Re: [Sidrops] ROV with ATOMIC_AGGREGATE

[Jeffrey Haas <jhaas@pfrc.org>]

I am massively behind in my IETF mail, but the subject line caught my eye.


> On Mar 12, 2020, at 5:04 AM, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org> wrote:
> 
> Hi all,
> 
> I'm currently working with one of our vendors on getting their initial
> ROV implementation ready to ship.
> 
> In their current code they are setting validation state of a route to
> Invalid if:
> 1. The route has the ATOMIC_AGGREGATE attribute set; and
> 2. The route is covered by any valid ROA.
> 
> Note that they are also, correctly, setting state=Invalid if the final
> segment of AS_PATH is an AS_SET (and the route is covered by a ROA).
> This is independent of the above behavior.
> 
> There appears to me to be clearly wrong. I can find nothing in any
> relevant RFC that requires the validating BGP speaker to consider the
> ATOMIC_AGGREGATE attribute one way or another.
> 
> I'd like to ask the WG to correct me in case I have missed something,
> before I tell the vendor to go fix this, please?

ATOMIC_AGGREGATE is the remaining fig leaf of proper aggregation.  Many implementations didn't check the resultant AS_PATH to see if it was truncated or not as part of aggregation, and simply sets the flag.  And, since this is showing up in some cases as part of private-as aggregation steps as well you might not have a good belief that it is improperly being set depending on the point it's injected into the Internet tables.

If the origin AS, sans sets, is correct - the implementation should believe it.

If you want path validation, we need bgpsec.

-- Jeff