IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-ietf-sidrops-8210bis-03 - Ends 7/December/2021

"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Mon, 29 November 2021 14:12 UTC

Return-Path: <oliver.borchert@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F4EA3A09EE for <sidrops@ietfa.amsl.com>; Mon, 29 Nov 2021 06:12:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.802
X-Spam-Level:
X-Spam-Status: No, score=-2.802 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CAmR2ytLAa5u for <sidrops@ietfa.amsl.com>; Mon, 29 Nov 2021 06:11:55 -0800 (PST)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on20703.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d05::703]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4245C3A0842 for <sidrops@ietf.org>; Mon, 29 Nov 2021 06:11:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VGOBU20LXoN2biMSiylI5cFecHtOnIsxRzQNdETKJ6+3gi2KOUIZQxDiqKg+9IdbzUEcRjDjFzAilpgZOeBajNgghCmYauUo5lVhmS1U/J9XDLrxTA/65SX604JIagH+syiDFNVRyH7bDKd+oB61EGBgOvKQHIbR8JO+9pPh15b/IzJ5/cFK7VJin3xNJ9nNn9ZTVZw8dxiJI67dBVMtVHYVmWAE7PXsf9P0OmKr7L/UDaGvcDuRidoC0RF8Ph8zq6Oq1xg0pkOiS2++nmUdJE5yZAxijSxu1mcWPSKoyBT7wm0/E2+6LvtrMTiIS4c9Lu9cnfJ1iycw15UtGCbbGw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=voIyl1r2ZO+3/X5E0C42RWobGfMcKIGLvxEKjCXi1pU=; b=Njsltc13bt3GYttyh0nb9iI9UyR8KNZ2MblAbapTK59/8g/IluM42C48k0V3Gm3PJxrGOXbflAUnYvAM27+x//sMLgieA0L6uTD8F42ihY5Ck5aX+voPLpQa6j1W4/xlhDUp92rAw17UQgi5GgjJvKPVrKLmjBQD8wM6eYDfDSIEA7XjBsl0TtycJI0OC/15+VnyVFfKBvY24lJKL0CU/7qn/b9MD9TrEz9KHfDg7O6lsRyPholTZ9zivjB5x9+yJxi6beU7izHojUrHx+7kuQT9zoU/brUKDl7pXZNrSvM6wVNlmLfDJzbLOWyJ6tLxvkgOoOUs0LjuGefUD+6v0A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=voIyl1r2ZO+3/X5E0C42RWobGfMcKIGLvxEKjCXi1pU=; b=jhhq9fgHWiGkRu9NHp6MJFln2YkkatP8pizwuxMs1Wt3vAqDxZFvKSU72hTL4JVEuVY0EvfqG0PKqajaVGBZw4FAtlWUzB7AJF/qA5c7uprV8JakzrTSz5yAM0ztJATDD5OOesZajRiK0XUloPFos3a87r6BnFdnM2s8Vn+X310=
Received: from BLAPR09MB6322.namprd09.prod.outlook.com (2603:10b6:208:2af::22) by BLAPR09MB7300.namprd09.prod.outlook.com (2603:10b6:208:288::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4734.20; Mon, 29 Nov 2021 14:11:49 +0000
Received: from BLAPR09MB6322.namprd09.prod.outlook.com ([fe80::c161:f060:c5ad:9b59]) by BLAPR09MB6322.namprd09.prod.outlook.com ([fe80::c161:f060:c5ad:9b59%6]) with mapi id 15.20.4734.024; Mon, 29 Nov 2021 14:11:48 +0000
From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>, Randy Bush <randy@psg.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
Thread-Topic: [Sidrops] [WGLC] draft-ietf-sidrops-8210bis-03 - Ends 7/December/2021
Thread-Index: AQHX4JxjysDMm9aqUk+5kLJKlC2YP6wShquAgAW5UQCAAiQTAP//3P4A
Date: Mon, 29 Nov 2021 14:11:48 +0000
Message-ID: <4ECF3177-C682-480F-81EF-9155498F081F@nist.gov>
References: <0B2DE27E-B67F-413B-806B-7131B90F3333@arrcus.com> <14BFC0A3-0352-47C7-86CF-23223F0E660E@nlnetlabs.nl> <m2ilwdovm7.wl-randy@psg.com> <0520521A-DF0E-4209-8FF2-745094D742C8@nlnetlabs.nl>
In-Reply-To: <0520521A-DF0E-4209-8FF2-745094D742C8@nlnetlabs.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.55.21111400
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 301d8bee-e7fa-4943-48e6-08d9b3422f0d
x-ms-traffictypediagnostic: BLAPR09MB7300:
