IETF Logo Mail Archive

Re: [Sidrops] [GROW] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt

Marco Marzetti <marco@lamehost.it> Tue, 17 January 2017 14:05 UTC

Return-Path: <marco@lamehost.it>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5D7312946D for <sidrops@ietfa.amsl.com>; Tue, 17 Jan 2017 06:05:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lamehost-it.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLVIIsQtMEzL for <sidrops@ietfa.amsl.com>; Tue, 17 Jan 2017 06:05:22 -0800 (PST)
Received: from mail-ua0-x231.google.com (mail-ua0-x231.google.com [IPv6:2607:f8b0:400c:c08::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FE2C129461 for <sidrops@ietf.org>; Tue, 17 Jan 2017 06:05:22 -0800 (PST)
Received: by mail-ua0-x231.google.com with SMTP id y9so103681789uae.2 for <sidrops@ietf.org>; Tue, 17 Jan 2017 06:05:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lamehost-it.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cdxlUU3n+m7HuoFnDvl9Z65rN962vG8ZW+8fV5gy7Bs=; b=CvmY+Dj7497jnMB58hZ5Jnn4SmjdFtxC7V/+wip+y/OUAMBR8qYmsKXq9MEbctBSW7 NHSsBKrPl7BJNcQxBQpmvyfCklwvqbgxSqWgGLRIEuwFZ9mDK0HarHhr9WGzIfA9OdZ6 NWRvBXb/9dSEc/zQffUdWpFCcNjzVhXSUqgT2QGVjdr1yVIuqNPI0u7deHzOJkZJ6r8D dHmKBwXWy9BCQhuP3QN689uV1j9Xmu0+VnTui+DyLnREWNIjjfCKGuYrxTsdq4cbARAu p/1XnBCbqTVG+5J5DhX6JY/bXePqwayzB1KnU8q3oJmsg2/XlTixotOj+fXZPS+SwuEQ GRqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cdxlUU3n+m7HuoFnDvl9Z65rN962vG8ZW+8fV5gy7Bs=; b=YpxaqObfA/1zN69thNxd5f7bJbFWmonAHCJ6e2r4UBfpBi1+ZASCzDpiGUWnnxQ1qZ +Fj/4yimXWAs9X0Pf4vPj2Rkw9AFbESaPB8n1kn+qPKA7KADj/veS/g24nm+1hRX+HaP FL4BuXGSZFTh3cC4ws2nH5m3iAI1ns4YTcJm63vQotU1Dwt+zEtChUYe+Hwrr27u8CaP qxOE8BUNE+V8VJLrP93jrm17I8VKxQIdFB83w35wHfXkcdh68BPrjO4ZEnOqWt2ICjmc f2utkdQPwutB/oSiSkANOUojrMUcvm+OxBmcKeNz+2m1h2rTMF9r4FGtRS13jPAeQl74 jp3w==
X-Gm-Message-State: AIkVDXJZxXweFxn5l8FLLtpxNekmV+Mlacx2hE2JC/gmf7zJej465/bRo6uwB+/CgnEq6b9drKdlLhVBmEKDfA==
X-Received: by 10.176.76.154 with SMTP id y26mr40949uaf.41.1484661921116; Tue, 17 Jan 2017 06:05:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.52.214 with HTTP; Tue, 17 Jan 2017 06:05:20 -0800 (PST)
X-Originating-IP: [95.252.41.226]
In-Reply-To: <329500bc-d283-bf93-d6a6-79a0dae6e284@bogus.com>
References: <148433210469.9788.12815016683609966013.idtracker@ietfa.amsl.com> <20170113184009.GC1055@Vurt.local> <7C35D47D-6605-4D6D-A97E-BD7139F36DBA@gmail.com> <7f08f967-247e-4060-b643-52bc45d8ab29@Spark> <1E278B10-A5BF-40BE-95C4-7A9B6AF6C817@gmail.com> <c55845cc-ca06-45c8-9b2e-075421d0447c@Spark> <m2lgueejxr.wl-randy@psg.com> <CAO367rX1jjOdenqgouzbTRBfeaWz+TFoUjGFJVtUr9tifwAw3g@mail.gmail.com> <20a8eefe-06e5-e1c9-04f8-3c4a66bc38f1@bogus.com> <CAO367rWdDkG7f7eF+FPj9VONsajZHYjTk7cEpWsxQKR1V9dnWw@mail.gmail.com> <44b83365-8ada-4e35-e485-885caa150f44@bogus.com> <CAO367rW7pGpK1y8EMBg7oWTx-Sz0N8EtBHqNupkhj5ECKmzCag@mail.gmail.com> <329500bc-d283-bf93-d6a6-79a0dae6e284@bogus.com>
From: Marco Marzetti <marco@lamehost.it>
Date: Tue, 17 Jan 2017 15:05:20 +0100
Message-ID: <CAO367rXeGTpnfsw7+eLco9pbjEL-tQvS53xsTapnw0d5Bjs_5w@mail.gmail.com>
To: joel jaeggli <joelja@bogus.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Q1k-rkbJ64MxqsQDyHpRDhqNZwA>
Cc: Randy Bush <randy@psg.com>, sidrops@ietf.org, GMO Crops <grow@ietf.org>, Job Snijders <job@ntt.net>
Subject: Re: [Sidrops] [GROW] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2017 14:05:31 -0000

