Re: [Sidrops] ASPA duplicates

rifqyhakimi@stei.itb.ac.id Sat, 02 May 2020 21:02 UTC

Return-Path: <rifqyhakimi@stei.itb.ac.id>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A95483A00D4 for <sidrops@ietfa.amsl.com>; Sat, 2 May 2020 14:02:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.487
X-Spam-Level:
X-Spam-Status: No, score=0.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, MISSING_MIMEOLE=1.899, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9F_TFpwTGgbi for <sidrops@ietfa.amsl.com>; Sat, 2 May 2020 14:02:34 -0700 (PDT)
Received: from yudhisthira.itb.ac.id (yudhisthira.itb.ac.id [167.205.1.122]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A34F3A00D3 for <sidrops@ietf.org>; Sat, 2 May 2020 14:02:33 -0700 (PDT)
X-ASG-Debug-ID: 1588453347-0ef5d76b17209f170001-0d23Qc
Received: from mx6.itb.ac.id (mx6.itb.ac.id [167.205.23.26]) by yudhisthira.itb.ac.id with ESMTP id TuNWefy9OXmfsDjT; Sun, 03 May 2020 04:02:27 +0700 (WIB)
X-Barracuda-Envelope-From: rifqyhakimi@stei.itb.ac.id
X-Barracuda-Effective-Source-IP: mx6.itb.ac.id[167.205.23.26]
X-Barracuda-Apparent-Source-IP: 167.205.23.26
Received: from [192.168.1.2] (unknown [202.151.12.191]) (Authenticated sender: rifqyhakimi@itb.ac.id) by mx6.itb.ac.id (Postfix) with ESMTPSA id 49F1ll1sKLz23yS; Sun, 3 May 2020 04:02:27 +0700 (WIB)
Date: Sun, 03 May 2020 04:02:24 +0700
Message-ID: <64da0db8-9f23-4ce4-b870-b99066e50eb6@email.android.com>
X-ASG-Orig-Subj: Re: [Sidrops] ASPA duplicates
X-Android-Message-ID: <64da0db8-9f23-4ce4-b870-b99066e50eb6@email.android.com>
In-Reply-To: <CAEGSd=CUJ9WEUAtgdbghgbCWd6xW_KLr4_pCoWAAen_j+iW-iA@mail.gmail.com>
From: rifqyhakimi@stei.itb.ac.id
To: Alexander Azimov <a.e.azimov@gmail.com>
Cc: Tim Bruijnzeels <tim@nlnetlabs.nl>, Job Snijders <job@sobornost.net>, Jay Borkenhagen <jayb@braeburn.org>, SIDR Operations WG <sidrops@ietf.org>
Importance: Normal
X-Priority: 3
X-MSMail-Priority: Normal
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
X-Barracuda-Connect: mx6.itb.ac.id[167.205.23.26]
X-Barracuda-Start-Time: 1588453347
X-Barracuda-URL: https://167.205.1.122:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at itb.ac.id
X-Barracuda-Scan-Msg-Size: 9072
X-Barracuda-BRTS-Status: 1
X-Barracuda-Bayes: SPAM GLOBAL 0.9998 1.0000 4.3405
X-Barracuda-Spam-Score: 4.34
X-Barracuda-Spam-Status: No, SCORE=4.34 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=HTML_MESSAGE, MIME_HTML_ONLY, MISSING_MIMEOLE, NO_REAL_NAME
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.81583 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.00 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.00 NO_REAL_NAME From: does not include a real name 0.00 HTML_MESSAGE BODY: HTML included in message 0.00 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/OuTzmUzfIu3I4dh5iqfZ8d8OxbQ>
Subject: Re: [Sidrops] ASPA duplicates
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 May 2020 21:02:37 -0000

Mmb  

Sent from Android device

On 3 May 2020 01:39, Alexander Azimov <a.e.azimov@gmail.com> wrote:
Thank you all for comments.

First of all, I'd like to address the reasons for that change at the side of RTR.

And the comparison with ROA is important. The RTR documents don't say that "you MUST apply diff after receiving EOD", instead it is applied incrementally. So, the race in the updates for selected address space may invalidate the correct routes. One may say that finally, all data will become consistent and the router will make a proper marking. Unfortunately, it's not true for two reasons:
  • You never know when all data will arrive, there may be every kind of network issues between cache and router (and it's TCP after all);
  • Even if all updates finally arrives some routing software will keep the result of original verification. I'm not sure how it is covered with RFC, but I know that such implementations exist.
As a result, we may end with hard to debug prefix propagation issues. These race conditions are partially addressed in the RFC8210bis by adding order to the ROA updates - from more specific to less specific routes. It solves the problem with less specifics, but issues for prefixes that have multiple records may still exist.

In the ASPA, we are trying to prevent race conditions from happening. And the easiest way is to guarantee the atomicity of updates for each key-value pair. In our cases - to pack all ASPA records for the selected customer AS into one PDU. I hope this will make clear the motivation why ASPA PDU is different from what we have now for ROA. Btw, I will vote to update ROA too (and the update of RTR is a good time for such change, there is no requirement for compatibility between versions).

