IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 28 March 2023 04:59 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8CA9C14CE2B; Mon, 27 Mar 2023 21:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HU_H70_NoS_g; Mon, 27 Mar 2023 21:59:45 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on2070f.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d04::70f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21CC2C14CF1C; Mon, 27 Mar 2023 21:59:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XyUDFw963yuTFsNsrUZP6qYZZz9RBNHBL62msvdJfw6WhoaC4QUVVSwQDz3gm8RXAEuSdhze7Q6mj0xkxDZJbZJa5C5H3uH9XXMlpoamQ+wAHaTKgZ0CCec7iMZtic5RXsC/zEl5Iz76/OimNl7Y1hlNhEbicYvwQID5jLxtYwDv8Ry8euxf6eKWQaRfI1Punu84+qZNcUGaLLgyWL8Cj+doXz76y7SAbdqIZL3Q0Ewl/bKTq7h6/yZiP6dCetxI9yN0ehJI3ppk7XFBviDDC/8DraivOkVw6/iyneN7PRFol+uToKE+qcfb1zw1XvJpj9W2rs3rj1DPBjNCbWQpqw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yJVlvafpVC/vMSFBYIuiLbzz/pB30xiMxwOgihyyqpY=; b=Oz5iBV3zRyztdU5fXmeH8si1DdwxGrwTnc46vQvdOIe+3m/bdvZ+jEeN8c5l36mgWwSE10UGktQNQsmDkthVtCgVS+kPiGbg7OtvzQn8/Q75JBYotkia1Uq9ITVGxiz6Fe547aPxMT9Z6DOyr4QsHA7Iq8WbenCrmKEZQ13Pzkab0av9Q581Rl0ED89fqmSp/KSWNeYV6Y2VDa5YzKnhw4MzC0wn42RCPXhfGsy9n2u+5tXzRaPMxWFV3QH608mgdpe2CvEpa3LYuL3+DicR7aDk/MX7WlsduQCAAhln/L9L2kcbby+hZL6WdwYsZDZOG2m5EVDer342kn4voikFEg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yJVlvafpVC/vMSFBYIuiLbzz/pB30xiMxwOgihyyqpY=; b=E+DUX/1B1p3NlAzR7jheiFwEfGW9au5LV/aKODFn1jZoKapUjid1yP2O76tjiYKdTEM3ivEd0w+K/kvb8n00bHMLS0DO32+POAeatxgLxJg5yo0KVvqV4QhwJsKSeQ1KQJU8ynQ/S0g7+fYCyVLLgXQZDtMeiRM6LQkUqPGtjtrZHUJcYxYQgpKeM8Ndo9lBtRlOZM/Cw4mxQa9z0gFt1ejCgS/hxRXQNYyGtBJQEso29AxuAp58kqcF2VY4AbkcGYJpoEDZixdOlskuylnDtqvrBxf0Wgqw8/p2tW24oj8jCnny9F0Rxg0bjlN6C1tPiJMU3VZTbM+U8/0qxWKZ0A==
Received: from SA1PR09MB8142.namprd09.prod.outlook.com (2603:10b6:806:171::8) by SA1PR09MB9164.namprd09.prod.outlook.com (2603:10b6:806:282::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6222.30; Tue, 28 Mar 2023 04:59:40 +0000
Received: from SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::5a71:2eb6:5ff8:eb4f]) by SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::5a71:2eb6:5ff8:eb4f%7]) with mapi id 15.20.6222.033; Tue, 28 Mar 2023 04:59:40 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, "draft-ietf-sidrops-aspa-profile@ietf.org" <draft-ietf-sidrops-aspa-profile@ietf.org>
Thread-Topic: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
Thread-Index: AQHZUV6mxB5bPFSj10Ch+S0fYxNY/K77vemAgAuycmCAB0/JAIAA8bzMgAAMfvg=
Date: Tue, 28 Mar 2023 04:59:40 +0000
Message-ID: <SA1PR09MB81426E1BB66D6DF31860F26984889@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB814241245D01E81BADE3ED0884CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <31FDE1E9-3E87-4011-B65B-C6B3A264303F@vigilsec.com> <SA1PR09MB81427B4A1B126A5D1C1E289C84CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142E41F2D6B537BCAA758F384CC9@SA1PR09MB8142.namprd09.prod.outlook.com> <CAL9jLaYz3OhcwBBcVMqnUseBR9J1ZyktcJo5YLeefQHMoYJu+A@mail.gmail.com> <CAL9jLaZ7eDc+zbhapS8dTYQKnTfgLd=MOPYw97-qcJ4eP6S6Mg@mail.gmail.com> <CAL9jLaYJ4ODfumG9Yk3-yv=_TaTSUeD++U4sGy7S-0xWcGBQPw@mail.gmail.com> <ZBGqSVL9sSqnAiJc@diehard.n-r-g.com> <SA1PR09MB8142E9F71F250B83062C724884869@SA1PR09MB8142.namprd09.prod.outlook.com> <ZCGcYHJ9PyrjgR+V@diehard.n-r-g.com> <SA1PR09MB8142EA7F33880679E9B509D384889@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142EA7F33880679E9B509D384889@SA1PR09MB8142.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR09MB8142:EE_|SA1PR09MB9164:EE_
