Re: [Sidrops] WGLC - draft-ietf-sidrops-validating-bgp-speaker - ENDS 09/07/2018 - Sept 7th 2018
Nick Hilliard <nick@foobar.org> Tue, 04 September 2018 23:03 UTC
Return-Path: <nick@foobar.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0322B131029 for <sidrops@ietfa.amsl.com>; Tue, 4 Sep 2018 16:03:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TBVzxOg9sfk5 for <sidrops@ietfa.amsl.com>; Tue, 4 Sep 2018 16:03:31 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86AAD13104D for <sidrops@ietf.org>; Tue, 4 Sep 2018 16:03:31 -0700 (PDT)
X-Envelope-To: sidrops@ietf.org
Received: from crumpet.local (089-101-070074.ntlworld.ie [89.101.70.74] (may be forged)) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id w84M3PCe062318 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 4 Sep 2018 23:03:25 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host 089-101-070074.ntlworld.ie [89.101.70.74] (may be forged) claimed to be crumpet.local
To: Christopher Morrow <christopher.morrow@gmail.com>
Cc: daniel.kopp@de-cix.net, sidrops@ietf.org
References: <CAL9jLaYqGt1+f3GaccNwjPOHxM34ifWDu5bhRx24PMYHpqV4XQ@mail.gmail.com> <20180822161549.GA1021@hanna.meerval.net> <42CA116C-4F74-4D31-A58E-3D7528FC529F@de-cix.net> <CAL9jLaaYzZmGVgEPfuDze5D_yN5x_CMKFEnY7XwM2F7EycwEOQ@mail.gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <1c20668c-4785-81e0-a7db-55b36cab8b12@foobar.org>
Date: Wed, 05 Sep 2018 00:03:25 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 PostboxApp/6.1.2
MIME-Version: 1.0
In-Reply-To: <CAL9jLaaYzZmGVgEPfuDze5D_yN5x_CMKFEnY7XwM2F7EycwEOQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/TMWPUQ2MXx2saw7-BM2Uuh0XyHI>
Subject: Re: [Sidrops] WGLC - draft-ietf-sidrops-validating-bgp-speaker - ENDS 09/07/2018 - Sept 7th 2018
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2018 23:03:41 -0000
Christopher Morrow wrote on 04/09/2018 16:57:> I think restating an earlier conversation about this draft (which I > think was the rpki-light draft name) is useful: > "The draft aims to provide the ability for a third-party (IXP) to > validate routes for me, because I can't do that myself" rather than having a discussion about theoreticals, I set up an RPKI cache from scratch on a VM earlier this evening and tied it into an XR router connected to an IXP. The RPKI cache ran on vanilla centos7 with the RIPE NCC RPKI validator v3 software. Here are the installation instructions for the validator software: > https://github.com/RIPE-NCC/rpki-validator-3/wiki/RIPE-NCC-RPKI-Validator-3-Production Two minor additions were made to the 8 commands required to install the software and get it running: one to get the rpki-rtr process to bind to the public IP address of the server in question, and the second was to install the ARIN TAL. The router was configured to tag and accept invalids. It took 6 lines of copypasta config (3 policy and 3 bgp/rpki) pulled from a couple of quick internet searches to do this. The result of this was a fully operational RPKI PoC which validated prefixes on the router immediately. Embarrassingly, it took longer to beat the firewall into allowing access to the rpki-rtr server than it did either to configure the router or to set up the rpki validator service (this was due to a typo: udp/8323 instead of tcp/8323, oops). In terms of router stack support, rpki validation has been there for years on Junos, IOS-XE, XR, SR-OS, vanilla IOS on some platforms and various other commonly-used router stacks. It's not there on some kit, including, for example, vanilla IOS on older non-core-oriented legacy kit and Mikrotik RouterOS, which gets a mention mostly because it's widely used at IXPs, despite its shortcomings. Obviously a PoC is not a production configuration, but the point of the exercise was to show that the bar for a basic rpki implementation has been lowered to the point of it requiring no more than a skeleton linux deployment and 8 lines of cut-n-paste from a wiki. It isn't rocket science, and it is widely supported on the sorts of routers that people use in production environments, particularly IXPs, i.e. the pool of situations where people can't deploy rpki is continuing to shrink and there is no real operational need to create standardised hacks for situations where it can't be deployed. Nick
- [Sidrops] WGLC - draft-ietf-sidrops-validating-bg… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Job Snijders
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Job Snijders
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Job Snijders
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Job Snijders
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Ruediger Volk
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Jakob Heitz (jheitz)
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Borchert, Oliver (Fed)
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Borchert, Oliver (Fed)
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Borchert, Oliver (Fed)