x-microsoft-antispam-prvs: <BLAPR09MB730029013C685BBEB92782B098669@BLAPR09MB7300.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: rJ5tCuKFkgieDZ2v0GU22jSrjQJdmCgRDLHSyLxqpmzKzv9HO9HByVANOXeqdtBsIztfBiaNjk4RRXlnwh/xRHREZg2ZxAwNnlgP83NHCQ2aujl5hE8keptK/CLXMQm7xPmhqRFokUB4FAp7yKVCmIQzXMSEyGG83wycE6NBf51jJGsZK5hndXG2ejvWs8AsUsp9bBogBkOKm0LFM6Cv1CUzysvjDpXhFVZuIJj55DSPHh6N4ItJMouyVczsbSmG3GOK09j7Q3SDopzKlbWDnawg8R3e3wmZm9uNdu2f2E75OXtk1O5tsuPxhe4vQ83wwbU4XSBxmqwbGcv+vFZ1w3YVher9vhRRtCC0hjQ2NX2/O9+/2gSdvzrBKagaxf+cN3n7e00Yv223LTSqXuq6aLYgjqrmPcAt9KG49ikUf3EixPC3V50kree3jC6S2KU0NJzz/U7bdiWRWarmOziZV2cuVMHxtCPCj2fCgaS1gn7g1FH7cs19rarwfO+t//bUTIj04pu5g+WY4NDFqS89nQ5qJAAZCr0jB8BvqsTxfa9Vs06XHn71VTopQ4SgpOTEuLAv3Q1dDHfsfH9158uUCgIE2HyJ9NztUl67GLoFH2HQtscvKwHbP8mfXOt8HfpK+N7O4aDXlIRS8kYVz6yuZQ03HgPjt9b/TJm4MqGA9fK/0C6CV4HHYzU5TFM/XbRlkozGmDZ7Hs+G0KHUHuMwsAFA4D01+hVtWRSxQbneYpyYwXMKF1iYt4M2KIOovnzkRpY/qzhAQjDG9kbwaVAP2iEeq7zlJZC31eHV1og7u3VXQR+1ue51unrfovh1AWVM
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BLAPR09MB6322.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(38100700002)(122000001)(40140700001)(66446008)(71200400001)(36756003)(38070700005)(53546011)(316002)(5660300002)(66556008)(66476007)(6506007)(64756008)(66946007)(6486002)(6512007)(82960400001)(54906003)(8676002)(45080400002)(83380400001)(110136005)(508600001)(33656002)(107886003)(2906002)(966005)(4326008)(86362001)(2616005)(66574015)(186003)(8936002)(76116006)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 2yIA/mVt67NJTUO0UrDGAa4hcTqyCkGs5jDHUQS1rT/JYjfdPb8I8ZDtCsKpd00JkW8sJyWX77euCQydM1VMu14Zpb3mBhPBPZeHWyy+lUxG0kviIx29Y7izF5+j77pm4q8nYOGjhcS7/tNfTi9Q7zxwqKNckx1MwWfGN6LCQS4TfiIYddN6LRa6DZpdNRULzQRNjKladEvAvm9yQhwPw0jffModd8eGwvbTvQgEe+p7MBUeVAA4GezhPNgpuaDnv3wIvUVdFwstAuRC3tbYiPcc023KI8y5ZqnCYE1ppRq3aTXPT3rQ/EZKgDhpYRs214eX+EajgQPJrHpfqLEa84ETsanol2aV+6nvq2FVzMtNgucg4qS+dtVzv7YHtfFA5HUON1+o8UfDt6OZDu7+sSQ//taD0UA6nrV8XwuQFM1jt9EBMivKnKd1G1Tc929VrtcJSNVFEA1WLZRISNDF1vQYCOvVp3EODmicVwFtQ62hGicXfnYSO8F1rr4v8enDVqdj/mYoI8Hpi7sN16Mfyvg9pFMvbcGHJeSBCMw/r1oSLQZ+7E6XOjdIgm7BZhQxCInh0SU2WE4QPqb5qvR3Mhk1y2iu1r/rOwbe8tp+WfEtmPC7hx68CI80RP++Qy6niPh+0kdci5bpnqIr1RuTl7+TVD3cU29u2wLU7o/OAMyDCnNpwR+zneTY1U/SITGh3sUnhas2usJQecQ6hsedSkCxTZxtDQKZUqn5ijdkkOBY6+dxmMaiKxYz6is3JqGspniZ1xZXG1XLY0zasmZTmXFKtofRyaIfrpU5MXHYgdZaIq/JLC31o6y87cqD4LiiT/1WVa3c+8JZZA4T0ozEndBxcbVEsYXV9E6+PnQMzZzVkHCm6BySTukpID6AFPJPVLW/m6UPMif4xOqWO50exeS9Sv2cFBJpcHTU6xM15LLbtwGzjTQvyOnacpY8OmtrSPx8wTwis2HiatyymMWvw8GhqouMn4/98Da8ZHKxom46eEV1j+ki31JXMjXS+77CoZaPqFqAlX+QCoT1jBSCOMrxGxc0WTsYxOdT4E40+y9nSJe6DUFHiVNWvCRhr/Wanxlb4+6dDO/PzCR7Jqi+kXYM55++nRa6WxQ5V0sFCJqdZjnzcq9fLjlu+dXgZEJEWmRUkLBSe9yaj6ERuTUE0i436SKUfUUlph+hbZqMB2Avi3VPE4kU83bJQ2P9PL4LZ6cSpfHsrU/gvZtbja41L6ugFhsBW3tbyQlAQILLnVrEdh3IfUxLFCkvayHpIEIjs2FhrJ/ElfxVMbyPy4iMH5S5XaZUwvbTMoKmHw/KGSMiUkT5KuCRLBMtrOP+fBNlzRFFp9AuhggycMFz++tYew==
Content-Type: text/plain; charset="utf-8"
Content-ID: <A542569F1A5D5142AFE42BB4828DA32E@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR09MB6322.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 301d8bee-e7fa-4943-48e6-08d9b3422f0d
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Nov 2021 14:11:48.6636 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR09MB7300
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Y-Gktj3IRdyvwgPyB1Z3CVXU8Y0>
Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-8210bis-03 - Ends 7/December/2021
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2021 14:12:01 -0000

