IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

"Lubashev, Igor" <ilubashe@akamai.com> Sat, 25 March 2023 11:29 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99573C1522D7; Sat, 25 Mar 2023 04:29:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.795
X-Spam-Level:
X-Spam-Status: No, score=-2.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQHkoEdxUhHB; Sat, 25 Mar 2023 04:29:03 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8F0BC1522AF; Sat, 25 Mar 2023 04:29:02 -0700 (PDT)
Received: from pps.filterd (m0122333.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 32P3pK7K021496; Sat, 25 Mar 2023 11:29:01 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=4oArxXdanwvFcgD0Q83ug26IPEs6ZzenCA3jUTI3KZE=; b=dMZdKXHwP2vW/hRaaYDE9sQAlK43Qr3FsAKgoTQnRym3LZa14ubSYV9KvZzQ7e4lRBnq zCetaZjyZ7udUX2eI9aK9/ij0+Xf7YpsACdt/5T+SK44KvaoAep7t6Q2QUKVC4xosbhN kYf9m/KoRyljkeEZr3wk+UfFPS5Bi55EK8SC1INfRV3QmuKUYS1BgIdJzzBwCfxStUDT /RoxvXqpzqihyS4cyZ00IiL4W5iEXWqCCZODbK4NEzjRxgXx0vMRpoce9zlyra60E48x WXKafyO24YkR/uwlCYJzPrEE5RXaH+gqxV11pZ1NDQ4NT6uV4LuUnLur1wYKhBYILalR Mw==
Received: from prod-mail-ppoint8 (a72-247-45-34.deploy.static.akamaitechnologies.com [72.247.45.34] (may be forged)) by mx0a-00190b01.pphosted.com (PPS) with ESMTPS id 3phsdvrwyh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 25 Mar 2023 11:29:00 +0000
Received: from pps.filterd (prod-mail-ppoint8.akamai.com [127.0.0.1]) by prod-mail-ppoint8.akamai.com (8.17.1.19/8.17.1.19) with ESMTP id 32P78JXv004721; Sat, 25 Mar 2023 07:29:00 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.205]) by prod-mail-ppoint8.akamai.com (PPS) with ESMTPS id 3phv9y10g3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 25 Mar 2023 07:28:59 -0400
Received: from ustx2ex-dag4mb3.msg.corp.akamai.com (172.27.50.202) by ustx2ex-dag4mb6.msg.corp.akamai.com (172.27.50.205) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.21; Sat, 25 Mar 2023 04:28:59 -0700
Received: from ustx2ex-dag4mb3.msg.corp.akamai.com ([172.27.50.202]) by ustx2ex-dag4mb3.msg.corp.akamai.com ([172.27.50.202]) with mapi id 15.02.1118.021; Sat, 25 Mar 2023 04:28:59 -0700
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>, gengnan <gengnan=40huawei.com@dmarc.ietf.org>, Aftab Siddiqui <me@aftabsiddiqui.com>
CC: Aftab Siddiqui <Siddiqui@isoc.org>, Hanna Kreitem <Kreitem@isoc.org>, Amreesh Phokeer <phokeer=40isoc.org@dmarc.ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, Max Stucchi <stucchi@isoc.org>
Thread-Topic: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
Thread-Index: AQHZXYjPNJLZt5LW/keL30gQG63u3q8I2uQAgACwe4CAAjsjAP//mGie
Date: Sat, 25 Mar 2023 11:28:59 +0000
Message-ID: <fa682854-5168-4368-9f18-2750e363e03b@akamai.com>
References: <SJ0PR06MB7677230255CC9134CAF94E98D6879@SJ0PR06MB7677.namprd06.prod.outlook.com> <ZBxcTHebGjhJGpzh@snel> <CAB5NZESXFF68ez7NwK6s3hqYY6ChkHyu_r8jPggO3ysHQB0emA@mail.gmail.com>, <619522318a5c40edac5a8d0635195456@huawei.com>
In-Reply-To: <619522318a5c40edac5a8d0635195456@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_fa682854516843689f182750e363e03bakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-24_11,2023-03-24_01,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 suspectscore=0 adultscore=0 phishscore=0 spamscore=0 mlxlogscore=999 bulkscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000 definitions=main-2303250093
X-Proofpoint-ORIG-GUID: 0mvx8LuYJT2-8UJO-faWSWW3hhYpvgUN
X-Proofpoint-GUID: 0mvx8LuYJT2-8UJO-faWSWW3hhYpvgUN
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-24_11,2023-03-24_01,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxlogscore=999 lowpriorityscore=0 suspectscore=0 mlxscore=0 impostorscore=0 adultscore=0 spamscore=0 bulkscore=0 malwarescore=0 priorityscore=1501 clxscore=1011 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000 definitions=main-2303250094
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Zvqwyi5GPRD4gUgCDCKCgdaOMuU>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2023 11:29:06 -0000

