IETF Logo Mail Archive

Re: [Sidrops] New Version Notification for draft-sriram-sidrops-drop-invalid-policy-00.txt

Job Snijders <job@ntt.net> Fri, 09 March 2018 16:32 UTC

Return-Path: <job@ntt.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6F9D12D7F2 for <sidrops@ietfa.amsl.com>; Fri, 9 Mar 2018 08:32:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5khBSp-ToDAR for <sidrops@ietfa.amsl.com>; Fri, 9 Mar 2018 08:32:26 -0800 (PST)
Received: from mail3.mlpsca01.us.to.gin.ntt.net (mail3.mlpsca01.us.to.gin.ntt.net [IPv6:2001:418:3ff:3::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C76612D868 for <sidrops@ietf.org>; Fri, 9 Mar 2018 08:32:25 -0800 (PST)
Received: by mail3.mlpsca01.us.to.gin.ntt.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1) (envelope-from <job@ntt.net>) id 1euKwR-0002om-2t (job@us.ntt.net) for sidrops@ietf.org; Fri, 09 Mar 2018 16:32:24 +0000
Received: by mail-ot0-f169.google.com with SMTP id 79so9178827oth.11 for <sidrops@ietf.org>; Fri, 09 Mar 2018 08:32:23 -0800 (PST)
X-Gm-Message-State: AElRT7Gamz03h79tJhy3xOGm0WmUgfXs6ilrSPkw1YPXUqDZgR+ZI+2M im4rUltKnF7IczUCrJuPdVjelCBd0LmFJX3LwDXMyw==
X-Google-Smtp-Source: AG47ELsZRSj+hPyykhDl1u8pZzAl8kyMtetwtevfluUdOqiTTqUV/IO7xM6Q+h8y6vfYtqZC0Lf2OLFJi0/Zpzt31DA=
X-Received: by 10.157.25.203 with SMTP id k69mr6869797otk.275.1520613142395; Fri, 09 Mar 2018 08:32:22 -0800 (PST)
MIME-Version: 1.0
References: <152029076512.12908.14537578849320525718.idtracker@ietfa.amsl.com> <BYAPR09MB2773819AB3961189CDA9B4D784D90@BYAPR09MB2773.namprd09.prod.outlook.com> <23202.46675.595670.703736@oz.mt.att.com>
In-Reply-To: <23202.46675.595670.703736@oz.mt.att.com>
From: Job Snijders <job@ntt.net>
Date: Fri, 09 Mar 2018 16:32:11 +0000
X-Gmail-Original-Message-ID: <CACWOCC-wiEW39T0TqHon-7UtU5Xio-EtknK9zfqOkrYCpZp7pw@mail.gmail.com>
Message-ID: <CACWOCC-wiEW39T0TqHon-7UtU5Xio-EtknK9zfqOkrYCpZp7pw@mail.gmail.com>
To: Jay Borkenhagen <jayb@braeburn.org>
Cc: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c09b6f231c2a10566fd56c3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/bjK_fRTAnC-PUtONxPVVOeJNatg>
Subject: Re: [Sidrops] New Version Notification for draft-sriram-sidrops-drop-invalid-policy-00.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2018 16:32:28 -0000

Woah... not only do you not want to use it yourself, but you also want to
prevent others from using it?

I’d appreciate more elaboration!

Out of curiosity, are you doing OV today in your network and dropping
invalids?

Kind regards,

Job

On Fri, 9 Mar 2018 at 17:29, Jay Borkenhagen <jayb@braeburn.org> wrote:

> Sriram,
>
> I can appreciate this motivation for your draft:
>
> Suppose Popular Site X does not know what they're doing, and they
> publish a bad ROA that makes the only route announcement for their
> address space be invalid.  ISP-A competes with ISP-B, and Customer-C
> multihomes to both.  ISP-A implements route origin validation and
> drops invalid routes -- including that route to X.  ISP-B does no
> route origin validation, so they accept and propagate the route to X.
> Customer-C does not know or care about origin validation -- they only
> see that ISP-A cannot reach X while ISP-B can, so Customer-C thinks
> ISP-A sucks and decides to give ISP-B more business.
>
> ISP-A should not be punished for trying to do the right thing, but
> before we conclude that this situation deserves a technical
> workaround, consider:
>
> (1) Those who care about Internet routing security/sanity should
> attempt to educate the folks at Popular Site X, to teach them why that
> ROA is wrong.  This education can be done even before lots of
> providers employ a 'drop invalid' policy -- in fact I know some
> subscribers to this list have received emails from me saying "Y'know,
> you're currently announcing some invalids."  Later on, that
> education will happen the hard way when Popular Site X finds they
> cannot be reached from many networks who by then drop invalids.
>
> (2) Who's to say that an invalid-only route is invalid because of a
> bad ROA, and not because someone other than the legit owner is
> squatting on that address space?  Clearly squatting can happen on Not
> Found space, too, but there could be reasons why they prefer to squat
> on this space that happens to be covered by a ROA.  I think it's a
> better outcome for people to realize what a ROA actually means and how
> it gets used, rather than guessing that someone made a mistake.
>
>
> I'll stop here for now, but I'll also note that I would not want any
> of my router vendors to implement the DISR Policy.  I'll save those
> reasons for later.
>
>                                                 Jay B.
>
>
>
> Sriram, Kotikalapudi (Fed) writes:
>  > We have requested the chairs for time on the SIDROPS meeting agenda to
> discuss this work:
>  >
>  > https://tools.ietf.org/html/draft-sriram-sidrops-drop-invalid-policy-00
>  >
>  > The authors would appreciate comments/discussion on the list as well.
>  >
>  > Sriram
>  > ________________________________________
>  > From: internet-drafts@ietf.org <internet-drafts@ietf.org>
>  > Sent: Monday, March 5, 2018 5:59 PM
>  > To: Sriram, Kotikalapudi (Fed); Montgomery, Douglas (Fed); Borchert,
> Oliver (Fed)
>  > Subject: New Version Notification for
> draft-sriram-sidrops-drop-invalid-policy-00.txt
>  >
>  > A new version of I-D, draft-sriram-sidrops-drop-invalid-policy-00.txt
>  > has been successfully submitted by Kotikalapudi Sriram and posted to the
>  > IETF repository.
>  >
>  > Name:           draft-sriram-sidrops-drop-invalid-policy
>  > Revision:       00
>  > Title:          Origin Validation Policy Considerations for Dropping
> Invalid Routes
>  > Document date:  2018-03-05
>  > Group:          Individual Submission
>  > Pages:          6
>  >
>  > https://tools.ietf.org/html/draft-sriram-sidrops-drop-invalid-policy-00
>  >
>  > Abstract:
>  >    During incremental deployment of RPKI and Route Origin Authorizations
>  >    (and possibly under some transient conditions), network operators
>  >    would wish to have a meaningful policy for dropping Invalid routes.
>  >    Their goal is to balance (A) dropping Invalid routes so hijacked
>  >    routes can be eliminated, versus (B) tolerance for missing or
>  >    erroneously created ROAs for customer prefixes.  This document
>  >    considers a Drop Invalid if Still Routable (DISR) policy that is
>  >    based on these considerations.  The key principle of DISR policy is
>  >    that an Invalid route can be dropped if a Valid or NotFound route
>  >    exists for a subsuming less specific prefix.
>  > _______________________________________________
>  > Sidrops mailing list
>  > Sidrops@ietf.org
>  > https://www.ietf.org/mailman/listinfo/sidrops
>
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>

v2.23.0 | Report a Bug | By Email