The current version of the draft mentions a router only contains one single APSA object per customer. This assumes a specific form of implementation. I don't believe a protocol specification should do that. One can imagine an implementation that stores the data as link relations hence multiple internal objects per customer. Take 10 implementers and you might end up with 10 solutions.

I always read to keep things simple - Great I like simple. Though, as I outlined in my email from last week, the current specification introduces implicit withdrawals while announcing an ASPA object. That contradicts simplicity - it adds additional complexity to the router.

As I mentioned in my email as well as was mentioned in prior IETF's a router should never perform any validation on incomplete data. The moment the router starts updating the data, it most likely will encounter a break before make situation - at least when it comes to ROA's. Therefore the router should always wait until a complete update is processed prior acting upon it.

Therefore, "Keep it simple" should result in a PDU as I proposed with only a single Customer Provider. An ASPA object that contains 10 providers should result in 10 PDU's each with the customer and a single provider. Duplicates are treated as established, withdrawals are treated as established. No special handling required on the router's side.

--> Simple!


Oliver


-----------------------------------------------
Oliver Borchert, Computer Scientist
National Institute of Standards and Technology
(Office) +1.301.975.4856
(GVoice) +1.240.668.4117
 

On 11/29/21, 6:18 AM, "Sidrops on behalf of Tim Bruijnzeels" <sidrops-bounces@ietf.org on behalf of tim@nlnetlabs.nl> wrote:



    > On 28 Nov 2021, at 03:35, Randy Bush <randy@psg.com> wrote:
    > 
    >> I think that a model similar to multiple ROA objects and resulting VRP
    >> PDUs is preferred.
    > 
    > From: Randy Bush <randy@psg.com>
    > Subject: Re: [Sidrops] Minor comments on draft-ietf-sidrops-aspa-profile-00
    > To: Alexander Azimov <a.e.azimov@gmail.com>
    > Cc: SIDR Operations WG <sidrops@ietf.org>, Tim Bruijnzeels <tim@nlnetlabs.nl>
    > Date: Sun, 06 Oct 2019 17:07:36 -0700
    > 
    > i have not thought deeply abut this.  but it seems to me that, as in
    > ROAs, one enters into and leaves relationship with a provider.  whacking
    > a multi-AS ROA or a multi-provider ASPA record seems ill advised.  for
    > example, what if there is a delay between delete and recreate?
    > 
    > keep things simple, please.
    > 

    I am all for simple, but you cannot assume there will only ever be one
    valid ASPA object for a customer AS.

    I know the profile text says the a CA MUST make a single ASPA for a customer,
    and I agree. But there are a number of reasons why RPs need to be prepared to
    see multiple valid ASPA objects in the RPKI:

    1 CA migration make before break

    Suppose that I want to change from one CA implementation to another, then
    I want to ask my parent to authorise my new CA and set up everything, ROAs,
    ASPAs etc before removing and breaking my old CA.