The way new ASPA records are issued and the way they are received by RTR (rsync?) is another place for race conditions. And it seems native to guarantee consistency the same way - making a single ASPA object, thus preventing possible misconfigurations.

Now the question - what should be done if RTR cache receives multiple RTR records for ASPA? Let's discuss possible scenarios:
  • There is misfunction at the level of RPKI software that issued records;
If we face a bug in the hosting RPKI software it should be gracefully processed, without effect on operations.
  • Tim's example with administrative domain splitting;
The administrative domain splitting in RPKI doesn't seem to be a good idea, it significantly increases chances to get in the state with a partial set of customer-providers pairs with hardly predictable outcomes.  
  • Transfer between RIRs.
And the last seems to be on the same board - such semistate isn't safe, and one should keep one record at any point in time.

Keeping in mind that the absence of ASPA record is less dangerous then inconsistent state my thinking is that if RPKI cache receives multiple ASPA records for selected customers AS it should ignore all of them. IMO looks like a fair good compromise: prevent race conditions and also do not have an effect on operations if something goes wrong.


ср, 29 апр. 2020 г. в 15:26, Tim Bruijnzeels <tim@nlnetlabs.nl>:
Hi,

> On 28 Apr 2020, at 19:03, Job Snijders <job@sobornost.net> wrote:
>
> On Tue, Apr 28, 2020, at 18:53, Jay Borkenhagen wrote:
>> The current ASPA Verification draft:
>>
>> https://tools.ietf.org/html/draft-ietf-sidrops-aspa-verification-04" rel="nofollow">https://tools.ietf.org/html/draft-ietf-sidrops-aspa-verification-04
>>
>> .... says in Section 3 "For a selected Customer AS MAY exist only
>> single ASPA object."
>>
>> I concur that an ASPA object should list every authorized upstream ASN
>> to avoid possible race conditions, and as such it makes sense for only
>> a single ASPA object to exist at any point in time.
>>
>> But how is that uniqueness to be ensured?  What should RPs do if
>> multiple validated ASPA objects are ever found to exist?
>
> Good question. What should it do?

In my mind it's good to that CAs can create a single ASPA object for a customer ASN they hold for all their provider(*) ASNs.

But, I think it may be better to cover that CAs SHOULD (or even MUST if you will) combine all provider ASNs on a single ASPA objects as a separate BCP, and leave a bit more flexibility in the profile and validation drafts. This makes it easier to change things, should we find that we need to change our minds on what is best.

I don't think that RPs have to check whether the CA did indeed use a single ASPA object for a customer ASN. I think it should just validate all ASPA objects it finds, and build a list Verified Asn Relations <or insert alternate acronym here>. Furthermore, I think that  8210bis should then specify that the RP (cache) MUST exclude duplicates when sending these relations to routers.

And veering a bit further into that document, I am not sure why those updates should be sent as a single PDU containing all current provider ASNs. I think it make sense to do the same as with ROAs where 'announcement' (add) or 'withdraw' VRPs (excluding duplicates) are sent over RTR. I read the comment about race conditions, but I don't see how this is an issue when such PDUs are sent as a typical exchange (section 8.2) between a Cache Response and End of Data PDUs.

*) relations as defined in draft, not necessarily the business relation.

> I expect such duplicates *will* exist if ASPA were to be deployed for real: in cases where an ASN is transferred from one RIR to another RIR and one wishes to make before break.

Well in that case one would expect objects for the same customer ASN in different parts of the RPKI tree.

But a similar issue could also come up if a parent issues the same ASN to multiple children. Which could be a working model if a large operation operates the same ASN globally, but has different teams managing it. In that case an organisation could chooses to run a delegated CA and issue certificates to child CAs in use by those teams. (I am not sure how likely this is, you have much more operational insight than I do, but it's definitely possible under the standards).

In those cases any of those CAs can issue valid ASPA objects, and they should be combined as above.

Furthermore, the security considerations (section 8) of the AS path verification draft can use some additional words to warn that this also means that any ASPA issuer can potentially invalidate other users of the same ASN if they exist.

Maybe the idea of multiple parties operating the same ASN is ludicrous, but then I think it would be good to have words that discourage delegating the same ASN to multiple CAs, and similarly, discourage issuing ASPA for customer ASNs that are also delegated.

Note that this issue is somewhat similar to ROAs for prefixes which are also (partially) delegated, or received by multiple organisations.




>
> Kind regards,
>
> Job
>
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops" rel="nofollow">https://www.ietf.org/mailman/listinfo/sidrops

_______________________________________________
Sidrops mailing list
Sidrops@ietf.org
https://www.ietf.org/mailman/listinfo/sidrops" rel="nofollow">https://www.ietf.org/mailman/listinfo/sidrops


--
Best regards,
Alexander Azimov