On Tue, Jan 17, 2017 at 12:10 AM, joel jaeggli <joelja@bogus.com> wrote:
> On 1/15/17 6:35 AM, Marco Marzetti wrote:
>> On Sat, Jan 14, 2017 at 9:10 PM, joel jaeggli <joelja@bogus.com> wrote:
>>> On 1/14/17 3:58 AM, Marco Marzetti wrote:
>>>> Joel,
>>>>
>>>> So you don't want your upstreams to honor RPKI just because they're
>>>> 3rd parties between you and the other end?
>>>
>>> An ixp route-server is not a transit provider, all of the nexthops
>>> exposed are in fact peers. So no I do not consider such a  device an
>>> "upstream" it exists to service the policy needs of the peers on the
>>> fabric  rather than that of the exchange operator.
>>>
>>
>> You can easily do the same in transit providers by disabling next-hop-self.
>
> Nope, The router expressing nexthop self retains the available nexthops.
> Under no circumstance is the router-server in the forwarding path, were
> it, the route-server would be an upstream.
>

That;s correct.
But is the specific device really relevant?

I mean: you send your traffic to another network's forwarding plane.
Do you really care about the role of the devices your packets pass through?

>>
>>> I would  expect that a ixp route server that had a state policy of
>>> validating rpki would not propagate invalid routes.
>>>
>>>> In the context of IXPs: instead of peering with the RS you should
>>>> setup direct sessions with your partners if you really want to do
>>>> prefix/path validation by yourself.
>
> Consider the case where the invalid route masks an valid but longer path
> from being advertised via the route server as the best path. in that
> case the validating route-server is facilitating a prefix hijacking
> which it would not have, had it discarded the route. You might argue
> that this is no worse than not validating, however I think that is a
> somewhat dubious point given that the rib on the route-server would show
> otherwise.
>

I argue that the same could happen with transit and we would consider it legit.
Why?

>>> No, I setup bilateral peering arrangements because they actually load
>>> balance to my multiple ports, because the loci of control is
>>> unambiguous, because it facilitates greatly build per session prefix
>>> filters, and because they converge the control and forwarding path,
>>> which has a tendency to fail much more gracefully in the face of l2
>>> failures in distributed exchange fabric designs then does the route-server.
>>>
>>
>> Aren't we saying the same thing?
>> Bilateral peering brings more control over what you send and receive.
>
> we have a similar concurrence respecting the advantages. We appear to
> differ on whether the route server offering a feature or not confers a
> similar outcome.
>
>> I just take an additional step and say that RPKI should be part of the
>> default decision process of RSs
>
> To confer the advantage you need to not allow invalid routes into your
> best path selection processing.
>

Again, I really do think that the same logic of transit applies here.

Regards


-- 
Marco

v2.23.0 | Report a Bug | By Email