x-ms-office365-filtering-correlation-id: 0762171e-7516-4396-6afe-08db2f493d0b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 336RCAPX+qazw/9/KJn44/CzvOU9Jh9AktDGwx208CvVvEhPKbBbNZXgZ/uVztDIjSqQHFNfeNymTkOXqqpXRA5HijNHX4E3K9oZInTFb93G+MqlMD41fwRQwb8avQPfF1+OFwNZP0AbaBgPQ5fJt/2FWqgTwAKMKAg5aBPcJTsCsFbh7OJCdwnY7APpi+4I9oJLkDSnie4cYk5B1fIckjvN3Dp1EcMTxBuoBPDqg2HYhMLkJxq3A8SJKmtuPeWoLqWc558XtYWgllDtOrMY0DURbe6m+j50Bm7kRRk8iKGXrwDWVMOjl7u7xHsFzLjyEKfE0PZLvAtTuFy5MRWs10d222V/6BRgRzTuJT59iREJqOxndIEksv7JoVkixixn/hwhKhyUac2gvYExa+6zDUA8PrG9xq1w/X80DFpWomYHz++fhO/buzoJh3vX/Bv8tJZ8l3piK0gJMSq3kNVBHvMYtvL3PcpKt7oPfH4oskwKSJGTF9t/ctKUr/mfJmJRrUchvxR3Jngy/x+PjDC6IAt1BfCOQjXv6IbsEU6aduStROZtErIn4xTyN2eULEJaunygUbbGGZpFohLfqBTDxv6dJRT+1uSve7T6iNr49l0=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR09MB8142.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(366004)(451199021)(498600001)(8676002)(66446008)(64756008)(66476007)(76116006)(4326008)(6916009)(66946007)(91956017)(122000001)(8936002)(66556008)(5660300002)(82960400001)(186003)(52536014)(53546011)(9686003)(7696005)(71200400001)(54906003)(66574015)(966005)(83380400001)(2940100002)(6506007)(55016003)(38070700005)(86362001)(15650500001)(38100700002)(2906002)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: GzOyGPifbBbuM8aaBdpaK+jEi1kxiwJbl3m4lTHiK1y7UQa3z449iLRn/wqdSv1CwnMsat8ZfzHZMnwjXmUDNr3dBM4ndoKL0Caz4zZhxbd0M0/rLGVnTYusNerbwPVdtGxKbOa42XdkkapEXauhmUG4tJU7d7LF65p40QKd1sjw/PkdOYrLMv805sJjKGm2EY5bDwxochTijxz/KduiiRrA8ArWmjRQqyF7QDquoKcdeJ7wsm4GS2dz1sSDrleYvUWUWjz3n+6jnoqot+9yeyHg2ge48aFOwVMwfu1j/jGs+jWD1Jpv0jpGeL58vlYAn3QfBZ+LSIklDFhIdtv87syJQMrFOEH+OOb+VkiPGzq4MGHWgc0/n9kBkws9UahH67Q7hlL5b0rjJJwvWGM9XraLdxf7WBgk26j8ePNszYKM3iNynmooOUaGcf8dFsk1T54ZxAo6jsVIzkYQVjJWNzxZMO8xEQ9TRi/t213On34Y6333B7B5a3BnpWOFlRk84LjPlQV+3WYWTsBy54jNI39Qet08mGxlD9zO/pJLLfkgxSnfKNnsSQxYeDMGvIO8jMycqrKABpYPwcNfitb009AhyQocRHFAxrTtHELubWkPemrCUd1slcvrIoAWjqKZCXq7VXTejJz12xYC1g6sm7wNrpS8s1/Wu1wiIr6eH5FFEtoFRXI1bBELwVxMUnvVt51+TEUSCr23p3etQVKIuvDnlVBSHUyqoouLbeAz+FO/wSSl6gLNJX/F8a64fU94qdkU1bFl95gvNPYOE989iXRdKHw0RbNA0buuQZltzTTYhIHgk3hS5a+SpzlriFiOWTPoxl+L9RVOS3MTnxxqv+Qjn9h7pEtM/e4Bc/XYJPnfHdZpYDomTcggF16jphc56LX2Ti6EATgnz/k9bZSUnbdQB1A63MWy9Rb+Y/xi4V2FvJ90ZB9AE3kyP79hkjpXH+tLzZ89SneDcHdauPAKIprfpS/19ZzUd8n62xGpgE1uvkpD9JAlCD60cE+pLWePCnIk1oQWS9WBHWGM+W09QIbzQkaAxH4Cdg6Y1Z6ypPF5MDhxAUVZSwy4hT3VRvf9EIZ2yDDrgJANzARQ8qdNE5A5tbynyhmvzUUw4zZlm2XGLoqMnC951APNt//t8a92+4xqcYLlVXPOoJ/1hRRu6FqHVcDZMLAhkBsez5YY4nPOhmRP3ohwkKurMU+7JHOYvGo+C07EXcgq7/tZUGhSUqSIU/kLAOgKwCnr92qqfvQEW3du8LFV+lvF+vYMe5pFUfZAfnhCZBBiIizZwkQcJmP9aAW1cU6QUT1IxAuxL4KARR0XGkoNdlohgIYLCZK8LLYYAYqDeYeGCoxacT4uryBqxQyvMU5vCSYN8jWAENTYH75iKySIPkNH5Dka8ceayG94Yjz/KNmskIYvrnksZ8WiFK3xrw7fIN63rQACP1WcwADs9qDse601S6uCi0e0yo3f15KXxpY+rXlJbBqe1Y89y1zmcwnc87qBSUJI0vsMXp/aD1Bu7UQLZFMM80NwK8whx7ju4/+7Ywdns2JKbdtlx1pGA4+sanInbL9M8Z+Kr/gdnDDIlzBVeAQVD1QN
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR09MB8142.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0762171e-7516-4396-6afe-08db2f493d0b
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2023 04:59:40.6176 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR09MB9164
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/QEcBaIicIGlXRdq33io_Fv9sFLU>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 04:59:50 -0000

