Re: [Sidrops] Talk: RPKI Deployment: Status, Challenges and the Learning-Validator
"Jakob Heitz (jheitz)" <jheitz@cisco.com> Tue, 25 July 2017 17:55 UTC
Return-Path: <jheitz@cisco.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62BAB126C0F for <sidrops@ietfa.amsl.com>; Tue, 25 Jul 2017 10:55:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7r0fNypM44it for <sidrops@ietfa.amsl.com>; Tue, 25 Jul 2017 10:55:49 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC27A1241FC for <sidrops@ietf.org>; Tue, 25 Jul 2017 10:55:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8364; q=dns/txt; s=iport; t=1501005349; x=1502214949; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=bs0lA9D5mnWO0b58tXHK/uVQJD5QyJ4oScgGdnq+ruI=; b=dHQ/InCk0UFVXsqNOmdeC8c2iyTOR21/N0BGGh0czw9VSDQ2ssQuM8hw pTtJsn8CgHpFfQR0Kc9no+XkDsx8cAFWyMI/ggfvDp7mCq7ewZixTQV6T DJxE0+mQESQQ1pTam5oQrF4c3PjZ5CfChHlViRoq3IXRlGC5I5EQYhajt Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CbAADkhXdZ/49dJa1dFgMBAQEBAQEBAQEBAQcBAQEBAYNaZIEUB44FkWiIMI1WDoIEIQuETE8CGoMdPxgBAgEBAQEBAQFrKIUYAQEBAQMBASEROQELDAQCAQgRBAEBAQICIwMCAgIfBgsUAQgIAgQOBQgUiXsDFRCxNoImFocjDYQDAQEBAQEBAQEBAQEBAQEBAQEBAQEBHYELgh2DTYFhgySCV4FpARIBgzKCYQWfGzwCh02BDIZUhGeCFZAtjBR0iGABHzhMMwt3FUmFS4FOdgGGdg0XB4EFgQ4BAQE
X-IronPort-AV: E=Sophos;i="5.40,411,1496102400"; d="scan'208";a="264035266"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Jul 2017 17:55:31 +0000
Received: from xch-rcd-011.cisco.com (xch-rcd-011.cisco.com [173.37.102.21]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id v6PHtVSr030078 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 25 Jul 2017 17:55:31 GMT
Received: from xch-aln-014.cisco.com (173.36.7.24) by XCH-RCD-011.cisco.com (173.37.102.21) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 25 Jul 2017 12:55:30 -0500
Received: from xch-aln-014.cisco.com ([173.36.7.24]) by XCH-ALN-014.cisco.com ([173.36.7.24]) with mapi id 15.00.1210.000; Tue, 25 Jul 2017 12:55:30 -0500
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Tim Bruijnzeels <tim@ripe.net>
CC: "Carlos M. Martinez" <carlosm3011@gmail.com>, Matthias Waehlisch <m.waehlisch@fu-berlin.de>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] Talk: RPKI Deployment: Status, Challenges and the Learning-Validator
Thread-Index: AQHS/wosXCvss6U2wEyq5n16HYmqTqJdMwYA///B1+CAB/qLAP//6wTg
Date: Tue, 25 Jul 2017 17:55:30 +0000
Message-ID: <96044ca1d98d4cb99fe2dd8e6d3ead08@XCH-ALN-014.cisco.com>
References: <alpine.WNT.2.00.1707171628150.10844@mw-x1> <5ED572DF-AC77-4F54-92DC-F65C86F4E022@gmail.com> <177afbdbb5424f26992196dae0219ff1@XCH-ALN-014.cisco.com> <78F49BAC-F0F2-4712-862A-BCFA1A9DC35D@ripe.net>
In-Reply-To: <78F49BAC-F0F2-4712-862A-BCFA1A9DC35D@ripe.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.154.160.157]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/ZTrFoVRwpOLtLPTxfHTLFCutjgc>
Subject: Re: [Sidrops] Talk: RPKI Deployment: Status, Challenges and the Learning-Validator
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 17:55:52 -0000
I could understand if there are providers that would rather accept the "maybe invalid" than drop them. Dropping prefixes breaks connectivity. If they can't tell the difference between "matched with wrong AS" and covered, then they'll just accept them all. Thanks, Jakob. > -----Original Message----- > From: Tim Bruijnzeels [mailto:tim@ripe.net] > Sent: Tuesday, July 25, 2017 6:49 AM > To: Jakob Heitz (jheitz) <jheitz@cisco.com> > Cc: Carlos M. Martinez <carlosm3011@gmail.com>; Matthias Waehlisch <m.waehlisch@fu-berlin.de>; sidrops@ietf.org > Subject: Re: [Sidrops] Talk: RPKI Deployment: Status, Challenges and the Learning-Validator > > Hi, > > Jakob, not picking on you - but your statement gave me a good angle for what I wanted to say on this. > > > On 20 Jul 2017, at 19:01, Jakob Heitz (jheitz) <jheitz@cisco.com> wrote: > > > > If it causes legitimate traffic to fail, then it's wrong. > > Sure, but knowing what constitutes legitimate is the trick then. If an announcement has status “invalid”, then this > means that the holder of the prefix made one or more authorisation(s) for other announcement(s) for this space, but > not for *this* announcement. > > Whether this is: > a) a bug, because the holder wants the announcement but neglected to authorise; or > b) a feature, because the holder does not want this announcement > > That is impossible to tell based only on the observation that there is a disagreement. And I fear that any smart > heuristics, e.g. based on announcement history, are in the end only estimated guesswork. It may be smart and it may > be right more often than wrong, but it’s still guesswork. > > Now, I see value in exposing such differences and helping operators anywhere to understand and debug them and take > action, but I have to say that I disagree quite fundamentally on automating decisions on the validator