Re: [Sidrops] [routing-wg] misconceptions about ROV
Job Snijders <job@fastly.com> Tue, 22 February 2022 10:48 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 143323A0D4E
for <sidrops@ietfa.amsl.com>; Tue, 22 Feb 2022 02:48:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id nAaddBQpwjct for <sidrops@ietfa.amsl.com>;
Tue, 22 Feb 2022 02:47:59 -0800 (PST)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com
[IPv6:2a00:1450:4864:20::629])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 65F493A0D48
for <sidrops@ietf.org>; Tue, 22 Feb 2022 02:47:59 -0800 (PST)
Received: by mail-ej1-x629.google.com with SMTP id qk11so41654286ejb.2
for <sidrops@ietf.org>; Tue, 22 Feb 2022 02:47:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google;
h=date:from:to:subject:message-id:references:mime-version
:content-disposition:in-reply-to;
bh=jWrs2+L8jJlBV6zF5Nxc5UjnmLvZCcSWaN5FtBLenz8=;
b=I0dRJIx+7IFex6B9INSi1l92Pe0V5DbKm5PEtLcj0GpkU8tpPcDCX6hBrmPgtQjemd
QL7E49nYUmwusimbC3U4HKYuj4Ru38d/pe9OKQImWUGuWhznHmz90OtylAOxzy1KjFw/
WklwMZfNepf+3dYn4oZl9nY5Fkd7EEX+YdXiI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:date:from:to:subject:message-id:references
:mime-version:content-disposition:in-reply-to;
bh=jWrs2+L8jJlBV6zF5Nxc5UjnmLvZCcSWaN5FtBLenz8=;
b=RUD5Ihc2PV90sUPQLXtym00lukO2h7dg0vR9Wtirveh50Ruvimt/I0H5xAFmMmJKpZ
SGDY8AKUPMt4pJThaFUmVA6jBEmDuhon9Zvy0CFn6N5ahII7AVbHGyccIP+I92/qkvOX
AKlNZHHcVS8aOw6fepdovhFaML1eeU3+rl5rorUB7xyjIVngJude9p3YAGW0H5wLyxWt
20Q1ZlJHY757PxcT2qh3fQG9iNexn//plmw+QES44ffji+PtPj+3v1AG94J6QcT9HE+B
e/vrowSsUMRmrbLe45Wzx3LRP25owPM52SR/sGO2ys0fM2iXy1BFkqUIH41X2em0RYi9
T5BA==
X-Gm-Message-State: AOAM530tfT+5sWMYxSyTgEm0X3J22QKFilUMwdMC4Is+5NI/nutoFhml
IpIxDrOpsmKD2IVCrFhhLNSHMXMr2Acy57fqOH70zapbo0XXLSirXWAhR2ll0i5DHQ6AsXHyWgX
qfyDgL9BQqZlByfeihDlxh5OPf05Crx8Hl9gIbQgrYuuNVSLI+oFx+B0=
X-Google-Smtp-Source: ABdhPJx3ZKaxQ016AIdq2rXylxEPCjJHAzVXvipnMHgTzedatrVR0U4MIeywkDdLT+uEDbRiZvo9fA==
X-Received: by 2002:a17:907:505:b0:6cf:95c:5d6e with SMTP id
wj5-20020a170907050500b006cf095c5d6emr18634491ejb.13.1645526875824;
Tue, 22 Feb 2022 02:47:55 -0800 (PST)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7])
by smtp.gmail.com with ESMTPSA id b14sm6141325ejb.160.2022.02.22.02.47.54
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 22 Feb 2022 02:47:55 -0800 (PST)
Date: Tue, 22 Feb 2022 11:47:53 +0100
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <YhS/WR3czIP3jNLF@snel>
References: <m2h78roqbp.wl-randy@psg.com>
<7FBC2063-2404-4BF9-836E-210629C4BA63@juicybun.cn>
<m28ru3ofyq.wl-randy@psg.com>
<3C18BA8C-FA34-4D24-96E4-F85644089513@nlnetlabs.nl>
<015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn>
<DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/cRRbl-d6pf0mCuXEMvcfMbIObqQ>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>,
<mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>,
<mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2022 10:48:04 -0000
On Tue, Feb 22, 2022 at 10:19:23AM +0100, Tim Bruijnzeels wrote: > > On 22 Feb 2022, at 09:51, Di Ma <madi@juicybun.cn> wrote: > > It seems to be a good idea to do signaling and have a sort of signed > > object for policy indicator :-) > > I think we need a model where we can have valid/invalid/not-found (or > equivalent) for paths. Do we really? Slide 10 "BGPsec is protocol, not policy": https://archive.nanog.org/meetings/nanog52/presentations/Tuesday/Bush-bgpsec.pdf > Then we people can turn validation on with much less risk, and people > can start implementing BGPSec on their routers independently with more > immediate (albeit initially small) benefit. I am not so sure about the above, it seems the reasoning stems from a desire to seek compromise without regard for the consequences of such settlement. The notion of "less risk" needs to be quantified more precisely to have meaning. I understand the goal of BGPsec deployment to be to reject BGPsec-invalid paths, that's all. If the signatures are trash: don't accept it, I don't see 'middleground'. Are there any scenarios in which one would want to accept BGPsec invalid paths? Similarly, RP implementations discard malformed ROAs, network operators reject RPKI ROV-invalid BGP updates. If people perceive risk: don't enable BGPsec, let others be the early adaptors. It is early days, lots of software still has to be written, lots of testing is required. > Note that all this is orthogonal to ASPA. ASPA essentially says > whether paths are plausible, and BGPSec (valid path) says what > actually happened. Yes, the above is an accurate summary. > Though if ASPA informs that an adjacency is invalid then this could > perhaps be valuable input to BGPSec path validation with regards to > downgrade detection. Only time and research can tell whether it is a useful signal to transfer from one plane to another plane. Regards, Job
- [Sidrops] Fwd: [routing-wg] misconceptions about … Randy Bush
- Re: [Sidrops] [routing-wg] misconceptions about R… Di Ma
- Re: [Sidrops] [routing-wg] misconceptions about R… Randy Bush
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Di Ma
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Geoff Huston
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Randy Bush
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Randy Bush
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Jeroen Massar
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Jeroen Massar
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Jeroen Massar
- Re: [Sidrops] [routing-wg] misconceptions about R… Montgomery, Douglas C. (Fed)
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders