IETF Logo Mail Archive

Re: [Sidrops] Which 8210-bis error code should be used?

"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Thu, 18 May 2023 17:13 UTC

Return-Path: <oliver.borchert@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B25EC14CEE3 for <sidrops@ietfa.amsl.com>; Thu, 18 May 2023 10:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhGjl_Zqr_lU for <sidrops@ietfa.amsl.com>; Thu, 18 May 2023 10:13:43 -0700 (PDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on20726.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d05::726]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AA27C15109A for <sidrops@ietf.org>; Thu, 18 May 2023 10:13:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mu/RgWRU9C7YxpKVVwDD31hmrQKzrNPg5hloeA/sGXh9h2PX/3FRfUpmz7s6oaMrK6v6aBvWgPVvNi/BOQYXtS4NOCHYugA7Q6PcjIDW5ei8ZULdSSGCEOa27xnzOWd7ejNrf1oEOPXe5iFYfnT3Ql9tPfEZKmkAX0SAGLzHRPXzYYHez7OqKbhMIcJdx6/1ikR7PGpnQgdFWdWbNZg5fb2xKuaxn5vgN4FwTAoHxgt8T58s8xRSfbGjJoQesCYHZK7Ngn6ZO2NaBkTuxLpeR87KsFa/Jy58z0Xt1BucXjYdOR62Pmody2rnI3Ki+G6OBvRIjChctZjUiGwJMDhyTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ihVTU7Ud89d9mFvXWx6OzAGaL2McTrfYQUu+PPr2ESE=; b=hU9vbOmh6WBmTUGpDAVjvd7mBQ8rnOCpjmL2yVboPbNYchxUmVlt0uGh67yPSsxcW0JI4qEAAegzdM0IV/X5/uxb3qjJnEOHY3liqDrfOs5IWVHzXhDgclTVpWytQJk09e4W/7lIFcENcTZWti4b2ra+H6g2omVo8X+yxBCiF4w5glR9E7kbaGsaTrG6AIrIyd0cILPbyBvSlEmnzjGiVMU1VYXAVDEg4tBHR4cY3iNFFjKgtIrfR5KY0r726ZG6FpgNACGd+39eYciofHC3UYht200luXsl6Q9p1ljEFFlZpb+LtMMX+oH3I9yp/8M6VltyvJUydjZeF8xeNuHY2Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ihVTU7Ud89d9mFvXWx6OzAGaL2McTrfYQUu+PPr2ESE=; b=UtWyaX7DCzHK0bbtV9vFiTNAAVqyW9DKw5e1b2/2Nto35nYh8gW9++4jX9FI41r9vONYoORDYhlhUF9fJafFARyErkk50MACIJfkFrFWS1T1rOKfSkM0m85AD3ZZ5uzG9C7YgczcTaHvDmZAQbFXNaicZ/ojPBjO2m6Ss53WsIUKRMjM3mw2jopfcLpr3TP5rYWbPpbvQ9wGS0xU8/FuckC0c4kiInnqOcQ/wnIsN9NJk9mcUxCpbH677yaDlNVcMW4dF7oNbOsNxHrmsfujIzRjX2Ie5TecDwsTq/7uU6lZhptVLpNbJtKX+7bfnIqxJcX7FsdygP8G3wTBXQp16w==
Received: from BLAPR09MB6322.namprd09.prod.outlook.com (2603:10b6:208:2af::22) by SA1PR09MB10053.namprd09.prod.outlook.com (2603:10b6:806:275::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6387.33; Thu, 18 May 2023 17:13:37 +0000
Received: from BLAPR09MB6322.namprd09.prod.outlook.com ([fe80::4cfd:5a22:71b0:3149]) by BLAPR09MB6322.namprd09.prod.outlook.com ([fe80::4cfd:5a22:71b0:3149%7]) with mapi id 15.20.6411.019; Thu, 18 May 2023 17:13:37 +0000
From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>, "Borchert, Oliver (Fed)" <oliver.borchert=40nist.gov@dmarc.ietf.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
Thread-Topic: [Sidrops] Which 8210-bis error code should be used?
Thread-Index: AQHZh2KgZ9Wt6dWEK0mqYTQIdTmM2a9fwL6AgABTrKk=
Date: Thu, 18 May 2023 17:13:12 +0000
Message-ID: <BLAPR09MB63222067540949CB3E978FA2987F9@BLAPR09MB6322.namprd09.prod.outlook.com>
References: <BLAPR09MB632225B977B3138A7E05793E98789@BLAPR09MB6322.namprd09.prod.outlook.com> <ZGXqH8CpCQ0IRFdh@diehard.n-r-g.com>
In-Reply-To: <ZGXqH8CpCQ0IRFdh@diehard.n-r-g.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BLAPR09MB6322:EE_|SA1PR09MB10053:EE_
x-ms-office365-filtering-correlation-id: 64c97ebc-3431-4a29-7437-08db57c337e0
