Re: [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-validation-signaling-05

Job Snijders <job@ntt.net> Mon, 07 December 2020 20:54 UTC

Return-Path: <job@ntt.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 195C73A0A0B for <sidrops@ietfa.amsl.com>; Mon, 7 Dec 2020 12:54:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yo9rYNJQKLph for <sidrops@ietfa.amsl.com>; Mon, 7 Dec 2020 12:54:07 -0800 (PST)
Received: from mail4.sttlwa01.us.to.gin.ntt.net (mail4.sttlwa01.us.to.gin.ntt.net [IPv6:2001:418:3ff:110::40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 539733A09D6 for <sidrops@ietf.org>; Mon, 7 Dec 2020 12:54:07 -0800 (PST)
Received: from bench.sobornost.net (mieli.sobornost.net [45.138.228.4]) by mail4.sttlwa01.us.to.gin.ntt.net (Postfix) with ESMTPSA id 59A96220375; Mon, 7 Dec 2020 20:54:05 +0000 (UTC)
Received: from localhost (bench.sobornost.net [local]) by bench.sobornost.net (OpenSMTPD) with ESMTPA id 147ae914; Mon, 7 Dec 2020 20:54:03 +0000 (UTC)
Date: Mon, 7 Dec 2020 20:54:03 +0000
From: Job Snijders <job@ntt.net>
To: Keyur Patel <keyur@arrcus.com>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Message-ID: <X86Wa3Lf37GjF5Dq@bench.sobornost.net>
References: <CB44F630-69CB-4F07-840B-6B4482C27632@arrcus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CB44F630-69CB-4F07-840B-6B4482C27632@arrcus.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/T8_r_UUQ75uWBcgz3DVYwW-iwcw>
Subject: Re: [Sidrops] Closed -- [WGLC] draft-sidrops-bgpsec-validation-signaling-05
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 20:54:09 -0000

Dear Keyur,

On Mon, Dec 07, 2020 at 06:58:16PM +0000, Keyur Patel wrote:
> This working group last call is closed. Authors have already
> incorporated relevant feedback received during the last call and at
> this point the draft is ready to progress further. Accordingly we will
> prepare a report and forward it to IESG.

I really think this is a draft where it will proof to be useful to ask
for an implementation report from *at least two* implementations,
demonstrating interopability between the two implementations.

In this (lengthy, sorry!) email https://mailarchive.ietf.org/arch/msg/sidrops/5-sFl3RCzn7xQ0YFOD31C56Ko4o/
I tried to outline various problems I perceive with the draft in its
current form, Oliver replied to all text, but zero changes were made to
the document as he disagreed on all points of substance.

Oliver claims to have an open source implementation, (which I am happy
to believe!), and perhaps there is another implementation written by
someone else? Has it been tested how they interact with each other in
various configurations?

If there is a second implementation, the working group can confirm
whether the proposed Internet-Draft text, Oliver's implementation, and
the second different implementation are aligned with each other and
behave in exactly the way outlined in the document. An implementation
report can be as simple as listing all IETF normative terms contained
in draft, the line number, and a short comment whether the
implementation is compliant (MUST), or an implementation specific choice
was made (MAY), or anything else of note.

Specifically in this draft, I really see potential for a repeat of the
'IOS XE / origin validated extended communities'-problem that many
operators suffered from when they tried to deploy RPKI Origin Validation
in the BGP default-free zone, and I do not wish a similar repeat of
events upon the BGPSec technology stack!

Here is one of many references to the 'standardized' extended rpki
origin validation communities causing issues in networks build using
multiple BGP implementations, here is one mail thread. This was/is a
multi-year problem because of the slow upgrade cycle of field-deployed
routers: https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg67710.html

I think there is some kind of technology stack layering problem when the
state of a route can be manipulated through multiple channels. In this
case (1) signaled via BGP community and (2) via signalled via
RPKI-To-Router protocol, it can lead to problems for resource holders
who are trying to use BGPSec, because there can be situations where
their wishes are not expressed in the state of the network because of
interference of an unauthenticated BGP communitiy. 

So far I think some of us (perhaps myself included) have been too
focussed mostly on the security aspect (and of course everyone knowns 
extended BGP communities are not authenticated), but perhaps the
*security* aspect of it is not the real problem, the real problem might
be how an accidental misimplementation of draft-sidrops-bgpsec-validation-signaling-05
can lead to operators having to turn the feature off in the entire fleet
of devices, or roll back the software (be forced to keep running some
unwanted version).

If you ask anyone in the field about RFC 8097, virtually no operator
will tell you that RFC 8097 in any way helped them deploy RPKI Origin
Validation at scale (where scale is 100s of routers, multi-country
network, multiple vendors). What you *will* hear is that there were
interopability issues caused by the very existence of the RFC that
caused many people extra work. It also means that everybody now has to
test each and every new BGP software version they receive from their
vendor on what exactly the behavior is of the proposed bgpsec origin
validation signaling draft communities.

If this draft is published as RFC, IANA will assign 3 codepoints to be
used in some fashion in a generally unauthenticated protocol (BGP), and
from that moment all operators doing QA will need to blackbox test the
behavior of every BGP implementation they consider, to see if the
implementation does not accidentally cause deviation from 'local policy'
in any way under any circumstances.

Standardizing codepoints to signal cryptographic validation states
through unauthenticated channels really causes Internet operators down
the road deployment problems, for multiple reasons.

Kind regards,

Job

ps. I once was young and wet behind the ears and endlessly argued how
great RFC 7999 was a *great* idea. At the time it really did seem great
because DDoS attacks were a big problem, also lots of network operators
with a 32-bit had difficulty picking suitable inter-domain BGP values.

But in retrospect what I should have advocated for is a 'BLACKHOLE'
PKIX-RPKI profile, now realizing that the RPKI via RRDP/RSYNC/RRDPv2
might make for global near real-time public 'routing intention'
distribution, really rivaling with the speed at which BGP updates
propagate through the Default-Free zone.