side. I > believe that it will inevitably result in announcements that are supposed to be “invalid” (by choice of the holder) > to become authorised. This will degrade the benefit of using RPKI Origin Validation for networks that do maintain > their ROAs properly. Secondly I believe that ‘fixing’ this on the RP side will remove the incentive for networks to > fix their ROAs so that they match their intended announcements. If it hurts, people will fix it. This has been > happening in Europe for decades w.r.t. route objects. > > Let me provide a further datapoint. We have 4880 organisations that activated their hosted RPKI service. Some > organisations only switched on the system, but a total of 2874 organisations actively maintain ROAs. We provide an > opt-in service whereby organisations can receive alerts in case we see announcements that are inconsistent with > their ROAs. Although this is not mandatory, the majority of organisations (2020) have opted in to this service. The > alerts will inform the organisation of any “invalid” or “unknown” announcements. On receiving this organisations can > choose to authorise these announcements - but ONLY if they are supposed to be correct (their choice). If they do not > authorise the announcement, and it keeps happening, they will receive an email every day. For this reason users can > also choose to suppress the warnings on announcements they do not wish to authorise. We have 219 organisations that > have at lease one announcement suppressed. > > So, in short: I believe that this in itself proves that a lot of our users are actively managing their ROAs, and > that quite a few of the “invalids” out there are really supposed to be considered just that: “invalid” > > Thanks > Tim > > > > > > > > > Thanks, > > Jakob. > > > > From: Sidrops [mailto:sidrops-bounces@ietf.org] On Behalf Of Carlos M. Martinez > > Sent: Thursday, July 20, 2017 8:41 AM > > To: Matthias Waehlisch <m.waehlisch@fu-berlin.de> > > Cc: sidrops@ietf.org > > Subject: Re: [Sidrops] Talk: RPKI Deployment: Status, Challenges and the Learning-Validator > > > > I was about to ask a question on the mic but was late to the line. Maybe it’s worth sharing it here: > > > > • How we define a ROA to be “wrong” ? One that invalidates routes or one that causes legitimate traffic to be > dropped ? > > Why? because we’ve seen in many cases ROAs that create lots of invalids but validate a less-specific route that > covers those invalids > > > > In a way, this even a positive side-effect, sort of vacuum-cleaning your routing tables. > > > > I believe analyzing what ROAs are wrong is quite important, but i’d believe this particular case should not count > as wrong. > > > > thanks! > > > > /Carlos > > > > On 17 Jul 2017, at 16:36, Matthias Waehlisch wrote: > > > > two comments via the list because we run out of time: > > > > (1) I'm wondering about the statement that the quality of ROAs decreases > > over time. My impression is that the quality improved because of > > excellent training by RIRs and others. > > > > Slide 4 shows absolute values, which is not helpful in this context. > > > > > > (2) Regarding ROV measurements: "Similar results apparently from > > measurements by Randy Bush and others (didn't yet see details)" > > > > Details are available, easy to find using Google: > > > > * "Towards a Rigorous Methodology for Measuring Adoption of RPKI Route > > Validation and Filtering", https://arxiv.org/abs/1706.04263. Some of > > this work was also presented at the last RIPE meeting: > > https://ripe74.ripe.net/archives/video/46/ > > > > > > > > > > Cheers > > matthias > > > > -- > > Matthias Waehlisch > > . Freie Universitaet Berlin, Computer Science > > .. http://www.cs.fu-berlin.de/~waehl > > > > _______________________________________________ > > Sidrops mailing list > > Sidrops@ietf.org > > https://www.ietf.org/mailman/listinfo/sidrops > > > > _______________________________________________ > > Sidrops mailing list > > Sidrops@ietf.org > > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] Talk: RPKI Deployment: Status, Challeng… Matthias Waehlisch
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Carlos M. Martinez
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Jakob Heitz (jheitz)
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Randy Bush
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Randy Bush
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Christopher Morrow
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Randy Bush
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Tim Bruijnzeels
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Jakob Heitz (jheitz)
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Tim Bruijnzeels
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… Randy Bush
- Re: [Sidrops] Talk: RPKI Deployment: Status, Chal… George Michaelson