An alternative to a special 'AS 0 ASPA' would be allowing a zero-length Provider AS list. Then there are no special rules at all. But if 'AS 0 ASPA' is used, a further special rule is needed to describe how a 'union' is taken when both 'AS 0 ASPA' and a 'normal' ASAP are present (maybe from different RPKI registries).

- Igor

On Mar 25, 2023 6:40 AM, gengnan <gengnan=40huawei.com@dmarc.ietf.org> wrote:
Hi Aftab and Job,

From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Aftab Siddiqui
Sent: Friday, March 24, 2023 8:36 AM
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Cc: Amreesh Phokeer <phokeer=40isoc.org@dmarc.ietf.org>; sidrops@ietf.org; Aftab Siddiqui <Siddiqui@isoc.org>; Max Stucchi <stucchi@isoc.org>; Hanna Kreitem <Kreitem@isoc.org>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Hi Job,


>      *   To make it clear “AS 0 ASPA MUST only have AS 0 as Provider
>          AS”, it doesn’t clearly mention that “normal” ASPA (non AS 0
>          ASPA) MUST NOT have AS 0 in the Provider AS.
>      *   In the absence of point ‘b’ what if AS 0 is added as Provider
>          AS in the ‘normal’ ASPA?

I'm a bit unclear on what is meant with the above two points, can you
further clarify?

As per the definition "An ASPA object showing only AS 0 as a provider AS is referred to as an AS0 ASPA." i.e. {CAS, AS(0)}
Any ASPA which is not "AS 0 ASPA" is referred to in the draft as "normal ASPA" but it doesn't say that normal ASPA can't have AS 0 in the provider AS. i.e. {CAS, AS(139038), AS(0)}. Yes, there is no reason to have AS 0 in the provider AS but make it clear in the draft.

[NAN]: Agreed. AS 0 MUST NOT appear in the normal ASPA. IMO, two points can be clarified in either the profile or the verification draft: 1) CAS MUST NOT be AS 0, and 2) AS 0 MUST NOT be included in the provider AS list if the ASPA is a normal ASPA. There is a section of “4.  ASPA Registration Recommendations” in the verification draft which can be the candidate place to make the clarification.

I think some descriptions also need to be added in the verification draft. Actually, the verification process works normally even there exists AS 0 in normal ASPA data. In the v11 of the verification draft (sec. 5.4), there are some related descriptions which somehow are removed  from v12:
“
If AS 0 coexists with other provider ASes in the same ASPA (or other
   ASPA records in the same AFI), then the presence of the AS 0 has no
   effect on the AS_PATH verification procedures.  The validation
   procedures simply consider the other (distinct from AS 0) providers
   as the authorized providers of the AS in consideration.
”




>   4.  ROV vs ASPA validation states, keep the states consistent (Unknown/notfound)
>      *   ROV States [valid, invalid, notfound] vs ASPA states [valid, invalid, unknown]

Why? Route Origin Validation and ASPA verification are two different
algorithms with different inputs and different outputs. To me it doesn't
seem to increase consistency.

OK then why using terms like "valid", "invalid" and "unknown" why not just use "Provider", "Not Provider" and "No Attestation" because these are actual outputs of the function? don't you think the latter creates more clarity than the former?

[NAN]: I guess they were talking about the outputs of ASPA verification, instead of ASPA Hop-check function. For Hop-check function, the terms like "Provider", "Not Provider" and "No Attestation" are suitable. For ASPA verification, "valid", "invalid" and "unknown" will be used to indicate the validity states of AS paths.

--
Best Wishes,

Aftab Siddiqui

v2.23.0 | Report a Bug | By Email