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: fZsk0FDwLygqsUvcDW/x05lFRTbFTEvq2rXugZ+PS3YYNvc6oKNdetkzl5UZr2ojzJIO4XHWa0PA/IGeuF4No9xZAFM6xFljKpeKI/oIWGD6SNw2qqffQ5KoZ0pfvoGAzduIuUklVUXv8ePJeSSUL+JFoTbhruOAI4bNy4O+pWoTNV8P6iNJpsdGpZDQ5tzpJ5W6OJMvdm6pFlHG6Lcfg1b4je6yMw2sSxZpNkabmaNxvrtT/QTlrTb8jgujGulR49Z194Z33MVD4UMPLkdrP7WkNSlhn+9a/Pzrw094UF+DmAvY9s/EkmcKJ9Gf3ZdwHEr4FL193DN4qhnmAD/Pym3KY86JBC2zcXCxCdmgYDAHDgz1w1pJ+BVTkA8O4sq5co66mQ8r9CtapvKFG7WmUna/zun2UG47X8IWgtkaJe/GwZlTb4mAaB1bBAkNRhWdbcPW44FNK/2JirLmjOGsHATdVKrNKXJxm8W6ht7tl93YkpfzAQfe9NO2pB8XLgQPzsk/gfh4JbW15J5HzmW1SvO7bUS5qPKyP3yGYEOgGAtFd4uFxZdY1pOAdN6PzN77wHbnMnXUOnduNTIPQZie9uxrRwfy3COJxIM12k7kf30=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BLAPR09MB6322.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(366004)(451199021)(66899021)(7696005)(83380400001)(76116006)(66476007)(66446008)(64756008)(66946007)(45080400002)(66556008)(91956017)(110136005)(54906003)(966005)(38070700005)(33656002)(498600001)(4326008)(86362001)(186003)(66574015)(107886003)(9686003)(6506007)(53546011)(2906002)(8676002)(166002)(5660300002)(55016003)(71200400001)(8936002)(52536014)(6666004)(82960400001)(26005)(122000001)(38100700002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: W6MBFdLBjvfpbY/OlAIPWJFRQunuWC7B3tjBNyuUBSzNEgBFrRqyxwYXBXH4+KYA2PjH0OrVvZF3HpBvkJmGV4M2HbAy/oDeuqcooHf5JQGtxSlxhiAok0bnSN1uzGn7haXzbm+DQGHjeXiLZPb3klqT7jQ5JHa6ls/KDjUKU6+nqxbpJ7yM/fy7sa2e3fC7P2lMz2dJ/JpnTNSAtOD+xdjpId4GAGMtmePnSc9hev2aLfOkD48wAIc0LAZMtz2cYuM3sNnXmk+d+tUF2b6n77teKDRQ3d7OBFe+OJjG60/N/YW0JZley93SaxNZIbQ0jNYXavxNl+Lv8nNsZv6CaOcPP+ML8X0IMT6ss79kxa/z1uDKP4Yft/wm/v5x+DOXcX+qnfs/Cc9GhoHKsJVczbznz9j/LxfHQXKzjZqzTW59IVD2XpgGiRYpu2x6n3pd5+XsRJ4PJ2mMOgr0tGiyLdmtk6eZZnWpCao0uKRdrPlpOR13BdlwljaL+irlWOVdsq7rn0IUaNQttNMNCcCuHWJeSnpEub7Y6WKvLghw0mpZWOdVlv2r1fAXjcPDK16jKVKGawdgt/VWyAHZWYupU1GdwJplB5wZf1Rq8abc7U1M8mSTZQuZffY5Vd9ySaE9LLboLsLroEbGY5KuUNZhyQrcRDJjc3kdPWb18hnBAQ5csh+jJJOsnDgFcsmjBoFpYpjkUNzv6HknSLF1vcOt6jcyEtMZIdFsKp+QT+vtL2Y17VYIfaMcX2RhcWdGSJIAsvGgzPyg7cV7SryXpMIf73eGZ5n5jGEr+XCArZ+wesqMUOtEuToCHuK12kUDFB8V8ZEEkoCeVIKJ4cuiIi8D+hJvBo494jX2wjOuXM2w7+eYRDPgyVCxxb1zL+mGUN7x2FwnAYS48X6RbvHht+G8YgDa5XPlxwFZr6QznD54yzWysijE7OLmBPhlTemRSoZt/dIdQFWd6bIqTguxaBQV2NWxTXNEIzvJ9J6FtMUU54pMkaROOeDDknXMWJKnxLqMkmQ9PxvhGiRjE09meErAYLq2RgHRDHp6s5a132jausQ746uVQ800UOzKkXfeg+IjQHXqigKX00e+HHol8VsciO9vRHj/Y9OR3jXOU7WEp5BWI1ifDmAEWPtXTyaQM53pBGEI9z+uGY92jEsa74hmBF7T0fvSfu6PDQTgkAnbQru11b6+KRWwO2Kw/ORMCSSFJL0AO4IGIgKi7anMMF7G+iV1ikAZqri/wyu1podboZTcJcO43TwqJIhXQU9gv2H71orFIzCAbUUqt9LqciG8hU54KSm3zbV/dmJL0cMrLz8xyyHookFLUAbASDihAmuiD6vHmL8ou/1fap9aAd2TTHmnTm5TdgCnFHevvmvP+GzIFY1zLzdFHA+8hxshhMi25IWnhKjSy5zACJNWrp5mKCujQz8o6t2C+5n/UgqUCQBOQp9sP3IihbSmD9CK0iYl83emw7TywBoVMPyZaqvZOVZMS5Tse5JAYfo1CdNTqyhxVlejojG1meISlVVx7pdA8QiEnHz64yEYMeTVWLAx+88ga9wEfwGK/AEXxOZ3zmA=
Content-Type: multipart/alternative; boundary="_000_BLAPR09MB63222067540949CB3E978FA2987F9BLAPR09MB6322namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR09MB6322.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 64c97ebc-3431-4a29-7437-08db57c337e0
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 May 2023 17:13:37.0143 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR09MB10053
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/QjMxESUv8RSaBM4JDjguCkkebpM>
Subject: Re: [Sidrops] Which 8210-bis error code should be used?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2023 17:13:47 -0000

