Re: [Sidrops] [GROW] Any credence to AS_SET in the *middle* between AS_SEQUENCEs?

Ben Maddison <benm@workonline.africa> Tue, 26 July 2022 19:45 UTC

From: Ben Maddison <benm@workonline.africa>
To: Alexander Azimov <a.e.azimov@gmail.com>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, GROW WG <grow@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/5kKSCxVH6s6Or8w9k9aQs8j8kSw>

Hi Alexander,

I think that SHOULD is strong enough to justify the behaviour as part of ASPA validation.

Certainly the side effect wrt AS_SETs should be called out in operational considerations.

Cheers,

Ben
________________________________
From: GROW <grow-bounces@ietf.org> on behalf of Alexander Azimov <a.e.azimov@gmail.com>
Sent: Tuesday, July 26, 2022 9:14:36 AM
To: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
Cc: sidrops@ietf.org <sidrops@ietf.org>; draft-ietf-sidrops-aspa-verification@ietf.org <draft-ietf-sidrops-aspa-verification@ietf.org>; GROW WG <grow@ietf.org>
Subject: Re: [GROW] [Sidrops] Any credence to AS_SET in the *middle* between AS_SEQUENCEs?

Hi all,

The current version of the draft follows the wording from draft-ietf-idr-deprecate-as-set-confed-set:


   BGP speakers conforming to this document (i.e., conformant BGP
   speakers) MUST NOT locally generate BGP UPDATE messages containing
   AS_SET or AS_CONFED_SET.  Conformant BGP speakers SHOULD NOT send BGP
   UPDATE messages containing AS_SET or AS_CONFED_SET.  Upon receipt of
   such messages, conformant BGP speakers SHOULD use the "Treat-as-
   withdraw" error handling behavior as per [RFC7606] <https://datatracker.ietf.org/doc/html/rfc7606>.


As you can see, it uses 'SHOULD'. And this was the reason to have an additional 'Unverifiable' state, because the 'Invalid' routes MUST be rejected.

If the WG agrees to change normative language from 'SHOULD' to 'MUST', the ASPA document will follow.


On Sun, 24 Jul 2022 at 11:53, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> wrote:
I think we can conclude that the outcome of the discussions in this thread is to make the following change in ASPA-based AS path verification:

If an AS_PATH has one or more AS_SETs in any position, mark it as Invalid.

At least four (perhaps all five) of us who participated in the discussion support this change.

Thanks.

Sriram


--
Best regards,
Alexander Azimov
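
The check discussed in this thread, as an added example that is not part of the messages, the draft, or any implementation: it decodes an AS_PATH attribute value and reports the outcome for a path carrying an AS_SET in any position, with the outcome label ("Invalid" per the proposed change, "Unverifiable" per the draft wording quoted above) passed as a parameter. Function names, the "continue" placeholder for paths that proceed to ordinary ASPA verification, the 4-octet ASN encoding, and the sample paths are assumptions made for the example.

```python
import struct

# Path segment type codes: 1-2 from RFC 4271, 3-4 from RFC 5065.
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4


def seg(seg_type, asns):
    """Encode one path segment with 4-octet ASNs (used to build the samples)."""
    return struct.pack(f"!BB{len(asns)}I", seg_type, len(asns), *asns)


def parse_as_path(value):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...]."""
    segments, off = [], 0
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        end = off + 2 + 4 * count
        # Unknown type, zero-length segment, or overrun: malformed attribute.
        if seg_type not in (1, 2, 3, 4) or count == 0 or end > len(value):
            raise ValueError("malformed AS_PATH segment")
        asns = list(struct.unpack(f"!{count}I", value[off + 2:end]))
        segments.append((seg_type, asns))
        off = end
    return segments


def as_set_positions(segments):
    """Indexes of AS_SET segments, wherever they sit in the path."""
    return [i for i, (seg_type, _) in enumerate(segments) if seg_type == AS_SET]


def classify(value, set_outcome="Invalid"):
    """Return set_outcome if any AS_SET is present, else "continue"
    (hypothetical marker: hand the path to normal ASPA verification)."""
    if as_set_positions(parse_as_path(value)):
        return set_outcome
    return "continue"


# Constructed samples using documentation ASNs (RFC 5398).
MIDDLE_SET = (seg(AS_SEQUENCE, [64500, 64501])
              + seg(AS_SET, [64510, 64511])
              + seg(AS_SEQUENCE, [64520]))
CLEAN = seg(AS_SEQUENCE, [64500, 64501, 64520])

if __name__ == "__main__":
    print(parse_as_path(MIDDLE_SET), classify(MIDDLE_SET), classify(CLEAN))
```
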