Re: [Sidrops] Alvaro Retana's No Objection on draft-ietf-sidrops-rpkimaxlen-12: (with COMMENT)
Alvaro Retana <aretana.ietf@gmail.com> Wed, 10 August 2022 16:01 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C833EC15C53F; Wed, 10 Aug 2022 09:01:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 54-Fds7wAOmo; Wed, 10 Aug 2022 09:01:29 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45AA5C15C53B; Wed, 10 Aug 2022 09:01:29 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id a9so21814518lfm.12; Wed, 10 Aug 2022 09:01:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date :mime-version:references:in-reply-to:from:from:to:cc; bh=8QVYEm2uKs9rNmRkQh0acnk0MimtElbtJ2ppF9mmndE=; b=LZ8QJg++ILL0NTv/m9US7UPwELDV+rUcWTojZjojQNckw6TxIb1IfNRpY8a2gWyOek QaTODs9wMJ5THF3hVL9dZr9zF2e7H+dT1YhKdnnDuMMRPVaG9yo1AXQFm7RaHvBZ2lUZ g1M+3djMZbYh5JotTnY4v5CEMW6wWWA2hp4NWPZLlpDjacObMDzYkmA6ha9w+7oypqZH ByXHH65nLN1mZWlC3n0QGp3ojMvAWRiH90hWT9nup2AjyDFvZL+uYkaxSTq9WPPz5ZyA 1uWaJvZ7pIg2Pua/iMfgVd0qnLxpnpxJdiaqo3OV1Vy5oEk0cd3Y1vJMsMfYJ3jnwbHB PXJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date :mime-version:references:in-reply-to:from:x-gm-message-state:from:to :cc; bh=8QVYEm2uKs9rNmRkQh0acnk0MimtElbtJ2ppF9mmndE=; b=P9JHJII+njZePYbEFeu9G1Nkx8pi7Px1zUrZ35cT59tPlXJ+NYbdOc643j69zMb4mL wpVR363hmxBk8Zvjt0+QsudCGwzcyJLyjh2u8Dqwkno+2jQ8QIFhU/f/GyBMXOlhjbqq Vf0n29/5tLIb3n+2Mp6MWsRVsAU/88X6LYpze9Cug/vUaC5Pj1NJXrllJJmzg/EnbQBG 2ggiCoNgfHZuLRuoj1y2YKm6K87uJfgJZIgO6+PErXZPniFFolcZ1FVRfjkKANggKc4c lp3WjB8TO3P9f0r/YbQgQmOlewET4gklln0XKSlw/fsaqI6edklnuW9kGbd/vU5l3GEQ jtLA==
X-Gm-Message-State: ACgBeo2Esuzg5edGWv6xy4euPrA55XtVdmPxFiF5lEJIOtsq0KyJ/l7i gzJfsAkE0D74nHV310gwBOJvjKLyFkmqEnTfhBFViNba
X-Google-Smtp-Source: AA6agR5WmhVA4sMRRBTy49XMJyJj3+h0Fyrnh6hTray9IFyOOWz01ZEcKJDRAfvxd+xOuLZXZrwpB7LolUuVqWTo6Pw=
X-Received: by 2002:a05:6512:3501:b0:48a:ef16:2b5d with SMTP id h1-20020a056512350100b0048aef162b5dmr9312370lfs.186.1660147287055; Wed, 10 Aug 2022 09:01:27 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 10 Aug 2022 09:01:26 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <20220810105618.yueivflxkx72b24h@benm-laptop>
References: <165999488384.24516.14815105547545369665@ietfa.amsl.com> <20220810105618.yueivflxkx72b24h@benm-laptop>
MIME-Version: 1.0
Date: Wed, 10 Aug 2022 09:01:26 -0700
Message-ID: <CAMMESsyHo8HbBCj4BE3afLiJQ1vy+2JMZqgs48=2tnxEEh-qpg@mail.gmail.com>
To: Ben Maddison <benm@workonline.africa>
Cc: sidrops-chairs@ietf.org, morrowc@ops-netman.net, sidrops@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-sidrops-rpkimaxlen@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/VoXM_zwCfnm_XEAHiQ01mCqMxw4>
Subject: Re: [Sidrops] Alvaro Retana's No Objection on draft-ietf-sidrops-rpkimaxlen-12: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2022 16:01:29 -0000
On August 10, 2022 at 6:56:29 AM, Ben Maddison wrote: Ben: Hi! > > (1) The running example makes the text clear -- but by being a minimal > > example (only a couple of prefixes are involved) it may oversimplify the > > potential operational complexity of maintaining a set of minimal ROAs. > > > > In particular, operators with short prefixes and many advertisements of > > both IPv4 and IPv6 may have a harder time keeping up with changes. I would > > love to see some text around the challenges that applying the > > recommendations at scale may bring, which may also "result in a self- > > inflicted denial of service" (to use the description in §7). > > I doubt that such an operator would fail to see that their situation is > more operationally complex than the example. > > Perhaps something along the lines of: > > The recommendations made in section 5 are likely to be more onerous > for operators utilising large IP address space allocations from > which many more-specific advertisements are made in BGP. Operators > of such networks are encouraged to seek opportunities to automate > the required procedures