IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Claudio Jeker <cjeker@diehard.n-r-g.com> Thu, 23 March 2023 16:15 UTC

Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1787C153CBB for <sidrops@ietfa.amsl.com>; Thu, 23 Mar 2023 09:15:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.895
X-Spam-Level:
X-Spam-Status: No, score=-6.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0PIv0S6Azakg for <sidrops@ietfa.amsl.com>; Thu, 23 Mar 2023 09:15:15 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 811C4C1527BC for <sidrops@ietf.org>; Thu, 23 Mar 2023 09:15:13 -0700 (PDT)
Received: (qmail 3405 invoked by uid 1000); 23 Mar 2023 16:15:10 -0000
Date: Thu, 23 Mar 2023 17:15:10 +0100
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Martin Hoffmann <martin@nlnetlabs.nl>
Cc: Amreesh Phokeer <phokeer=40isoc.org@dmarc.ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, Aftab Siddiqui <Siddiqui@isoc.org>, Max Stucchi <stucchi@isoc.org>, Hanna Kreitem <Kreitem@isoc.org>
Message-ID: <ZBx7DrM3Vjf/tSms@diehard.n-r-g.com>
References: <SJ0PR06MB7677230255CC9134CAF94E98D6879@SJ0PR06MB7677.namprd06.prod.outlook.com> <ZBxfj74YFy/5Fhax@diehard.n-r-g.com> <20230323162051.3069b516@glaurung.nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20230323162051.3069b516@glaurung.nlnetlabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/W7GUHH3QJ7d_P49gYyUvYNK9vp4>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2023 16:15:15 -0000

On Thu, Mar 23, 2023 at 04:20:51PM +0100, Martin Hoffmann wrote:
> Claudio Jeker wrote:
> > On Thu, Mar 23, 2023 at 01:22:32PM +0000, Amreesh Phokeer wrote:
> > > Hello,
> > > 
> > > Thank you to all those involved in this draft. We have reviewed the
> > > document and here are our comments:
> > > 
> > >   1.  Section 4: “An AS SHOULD NOT have more than one ASPA”
> > >      *   It should be clarified that one ASPA per AFI is tolerated  
> > 
> > In general this is a bad adivice and therefor should not be further
> > clarified.
> 
> I don’t think that’s what the comment is about. Rather, there is an
> inconsistency in the document. Section 4 first RECOMMENDS against using
> the AFI limit and then proceeds to say you SHOULD only have one ASPA
> objects. This can be interpreted that if you are using the AFI limit
> (which you are allowed to, it is just not recommended), you still can
> only have one ASPA object. So, if you use the AFI limit, you can only
> use ASPA for IPv4 or IPv6 but not for both. Surely that is not the
> intention?

Please check how the profile is specified. The AFI is per provider
AS. So there is no real concept of "only use ASPA for IPv4 or IPv6 but
not for both" (only RTR 8210bis does that).

My point is that if you have an ASPA object then the hop function no
longer returns "no Attestation" for your AS. It can only return "provider"
or "not provider". The path down a road where that is not the case is an
operational nightmare.
 
> > As with all ASPA objects the RP software and router must
> > build the union of all providers per CAS. Now one could issue an
> > object per provider and AFI but it is not a very sensible thing to do.
> > 
> > The CAS is the primary lookup key.
> 
> Is it? In RTR, an ASPA entry contains both a mandatory customer AS and
> a mandatory AFI -- you cannot say “this entry is for both.” This means
> that in RTR land, the ASPA sets for IPv4 and IPv6 are distinct. The
> primary key is the pair of customer AS and AFI.

The thing is RTR is not ASPA. It is just a transport protocol to move
data and it is optional (our first implementation did not use RTR and most
of my routers do not use RTR either but do ROA and ASPA validation).
So RTR should follow the ASPA profile and validation standards and not the
other way around.

> This is the disconnect I mentioned earlier -- perhaps I posted this to
> the wrong thread. The verification draft talks about things in terms of
> the ASPA objects published but a router actually implementing it has to
> build its data structures based on RTR.

I know about this disconnect and I argue the way to fix this is in 8210bis.

I have a major issue with duplicating the CAS lookup table. The
implication for BGP implementations is twice the memory consumption and
more then double the computational cost and that in the most latency
sensitive portion of the code. A lot of time is spent in getting the most
performance out of BGP and so this should be a major consideration when it
comes to ASPA validation.
 
> Thus, the verification draft follows your argument: Don’t use the
> afiLimit, have one ASPA object for your customer ASN. But 8201bis then
> twists that around and has a mandatory AFI field on the RTR PDU.

Yep. 8210bis is at fault here.

> Given that this is already leading to confusion here, it should
> probably be resolved before publishing.

Absolutly agree with that.
 
> > >   2.  VAP: it is unclear whether how the VAP will be merged but
> > > grouped by AFI in the case of multiple ASPAs?  
> 
> That the sets of provider AS of multiple ASPA objects for the same
> customer AS should be merged is only mentioned in 8210bis but at no
> point in either the profile or verification drafts. One of them should
> probably spell out how the (on or two) VAPs for a customer AS are to be
> created from a the set of ASPA objects.

In draft-ietf-sidrops-aspa-verification-12 Section 3:
If a CAS has a single ASPA, then the SPAS for the CAS are the Provider
ASes listed in that ASPA. In case a CAS has multiple ASPAs, then the SPAS
is the union of the Provider ASes listed in all ASPAs of the CAS.

Now this is not perfect but VAP are Verified ASPA Payloads and by that the
above statement still applies to them since VAPs are still ASPA objects.
In the end a router must support multiple sources that provide Verified
ASPA Payloads and will need to build the union of all these sources. This
is how ROA works and I see no other way for ASPA.

The situation right now is a mess and I fear that I caused this sudden
rush because I implemented all three drafts. I would prefer to not rush
and instead use the feedback from this implementation and fix the
remaining issues.

-- 
:wq Claudio

v2.23.0 | Report a Bug | By Email