Re: [Sidrops] WG-ADOPTION: draft-borchert-sidrops-rpki-state-unverified-01 - ENDS: 2019-03-12 (mar 12)

"Montgomery, Douglas (Fed)" <dougm@nist.gov> Wed, 27 February 2019 22:18 UTC

To: Russ Housley <housley@vigilsec.com>, Jeffrey Haas <jhaas@pfrc.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/P0go8H4ZMCpeSot-rHtpMrq8ZeY>

Examine the iBGP peer that you thought you configured to do origin validation and determine why it is unable to.

We envisioned this being useful in scenarios such as: you have enabled BGP Origin Validation on a router that has lost all connections to its validating caches. At the moment we can't tell administratively disabled from enabled, but failed in some manner. We see some value in being able to diagnose that.

Keep in mind, most of the FUD in this space comes from the fear that operators will not be able to diagnose why routes are/are not being filtered. This theme came up a lot in the meeting before NANOG.

Not the subject of this draft, but the concept of being able to tell if your iBGP peer actually performed validation will be even more useful in BGPSec, but that is for another draft.

dougm
-- 
DougM at NIST
 

On 2/27/19, 5:09 PM, "Sidrops on behalf of Russ Housley" <sidrops-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:

    Jeff:
    
    >> This seems to be a proposal for documenting why the marking is something other than valid or invalid.  I can see why a researcher might care about those differences, but I cannot see how an operator would make use of it.  I do not think we should add complexity.
    > 
    > I likely should write more text, but very simply some operators want easy
    > ways to mark that a system that should be expected to do validation has not
    > done so.  The existing tri-state (valid, invalid, not-found) doesn't cover
    > this.
    
    Please write a little bit more.  What action would be taken in the unverified state that is different from the action taken in the not-found state?
    
    Russ
    