See inline for my comments

From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Date: Thursday, May 18, 2023 at 5:04 AM
To: Borchert, Oliver (Fed) <oliver.borchert=40nist.gov@dmarc.ietf.org>
Cc: sidrops@ietf.org <sidrops@ietf.org>, Borchert, Oliver (Fed) <oliver.borchert@nist.gov>
Subject: Re: [Sidrops] Which 8210-bis error code should be used?
On Wed, May 17, 2023 at 06:56:45PM +0000, Borchert, Oliver (Fed) wrote:
> All,
>
>
>
> When processing the ASPA PDU of https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-sidrops-8210bis-10&data=05%7C01%7Coliver.borchert%40nist.gov%7Cbe7158429bf94b8d969008db577ee823%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638199974800535960%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BXUnFJllutHaMWJhJmsqFIOa1PGaanhEKBv9cpLNn9E%3D&reserved=0<https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-8210bis-10>, the profile draft https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-sidrops-aspa-profile-13.txt&data=05%7C01%7Coliver.borchert%40nist.gov%7Cbe7158429bf94b8d969008db577ee823%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638199974800535960%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2F7RHLX%2FTWzNrGo%2Fk3LbsM4LlXCDpjsReBA%2BQHtmKsTs%3D&reserved=0<https://www.ietf.org/archive/id/draft-ietf-sidrops-aspa-profile-13.txt> and in particular Appendix A mentions that: “Note that two PDUs are always generated per Customer ASID: one with AFI Flags = IPv4 and one with AFI Flags = IPv6.”. This requires when using 8210bis to propagate the data to the router (client) that 2 separate PDU’s need to be generated because a single ASPA PDU only contains provider information for a single AFI.
>
> Question:
> =========
> What error code should I use when the router only receives in total one of them?
>
> The fact that the content for IPv4 and IPv6 are not in the same PDU might make this a possibility. I checked the error codes and at this point I only can think of error code 0.
>
> 0: Corrupt Data (fatal):
> The receiver believes the received PDU to be corrupt in a manner not specified by another error code.
>
> Though the received PDU is not corrupted, data is missing and should trigger an error.
> Would it make sense to add a new error code that deals with the missing ASPA PDU?
>
>
> Furthermore, this requirement does add additional workload on the router? The ASPA PDU’s for AFI=IPv4 and AFI=IPv6, let’s call them ASPA-PDU pairs for simplicity, might not be send in sequence, there is no requirement to do so and with the lack thereof, one should not expect it to. Maybe the cache processes first all AFI=IPv4 and then all AFI=IPv6 PDU’s. In this case the router needs to parse through all data it received to assure all ASPA-PDU pairs are accounted for.
>
> Now after the initial set of ASPA-PDU siblings were received, the AFI=IPv4 ASPA data changes for one ASPA object and therefore triggers the need for an update. Because both PDU’s were send already, only the AFI=IPv4 PDU needs to be generated. The AFI=IPv6 PDU remains the same and therefore no re-send is necessary. Here too, the router, in order to comply with the requirement listed in Appendix A of the profiles draft, must verify that all ASPA-PDU pairs do exist and throw an error if not.
>
> Should there be more wording in any of the drafts to address this situation?
>