All: I just uploaded a revised draft version -13. All comments received in this thread have been carefully considered and changes incorporated as necessary.

Version-13:  https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/ 

Diff:  https://author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-12&url2=draft-ietf-sidrops-aspa-verification-13&difftype=--html 

Hi Claudio: I went with many of your suggestions below and earlier. It is easy enough to assume a single VAP-SPAS table even in the description in this doc. You should like what I did in the revised Sections 3, 4, and 5.

Igor: I addressed your discomfort with the earlier rosier description of the merits of ASPA verification in Section 8. I now systematically describe the key properties (mitigation capabilities) in Sec. 8 and the limitations are stated in Section 12. Hopefully, you'll find it accurate and more insightful.

Tim, Job, Martin, and others: Your comments/discussions relating to Sections 3 and 4 carefully considered and folded in.

Amir, Nan:  The changes promised are included.

Amreesh, Aftab, Yangyang: Please review the diff. You should find your comments addressed as well.

All: Please let me know if missed anything important.

Thanks to all who have kindly devoted time to reading and giving feedback.

Sriram

________________________________________
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Sent: Monday, March 27, 2023 7:08 PM
To: Sriram, Kotikalapudi (Fed)
Cc: Martin Hoffmann; sidrops@ietf.org; sidrops-chairs@ietf.org; draft-ietf-sidrops-aspa-verification@ietf.org; draft-ietf-sidrops-aspa-profile@ietf.org
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

