Re: [Sidrops] ASPA duplicates
Tim Bruijnzeels <tim@nlnetlabs.nl> Wed, 29 April 2020 12:26 UTC
Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A9063A0E15 for <sidrops@ietfa.amsl.com>; Wed, 29 Apr 2020 05:26:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2h_VfLvuMlkn for <sidrops@ietfa.amsl.com>; Wed, 29 Apr 2020 05:26:32 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E83C3A0E19 for <sidrops@ietf.org>; Wed, 29 Apr 2020 05:26:32 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:512c:a84e:aa06:4f21] (unknown [IPv6:2001:981:4b52:1:512c:a84e:aa06:4f21]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id C0E0821055; Wed, 29 Apr 2020 14:26:29 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1588163189; bh=87qfwGyg/f//qP3zWyVzYPIzHwK6Dxg0P40veMny7+8=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=zGB03VXkJF4hj8+IqcqNy+DKD+CKpOmrKutzqtEnXdf0yAowLLtLCP62R0Q2Ykw6n 1BPbEH+tNJDNWy2FpuPxBrM3f90yUB6Hfz2J+IwFrrWthJRW38Jv8CGhD41Wk58LPd 9TkK5851/YJpXhEHzh8iZ49jHhMgILLpIK6OKImk=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <d7858280-d86f-4517-a7df-26fc64d3e7f7@www.fastmail.com>
Date: Wed, 29 Apr 2020 14:26:29 +0200
Cc: Jay Borkenhagen <jayb@braeburn.org>, sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <12F90135-5597-490B-947F-F588C2ED3B48@nlnetlabs.nl>
References: <87pnbrspdr.wl-morrowc@ops-netman.net> <24232.24434.41224.396200@oz.mt.att.com> <d7858280-d86f-4517-a7df-26fc64d3e7f7@www.fastmail.com>
To: Job Snijders <job@sobornost.net>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/RtuOlGHy5C--0TCgsYzhotgOjd0>
Subject: Re: [Sidrops] ASPA duplicates
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 12:26:35 -0000
Hi, > On 28 Apr 2020, at 19:03, Job Snijders <job@sobornost.net> wrote: > > On Tue, Apr 28, 2020, at 18:53, Jay Borkenhagen wrote: >> The current ASPA Verification draft: >> >> https://tools.ietf.org/html/draft-ietf-sidrops-aspa-verification-04 >> >> .... says in Section 3 "For a selected Customer AS MAY exist only >> single ASPA object." >> >> I concur that an ASPA object should list every authorized upstream ASN >> to avoid possible race conditions, and as such it makes sense for only >> a single ASPA object to exist at any point in time. >> >> But how is that uniqueness to be ensured? What should RPs do if >> multiple validated ASPA objects are ever found to exist? > > Good question. What should it do? In my mind it's good to that CAs can create a single ASPA object for a customer ASN they hold for all their provider(*) ASNs. But, I think it may be better to cover that CAs SHOULD (or even MUST if you will) combine all provider ASNs on a single ASPA objects as a separate BCP, and leave a bit more flexibility in the profile and validation drafts. This makes it easier to change things, should we find that we need to change our minds on what is best. I don't think that RPs have to check whether the CA did indeed use a single ASPA object for a customer ASN. I think it should just validate all ASPA objects it finds, and build a list Verified Asn Relations <or insert alternate acronym here>. Furthermore, I think that 8210bis should then specify that the RP (cache) MUST exclude duplicates when sending these relations to routers. And veering a bit further into that document, I am not sure why those updates should be sent as a single PDU containing all current provider ASNs. I think it make sense to do the same as with ROAs where 'announcement' (add) or 'withdraw' VRPs (excluding duplicates) are sent over RTR. I read the comment about race conditions, but I don't see how this is an issue when such PDUs are sent as a typical exchange (section 8.2) between a Cache Response and End of Data PDUs. *) relations as defined in draft, not necessarily the business relation. > I expect such duplicates *will* exist if ASPA were to be deployed for real: in cases where an ASN is transferred from one RIR to another RIR and one wishes to make before break. Well in that case one would expect objects for the same customer ASN in different parts of the RPKI tree. But a similar issue could also come up if a parent issues the same ASN to multiple children. Which could be a working model if a large operation operates the same ASN globally, but has different teams managing it. In that case an organisation could chooses to run a delegated CA and issue certificates to child CAs in use by those teams. (I am not sure how likely this is, you have much more operational insight than I do, but it's definitely possible under the standards). In those cases any of those CAs can issue valid ASPA objects, and they should be combined as above. Furthermore, the security considerations (section 8) of the AS path verification draft can use some additional words to warn that this also means that any ASPA issuer can potentially invalidate other users of the same ASN if they exist. Maybe the idea of multiple parties operating the same ASN is ludicrous, but then I think it would be good to have words that discourage delegating the same ASN to multiple CAs, and similarly, discourage issuing ASPA for customer ASNs that are also delegated. Note that this issue is somewhat similar to ROAs for prefixes which are also (partially) delegated, or received by multiple organisations. > > Kind regards, > > Job > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] Updated Interim Meeting WebEx Link Chris Morrow
- [Sidrops] ASPA duplicates Jay Borkenhagen
- Re: [Sidrops] ASPA duplicates Job Snijders
- Re: [Sidrops] ASPA duplicates Tim Bruijnzeels
- Re: [Sidrops] ASPA duplicates Alexander Azimov
- Re: [Sidrops] ASPA duplicates rifqyhakimi
- Re: [Sidrops] ASPA duplicates Tim Bruijnzeels
- Re: [Sidrops] ASPA duplicates Randy Bush
- Re: [Sidrops] ASPA duplicates Tim Bruijnzeels
- Re: [Sidrops] ASPA duplicates Alexander Azimov
- Re: [Sidrops] ASPA duplicates Randy Bush