All of this is covered by Section 4 of
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-sidrops-aspa-verification&data=05%7C01%7Coliver.borchert%40nist.gov%7Cbe7158429bf94b8d969008db577ee823%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638199974800535960%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LP%2BMoCBGS8xt24dO0GPMVZZTabsMk3%2FByRR3%2BwzGQLQ%3D&reserved=0<https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification>

    If, despite the above recommendations, the ASPA(s) of a CAS includes SPAS
    for one AFI but not for the other AFI (not even an AS 0), the ASPA SHALL
    NOT be rejected just for that reason. However, such an ASPA(s) will be
    presumed to imply that the CAS has no providers (equivalent to AS 0 SPAS)
    for the AFI that they neglected to include.

I don’t like it when drafts include implicit actions; that always leads to bad implementations, especially if implicit actions are expected to be taken.

I personally believe it is bad design to presume certain implications. Why not getting to the point and either use SHOULD or MUST. With SHOULD it makes it clear that there might be some implementations that follow the “or not” path and it means we need to have something in place that takes this case under account.
On the other hand, why being so shy and not demand what action is to be taken in the absence of an AFI and use a MUST. This reduces the change of unexpected behavior drastically.


So you should not error out if an AFI object is missing instead an implicit
AS 0 entry for the missing AFI should be inserted. How this is done is up
to the implementation.

Btw. the router needs to merge all ASPA data received from RTR sessions
and static config and at that point that rule has to be applied. It can
already be done for each source as well but be careful if you add implicit

elements they need to be removed when the ASPA object covering the other
AFI for that CAS is removed.

Reversing the implicit action from above, any single withdrawal of an ASPA PDU also results in the withdrawal of the PDU for the other AFI. And that should happen right away, otherwise it might not be possible to determine if the remaining PDU is just missing an AS0 PDU companion or if it is the leftover of a withdrawal of the other AFI PDU companion. Both would result in a different action to be taken.

Appendix B in https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-sidrops-aspa-profile&data=05%7C01%7Coliver.borchert%40nist.gov%7Cbe7158429bf94b8d969008db577ee823%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638199974800535960%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BzKNxjz67hgtnfpF77NKJyDPGxV0Nq26LvXY8ZKU1ag%3D&reserved=0<https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile>
tries to ensure that RTR cache servers provide full coverage so that the
ASPA objects at the router are always fully specified. This is good
practive but not a requirement in terms of a MUST clause.

I am very sorry to say but trying to ensure a behavior should at least include a should or SHOULD, otherwise means nothing. Even better is to use a “MUST” or don’t even bother.


I do not like how this is handled in this set of drafts. It is the number
one question that pops up over and over again.
--
:wq Claudio

I am completely in agreement with you on that point,

Oliver

v2.23.0 | Report a Bug | By Email