    2 Parent publishing ASPA

    A parent can publish an ASPA for my customer ASN, delegate the ASN to me,
    and then I can publish a second ASP?A. Ill advised indeed, but we cannot
    assume it won't happen.

    3 Multi TA

    ASPA objects for the same customer ASN can appear in different trees, at
    least in theory.

    4 (future) Local exceptions (SLURM)

    While this would not be an object as such, we can (and should) extend
    SLURM to allow for local ASPA filters / additions. This could also cause
    overlaps with actual objects.

    5 Algorithm Roll?

    I need to re-read this in detail (RFC 6916) but I think there may be
    duplicate objects in there as well, though I am not sure whether RPs
    are required to validate both for the same CA. But, there may be something
    here too.


    In short I think RPs should process all *valid* ASPA objects and then
    derive the *union* of all providers for a given customer ASN and AFI.

    Note that this is orthogonal to the question of whether that union should
    be presented to routers as a single PDU, or that single provider announcement/
    withdrawal PDUs could be used.


    > randy
    > 
    > 
    > From: Randy Bush <randy@psg.com>
    > Subject: Re: [Sidrops] New Version Notification for draft-ymbk-8210bis-00.txt
    > To: Alexander Azimov <a.e.azimov@gmail.com>
    > Cc: SIDR Operations WG <sidrops@ietf.org>
    > Date: Tue, 24 Mar 2020 12:02:10 -0700
    > 
    >> The current proposal addresses this issue for ASPA and ROAs in a different
    >> way:
    >> 
    >>   - For ASPA a single PDU per customer AS is neveling the issue;
    >>   - For ROAs the draft introduces ordering of the updates + suggests
    >>   sending updates with the same prefix back to back.
    >> 
    >> The way ROAs will be processed decreases the chances that valid prefixes
    >> will be marked as invalid, but they are not zero. My thinking is, that
    >> since RTR protocol is negotiating its version at the start of the session
    >> there is no need to keep full backward compatibility with the way ROAs were
    >> processed previously. Instead, we can change ROA RTR PDUs is the same
    >> fashion as it is introduced for ASPA: a single PDU for a selected prefix
    >> that replaces previous records.
    > 
    > two dimensions of why not
    > 
    >  o the ASPA is a single atomic assertion signed by the only party who
    >    has the authority.  it's pretty simple.

    See above, there can be, and therefore RPs must assume there will be, more
    than one object.

    > 
    >  o ROAs for a range are not atomic and may be asserted by many parties.
    >    e.g. a /15 with two delegated /16s, each with delegated /whatevers.
    >    if a /29 down the subnet-chain changes, you have to re-do the whole
    >    shebang.
    > 
    >    a number of these are likely to be via CA delegation; more and more
    >    as alex's marketing engine revs up.  so they will arrive at a cache
    >    skewed in time.
    > 
    >    think what this does to the load on the router; and remember that
    >    one major goal here is to minimize router load so current hardwhere
    >    running on 6502s with 640k can route origin validate.

    I am all for reducing the load on routers.

    How is presenting a single PDU with a provider list that is supposed to
    replace the previous list better on routers than having multiple PDUs
    in a single update - i.e. before the end of data as Oliver mentioned?

    In the first case there is possible overhead in case lists get long,
    the second puts some burden on the router to build up its own new version
    of a list before replacing the one it had. I expect that burden to be
    low, but if router implementers can attest that it isn't then I would
    love to hear it.

    As I said, multi ASPA objects is orthogonal. If we MUST have a single
    PDU then the cache can send the union of providers in ASPA objects as
    a single PDU.

    > and ask folk such as mark how rov deployment is going on some of the
    > more common platforms.

    I don't know who you mean by mark and what you mean by this. If there
    are lessons to be shared, then please share specifics.

    > 
    > randy
    > 
    > _______________________________________________
    > Sidrops mailing list
    > Sidrops@ietf.org
    > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=04%7C01%7Coliver.borchert%40nist.gov%7C70d048bf3e5b49ef79c008d9b329f3d8%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637737815033219650%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=bbwNyYio7MY9HcS6y5c%2Fc%2F3be6thDWayfwQu77Vh7Dc%3D&amp;reserved=0

    _______________________________________________
    Sidrops mailing list
    Sidrops@ietf.org
    https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=04%7C01%7Coliver.borchert%40nist.gov%7C70d048bf3e5b49ef79c008d9b329f3d8%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637737815033229605%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=YUOeX%2BFBPcBdcKEb5xGBSFu6kO0cBu1d73bixONq0fg%3D&amp;reserved=0

v2.23.0 | Report a Bug | By Email