IETF Logo Mail Archive

Re: [Sidrops] Making ASPA AFI-Agnostic - coordination

Alexander Azimov <a.e.azimov@gmail.com> Fri, 09 June 2023 16:17 UTC

Return-Path: <a.e.azimov@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C05ADC1524B2 for <sidrops@ietfa.amsl.com>; Fri, 9 Jun 2023 09:17:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O_uQbXDqoU6L for <sidrops@ietfa.amsl.com>; Fri, 9 Jun 2023 09:17:34 -0700 (PDT)
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F161DC151B32 for <sidrops@ietf.org>; Fri, 9 Jun 2023 09:17:33 -0700 (PDT)
Received: by mail-pl1-x62d.google.com with SMTP id d9443c01a7336-1b0314f057cso8079925ad.1 for <sidrops@ietf.org>; Fri, 09 Jun 2023 09:17:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1686327453; x=1688919453; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KJzMdMdbaHg4RTvY3nAkRBEM1EYfox+yYiNEIG8qmmI=; b=GL0HaXVgKZmO4jBPJyyRaNs13JDE3oB+jA3SRMGI4Ok9hdjIywhMfLpvtaotzZoLpY lJiWN2qX0oTo4MrnBSLc81kA8GGAEzJaeN4tA00q/bTSzvL0DAXTiYGLpfpz5d5M/Act NxSMdVUfQYxhmmsjsdkNANm2ww+qH4Hh5GPGWerjSNdgVkhiSJjzYzUhLwt1ixtz3eFm 9ipBnrfjh1OeJunX4pRmYR/sjG6nMVnfO5DW8MCgLdv74UhBXlon34smE28g4sVFZ9+v oOHu7mUTjf/hIMXiNKdgrIa6+wXaoqK9QZx4XKCOdbOPVTIprnbqIPfeiB7ygTQUbUY9 wMJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686327453; x=1688919453; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KJzMdMdbaHg4RTvY3nAkRBEM1EYfox+yYiNEIG8qmmI=; b=g4BZAVaN+6SYLg4r/nBxC+g3ZC+OTnndJ3v+WNz7/rG/SaLgmZ19DUsCnEn/cPFaHc mfdmOa0hR8K65Yl6NZiP1Zgjq4OGBDRkhdZ2IfYtKfJxyNtrp8ov8lO9fSO7exON/Uic Wx0TT/VqI8RKK8k1WSj6yubClc1+jNIk2tU1ng2ymMHdZ92Djnx7IyVqyt07Izkhiz/h 963wg16UDaCy1uWkpHxQXIBiX/OcrHfqCUN7/YTzwBRn9QyU4vXh3XBzmjmYuSem88at 5I08hwzv5HnpsHS3FB04MxFhD3gyl1PSQdTyc/A0GmuvweGMUmrUqVpv5wRQGl8NXc4Z eTIw==
X-Gm-Message-State: AC+VfDyPJGo9IKOyKkG4yMc9JQUi9PC+VG0BcBuYPxeGbjx8m5WUguyL Se0r5NVYfSdkbIa1EnsVC11RoUmaCpaa1WkqBI0=
X-Google-Smtp-Source: ACHHUZ4pho6TC0R96QwfSBosZRDIZKpNG27DlJ0VgY3mplkFwSaG4AeT4feQt3poXgh/cvE9U6lZHCGYqqQhWdvjIlc=
X-Received: by 2002:a17:902:e548:b0:1b1:d51c:f3f6 with SMTP id n8-20020a170902e54800b001b1d51cf3f6mr1764485plf.57.1686327453216; Fri, 09 Jun 2023 09:17:33 -0700 (PDT)
MIME-Version: 1.0
References: <ZH+hdvAwuZ7nN3vK@snel> <4dbb0ef4-91fc-6bbd-d979-2d0b736295ac@tu-dresden.de> <ZIBJUycE10HjIfAP@diehard.n-r-g.com> <BLAPR09MB63226569F3349669ABBEA60D9853A@BLAPR09MB6322.namprd09.prod.outlook.com> <62C121A4-DD89-477A-98EC-4356420F4888@vigilsec.com> <BLAPR09MB63223FFA678A45B6530265B49853A@BLAPR09MB6322.namprd09.prod.outlook.com> <AEE28B86-CACA-4280-99C4-505EC4A16963@vigilsec.com> <20230607184927.56a48b58@glaurung.nlnetlabs.nl> <098E4295-F418-41AF-B84F-0F826EA5C477@vigilsec.com> <20230608181210.1f5e5fc4@glaurung.nlnetlabs.nl> <ZIIbxAe9UXVzsFY3@snel> <CAEGSd=Dky1BbxNpsBnf60rbVi8rsK0m3J2n=Sq6rVQ0zmQHUZA@mail.gmail.com>
In-Reply-To: <CAEGSd=Dky1BbxNpsBnf60rbVi8rsK0m3J2n=Sq6rVQ0zmQHUZA@mail.gmail.com>
From: Alexander Azimov <a.e.azimov@gmail.com>
Date: Fri, 09 Jun 2023 19:17:21 +0300
Message-ID: <CAEGSd=CoZ1OqvsoEiqa-Cvg1a0Pqr0rpOWAfzipu-jONYdZF=A@mail.gmail.com>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Cc: Martin Hoffmann <martin@nlnetlabs.nl>, Russ Housley <housley@vigilsec.com>, "sidrops@ietf.org" <sidrops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d2f4f705fdb4b47d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/bH3hMEZrggIgfCE6Wnx_ZAKj5bU>
Subject: Re: [Sidrops] Making ASPA AFI-Agnostic - coordination
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2023 16:17:37 -0000

