Re: [Sidrops] Which 8210-bis error code should be used?
Claudio Jeker <cjeker@diehard.n-r-g.com> Wed, 24 May 2023 09:39 UTC
Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79782C151B3A for <sidrops@ietfa.amsl.com>; Wed, 24 May 2023 02:39:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.195
X-Spam-Level:
X-Spam-Status: No, score=-4.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VjvX-LPhU94N for <sidrops@ietfa.amsl.com>; Wed, 24 May 2023 02:39:07 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0937FC151B07 for <sidrops@ietf.org>; Wed, 24 May 2023 02:39:06 -0700 (PDT)
Received: (qmail 11895 invoked by uid 1000); 24 May 2023 09:39:03 -0000
Date: Wed, 24 May 2023 11:39:03 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Martin Hoffmann <martin@nlnetlabs.nl>
Cc: Jay Borkenhagen <jayb@braeburn.org>, "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>
Message-ID: <ZG3bN1p4EzSn4XIS@diehard.n-r-g.com>
References: <SA1PR09MB8142523FA03AC4EA6E0E014E847C9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814235BE0566A5C6935CF5B184439@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814231707524646D651B69B884439@SA1PR09MB8142.namprd09.prod.outlook.com> <ZGs5bFRjPLnyL2Jd@diehard.n-r-g.com> <25708.55138.924074.242182@hrabosky.cbbtier3.att.net> <ZG2Vobyxl/gPEfCU@diehard.n-r-g.com> <20230524100558.452d4caf@smaug.local.partim.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20230524100558.452d4caf@smaug.local.partim.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/VLnZ3mll7BDdUFh-NNkTdh0INdA>
Subject: Re: [Sidrops] Which 8210-bis error code should be used?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 09:39:08 -0000
On Wed, May 24, 2023 at 10:05:58AM +0200, Martin Hoffmann wrote: > Claudio Jeker wrote: > > > > I agree that ASPA-generating CAs (especially the RIR portals) need to > > stop or warn operators when they create entries that only cover one > > AFI. Actually the portals should discourage the operator to use AFI > > specific entries in the first place. > > This sounds a lot like we are creating the next max-len debacle. Have > we seriously considered just not having afiLimit at all? The > consequence would be that a couple ASPAs have a couple ASNs in their > provider set that aren’t valid providers for a subset of prefixes. > > How does the added protection weigh against the added complexity > at all stages of the protocol, particular in view of the strong > recommendation to not use the feature at all? > > I.e.: > > > Remember: > > Rule number one to improve security is to remove options, not adding > > them.> > > > -- Martin > > PS: Yes, I know it is very late in the process. But this keeps popping > up which is a good indicator that it will keep popping up later and > cause operational issues. Perhaps avoiding that is worth the extra > hassle now? I would love to remove the optional afiLimit from ASPA. I brought this up a few times (well before there was any implementation of any ASPA draft) and every time the answer of some of the authors was no (without any particular reason). As one of the developers of the first RP and only BGP implementation handling ASPA I would enjoy to remove all the code required to handle the afiLimit. We probably control most test deployments (RP and BGP side) and are willing to make this change. -- :wq Claudio
- [Sidrops] Which 8210-bis error code should be use… Borchert, Oliver (Fed)
- Re: [Sidrops] Which 8210-bis error code should be… Randy Bush
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- Re: [Sidrops] Which 8210-bis error code should be… Borchert, Oliver (Fed)
- Re: [Sidrops] Which 8210-bis error code should be… Borchert, Oliver (Fed)
- Re: [Sidrops] Which 8210-bis error code should be… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] Which 8210-bis error code should be… Borchert, Oliver (Fed)
- Re: [Sidrops] Which 8210-bis error code should be… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- [Sidrops] some wording improvements in draft-ietf… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] some wording improvements in draft-… Borchert, Oliver (Fed)
- Re: [Sidrops] Which 8210-bis error code should be… Jay Borkenhagen
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- Re: [Sidrops] Which 8210-bis error code should be… Martin Hoffmann
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- Re: [Sidrops] Which 8210-bis error code should be… Job Snijders
- Re: [Sidrops] Which 8210-bis error code should be… Randy Bush
- Re: [Sidrops] Which 8210-bis error code should be… Martin Hoffmann
- Re: [Sidrops] Which 8210-bis error code should be… Tim Bruijnzeels
- Re: [Sidrops] Which 8210-bis error code should be… Tim Bruijnzeels
- Re: [Sidrops] Which 8210-bis error code should be… Borchert, Oliver (Fed)
- Re: [Sidrops] Which 8210-bis error code should be… Jay Borkenhagen
- Re: [Sidrops] Which 8210-bis error code should be… Hollyman, Michael
- Re: [Sidrops] Which 8210-bis error code should be… Mikael Abrahamsson
- Re: [Sidrops] Which 8210-bis error code should be… Tony Tauber
- Re: [Sidrops] Which 8210-bis error code should be… Yangyang Wang
- Re: [Sidrops] Which 8210-bis error code should be… Tim Bruijnzeels
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- Re: [Sidrops] Which 8210-bis error code should be… Tim Bruijnzeels
- Re: [Sidrops] Which 8210-bis error code should be… gengnan
- Re: [Sidrops] Which 8210-bis error code should be… Claudio Jeker
- Re: [Sidrops] Which 8210-bis error code should be… Borchert, Oliver (Fed)