>>  "The address space holder needs to issue an ROA object when it
>>   authorizes one or more ASes to originate routes to multiple prefixes.
>>   During the process of ROA issuance, the address space holder needs to
>>   specify an origin AS for a list of IP prefixes.  Besides, the address
>>   space holder has a free choice to put multiple prefixes into a single
>>   ROA or issue separate ROAs for each prefix based on the current
>>   specification.  This memo analyzes and presents some operational
>>   problems which may be caused by the misconfigurations of ROAs
>>   containing multiple IP prefixes.  Some suggestions and considerations
>>   also have been proposed."
>>
>> a) Please consider this a WG Call for Adoption of this draft.
>>
>> 2) Please take a few moments to read the ~5 page draft and send along comments/
>> questions/complaints(in the form of fixed text) to the authors.
>>
>> iii) this call expires 04/16/2021 - April 16 2021
>>
>> Thanks!
>> -chris
>> wg-chair-persona
>>
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>

v2.23.0 | Report a Bug | By Email