in order to minimise manual operational > burden. > > Even the above seems a bit tautological to me! Thoughts? That works for me. I'm just looking for completeness, even if there's some redundancy. > > (2) This text in §5 talks about the maintenance steps (review, replace, > > repeat): > > > > Operators that have existing ROAs published in the RPKI system SHOULD > > perform a review of such objects, especially where they make use of > > the maxLength attribute, to ensure that the set of included prefixes > > is "minimal" with respect to the current BGP origination and routing > > policies. Published ROAs SHOULD be replaced as necessary. Such an > > exercise SHOULD be repeated whenever the operator makes changes to > > either policy. > > > > I assume that throughout the document "SHOULD" is used because, even though > > this is a BCP, the practice is only recommended. > > Correct. MUST feels weird in an Ops BCP. Maybe that's just me. > > > That is not an issue for me, except for the last recommendation above: > > the "exercise SHOULD be repeated whenever the operator makes changes > > to either policy". If the recommendations in this document are > > followed, a review of the system should be required, not just > > recommended. > > I think they should either all be MUST or all be SHOULD. Changing only > the last sentence would mean performing a review initially is > operational, but performing subsequent reviews is required, which I > think is poor advice. > > I generally think MUST is odd in this kind of doc, but I'm happy to > accept guidance on this. IMO, documents are generally self-contained -- the normative language should be interpreted in the context of each document. For example, if an optional extension to a protocol is being described, the required or recommended behavior should be seen in the context of using that extension. In the case of this document, it describes a practice that operators may decide to take on, or not. If they do, then the requirements and recommendations should apply in the context of using the mechanism. All this is to say that I would rather you require (MUST) the behavior -- in the context of "if you're implementing this BCP then these are the things you MUST do". Specifically, all the actions above are required. If operators don't chose to follow what this document recommends, it doesn't matter whether SHOULD/MUST were used. ... > > (4) "The recommendations complement and extend those in [RFC7115]." > > > > It seems to me that this document should formally Update rfc7115 as there > > are related considerations mentioned there. I checked the archive but > > couldn't find a related discussion. Was an Update considered? > > To the best of my recollection, no. > > I'm inclined to agree that this should probably update 7115. Given that > the original author of that document has indicated he is, at best, > lukewarm about this draft, I'd appreciate some guidance on the etiquette > here? This is a decision that the WG should make. I would expect the Chairs to lead a discussion and reach a consensus, one way or the other. [Disclaimer: this is not my WG, so I'll rely on the Responsible AD/Chairs on the way forward.] FWIW, given the relationship with rfc7115, I think it's more important to make sure this document is also part of BCP 185 than to use the Updates tag. Thanks! Alvaro.
- [Sidrops] Alvaro Retana's No Objection on draft-i… Alvaro Retana via Datatracker
- Re: [Sidrops] Alvaro Retana's No Objection on dra… Randy Bush
- Re: [Sidrops] Alvaro Retana's No Objection on dra… Ben Maddison
- Re: [Sidrops] Alvaro Retana's No Objection on dra… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] Alvaro Retana's No Objection on dra… Alvaro Retana
- Re: [Sidrops] Alvaro Retana's No Objection on dra… Alvaro Retana
- Re: [Sidrops] Alvaro Retana's No Objection on dra… Ben Maddison
- Re: [Sidrops] Alvaro Retana's No Objection on dra… Ben Maddison