[Sidrops] A few quick comments / suggestions about Origin Validation Signaling

"Montgomery, Douglas (Fed)" <dougm@nist.gov> Tue, 26 March 2019 09:48 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/TJurgJtpkC4rb0NWJj6SkBv2fuE>

https://datatracker.ietf.org/doc/draft-ymbk-sidrops-ov-signal/

1.  Make title more descriptive - we already have a few specs about what most folks would call "Origin Validation Signaling".   Maybe "Outsourced Origin Validation".  "Distributed" if that is our euphemism for outsourced.

At the last NANOG a few newcomers to the technology pointed out what a confusing swamp of specs we have - and that navigating that swamp is non-trivial.  More descriptive titles would be a small step in the right direction.

2. Section 3 Trust Boundary

   "An [RFC4456] Route Reflector Cluster is an obvious candidate for this
   approach.  The route reflector(s) would perform Origin Validation and
   signal an Invalid route back to the sending client."

While I agree that an RP is the obvious place to do this, the draft would give one the impression that there are others.   

I would suggest that providing a few more details about how this would modify RFC4456 behavior would be useful.  That is one fully described example of how this would work.

If the RR model is the only model in which we think this works, we should say so.   Or more to the point, if I were to modify my general iBGP behavior as described in this draft, do we see any problems with doing that?

3.  Section 5 Actions

   "A sender receiving the returned prefix announcement so marked MUST
   treat it the way it would treat an Invalid origin that it itself
   detected.  It should withdraw all routes it had announced to that
   prefix with the Invalid origin AS.  This includes withdrawing any
   instances of additional paths with that origin AS advertised under
   [RFC7911]."

Does the above apply to both e-BGP and i-BGP advertised routes?   

Does it need the caveat of "on peering sessions on which OV is being performed"?

dougm
--  
Doug Montgomery, Manager Internet & Scalable Systems Research @ NIST