The second measurement was done in a different direction.
I've measured the number of c2p pairs that are visible only in v4 while
both customer and provider support v4 and v6.

This time numbers are even higher. The number of 'missing' pairs is 12418
from 53968 (23%). It affects 8481 unique ASNs.
The overall number of affected ASNs from the two measurements is 10364.
Relatively high numbers.

For me it raises several questions:

   1. The main point to remove the AFI flag is possible simplification at
   the router side: it will have a single cache of processed/invalid paths
   instead of two hashmaps for v4 and v6. I wonder if anybody has measured the
   memory requirement for such a cache? Keeping in mind, that it should be
   cached with limited ttl. Or may be we just don't need cache since it
   have linear complexity?
   2. What is the trend for the above numbers? Is there a trend in the diff
   reduction during the last years?
   3. Is it possible to model these relaxed rules to see the effect in
   number of leaks?


During next week I'll try to cover point 2. I wonder if anybody from
vendors made implementation evaluations for point 1.
And I'd love to see double check of the above data.


пт, 9 июн. 2023 г. в 18:16, Alexander Azimov <a.e.azimov@gmail.com>:

> Gentlmen,
>
> Thank you for your patience.
>
> I believe we are at an important point when the number of prototypes
> related to ASPA objects is not high and we can still change the object
> structure.
> But it should not be done in rush. We are already facing compatibility
> issues with the RTR protocol, let's not make the same mistake twice.
>
> I've made several measurements to find out if it is safe to drop AFI flag
> in ASPA object.
> The idea behind lays in the assumption that IPv4 and IPv6 connectivity is
> merging with the growing adoption of IPv6.
>
> With that in mind, the set of IPv6 c2p pairs should be included in the set
> of IPv4 pairs.
> So, I measured the difference: the number of c2p pairs, where the customer
> supports both v4 and v6 but the selected pair is not visible in v4.
>
> I've got 4149 c2p pairs that are visible only IPv6 from overall 43470 such
> pairs (9.5%).
> This affects 3516 unique ASNs from overall 24286 ASNs with dual stack
> (11%).
>
> The biggest input comes from HE operations, which acts as a provider for
> 1242 ASNs only in v6 while running open peering policy in v4.
>
>
> чт, 8 июн. 2023 г. в 21:20, Job Snijders <job=40fastly.com@dmarc.ietf.org
> >:
>
>> On Thu, Jun 08, 2023 at 06:12:10PM +0200, Martin Hoffmann wrote:
>> > Russ Housley wrote:
>> > >
>> > > In CMS, the version number indicates which alternatives are possible
>> > > in some CHOICEs.  The point is to ensure that the ASN,1 decode
>> > > operation will work if you recognize the version number.
>> >
>> > But, crucially, the overall structure remains the same. The new version
>> > of the draft changes the structure of the ProviderASSet which I think
>> > warrants to treat this as an entirely new definition and use a new
>> > content type OID.
>>
>> Another relevant question is whether we want to have a 'grace period' in
>> which both formats are valid. I myself would prefer to make this is a
>> 'hard cut', simply a breaking change to avoid the complications of
>> supporting both profiles in my RP implementation.
>>
>> As far as I know there is only one ASPA verifying deployment (YYCIX),
>> and the few already-existing ASPA objects can probably easily be updated
>> through a software update.
>>
>> If the group accepts it as a 'breaking change' and commits to work to
>> migrate the tiny ASPA ecosystem in the span of a few weeks, I see less
>> of a need to get a new content-type OID. Technically if 'breaking
>> change' is the choosen path forward, there wouldn't even be a need to
>> bump the version of contained in the eContent.
>>
>> However, bumping the version contained in the eContent is be a novelty
>> in the RPKI ecosystem, so keep things as-is (profile-15) might have some
>> value as a learning experience for this community.
>>
>> In this situation I suspect there aren't objectively right or wrong
>> choices, but in the interest of time we should converge and agree rather
>> sooner than later on one of the options.
>>
>> For previous ASPA profile changes no new OID were requested.
>>
>> Kind regards,
>>
>> Job
>>
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops
>>
>
>
> --
> Best regards,
> Alexander Azimov
>


-- 
Best regards,
Alexander Azimov

v2.23.0 | Report a Bug | By Email