On Wed, Mar 22, 2023 at 10:47:20PM +0000, Sriram, Kotikalapudi (Fed) wrote:
> Hi Claudio,
>
>
>
> Discussing one your earlier points (March 15) for now as below and this might address Martin's question also:
>
>
>
> >Section 5:
>
> >
>
> >More AFI nightmares in figure 1:
>
> >          "no Attestation" if AS(i)
>
> >          does not have ASPA (i.e., VAP)
>
> >          for mentioned AFI
>
>
>
> >Again there is no conept of an ASPA for mentioned AFI. So what does that mean? I already asked this question and did not get a reponse. So let me ask again:
>
>
>
> I think SPAS can distinguished as ASPA-SPAS (before X.509 validation) and VAP-SPAS (after X.509 validation). What we are interested in the above are the VAP-SPAS. The VAP-SPAS can be separated per {CAS, AFI} into:
>
>
>
> CAS, VAP-SPAS(AFI=1)
>
> CAS, VAP-SPAS(AFI=2)
>
>
>
> VAP-SPAS(AFI=1) and VAP-SPAS(AFI=2) are two sets created per CAS post X.509 validation of the ASPA(s).
>
>
>
> Now we can edit the above (what you quoted from Section 5) to read:
>
>
>
>           "no Attestation" if AS(i) has an empty VAP-SPAS(AFI) set
>
>
>
> >Consider the following ASPA entry:
>
> >            customerASID: 42
>
> >            ProviderASSet: [ { providerASID: 4242, afiLimit: 0001 } ] an ASPA entry for AS42 with a single provider AS4242 that is limited to IPv4.
>
> >
>
> >What is the result of hop(42, 4242, 2) and what about hop(42, 123, 2)?
>
> >
>
> >The specification is ambiguous in this case because both "Not Provider"
>
> >and "no Attestation" could be considered a valid outcome. Now my view is that the result MUST be
>
> >"Not Provider" since 42 has an ASPA record but this really needs to be clarified before this draft can pass WGLC.
>
>
>
> We can eliminate the above problem with this addition in Section 4:
>
>
>
> ASPA registration is REQUIRED for a compliant AS. The ASPA-SPAS for a
> CAS MUST list at least one providerASID for each allowed value  of the
> AFI (1 and 2), either implicitly (by not specifying the afiLimit) or
> explicitly. This includes the possibility of providerASID = 0 for one or
> both AFIs. For example, if a CAS X registers only the ASPA:
> [customerASID = X, {providerASID = Y,  afiLimit = 1}], that is not
> permitted because it leaves out AFI =2. Instead, if the CAS X registers
> ASPA: [customerASID = X, {providerASID = Y}], or ASPA: [customerASID =
> X, {providerASID = Y,  afiLimit = 1},  {providerASID = 0,  afiLimit =
> 2}], or ASPA: [customerASID = X, {providerASID = Y,  afiLimit = 1},
> {providerASID = Z,  afiLimit = 2}], any of those is permitted.
>
>
>
> With the above updated recommendation, maybe the objection about the
> ASPA RTR PDU per draft-ietf-sidrops-8210bis (Martin's question) also
> goes away... since if the separation of VAP-SPAS per {CAS, AFI} is
> performed at the RPKI cache, the router can benefit (avoid having to do
> the processing on the router).
>
>
>
> Your thoughts?
>

Right now both BGP-SRx nor OpenBGPD implement a single aspa table.
At least for OpenBGPD this was done to have a single, cache efficent and
extremly fast lookup function. Performance of ASPA is a big concern since
it must be applied to every path received.
The lookup table consists of many sources (static config and each RTR
session) data is merged and compiled into one lookup table.
Adding more work in that compile step has little impact on BGP performance
which is fine as long as the basic lookup still works.

The operational impact of AFI dependent ASPA objects was little discussed.
ASPA is already complex enough and unlike ROA validation the outcome
depends not only on a single resource. Also every AS may get different
outcomes because the view is different (downstream path).
So having to figure out why one path is accepted and another fails is
already complicated without doubling the pain with AFI=1 and AFI=2.
Having a disconnect between an ASPA object in RPKI and the resulting lookup
object in BGP makes this not easier.

Now your requirement that ASPA objects MUST cover both supported AFI is an
option but all RP software MUST follow that rule and discard badly encoded
ASPA objects (which they should anyway but people still like to argue
about this a lot). Also BGP router need to follow that rule and make sure
that RTR ASPA PDUs always come in couples.
So this needs to be explicitly mentioned in all three specifications.
Not sure in which document you want to alter Section 4. Right now I think
that in draft-ietf-sidrops-aspa-profile-12 section 4 needs to be extended,
in draft-ietf-sidrops-aspa-verification-12 section 3, 4 and 5 need some
adjustements and in draft-ietf-sidrops-8210bis-10 it would be good to
extend 5.12 a little bit.

Now if I understand you correctly a Valid ASPA Payload would always cover
both AFIs (since an object MUST list some value for both AFI). So your
suggestion above:
>           "no Attestation" if AS(i) has an empty VAP-SPAS(AFI) set
can be replaced with
>           "no Attestation" only if AS(i) has no CAS entry
since if one VAP-SPAS(AFI) set exists the other set MUST exist as well.

--
:wq Claudio

v2.23.0 | Report a Bug | By Email