Re: [Sidrops] Feedback for draft-ietf-sidrops-aspa-verification-11
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Fri, 04 November 2022 02:34 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24366C15257E; Thu, 3 Nov 2022 19:34:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.912
X-Spam-Level:
X-Spam-Status: No, score=-7.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.233, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zH9gSmzks_po; Thu, 3 Nov 2022 19:34:14 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on2097.outbound.protection.outlook.com [40.107.91.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE54CC1524DF; Thu, 3 Nov 2022 19:34:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IHA2xjgBwIMkq0+IXfRpX8zezB9nH0g+IBhGiVgd0mqLY9k/D9JkqteKh6VqVCKfdXS56AusWEHmaad76LBDGoeQOu4i+0KJCpQLI1HxEMjj+GSPyGNUEB5V8ZpS37vOL2wslHbmzBp/PkRQzI8oGpXyZ/DdoiXeEh7f3hUHtTn9SVCq0TA1FCzT4Fgk0CBr6SCB297rA0FWLTyz14w9A3/DINC1PS+imXO7OmLiI7BbPMRNC4hVs5NvJK7+dQ6xvDOzziEjWexojIjYyUXdy8QyQzqZwJPSA8vDVA6k4TgVP3xbGSca6M9axxIrACUr03jvVmn+sxXrZhfcpIdxzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=hJQsFoB7jTBr3OBMBCGxQBMl5Dn6jboIPKVsDGRB6J0=; b=FCK3Uj4UJ17EZxeYC0USsjbzRutwRdE/0ckTsfv6RUSZzh9wOSYZVOJpl1st5xN2DjMNEgDmHKmAibUYadcuCay6g3I91vMeKqq7vZsygiOOg8aPsaY6PCzfGE1iUKgs04vIjkgY7lJtUDpxnGZAlpr9knIwKREzEF4aHTZiceoC/oA7Sk5XdFpydmR1UWiFjMjQ8H5MfF9BNiKVuf2yUKP4YfKUjkNtyQFTfIMz+W+wXDlw2xOvA9PBXZ5QIQwRuNQElA+qWlX6E7SUazOHd9SwWXLn2TEtkxkCwR8/PYh60mHdqyU0+7omk2lk2bnputaylrLGlJ92aKhUuVoHEw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hJQsFoB7jTBr3OBMBCGxQBMl5Dn6jboIPKVsDGRB6J0=; b=UYpwI6lGO6RUfkKeYvbYfL6xBTC+gupYOVbtWxrtyfnLOyT5nrhWCP46RGbSNIpjUKAhprO73gboH7kGG1UpqQF+GhKODdlWmJbi3KdE9nvEf2aeCAfhooKDpvsBCGJGVUPBVSSjDlY2CuTh2xfq+GwVdDSy2p5P6ktMGhoZ484g08yUklqaStn9bgN7HDDhzDosyinshVWfS1L06ScOTweF1+SiNtWiJWLAaIzoDItEO0OofFBOX5iz9hxZf9ks0W5FgowSZjbwP0l6pBFA3zWZgnUb4BPsraCjEvThzjcO11IuR+qIOwRLwxSWK18Sn6G9LlZuraY6XZjjGMtYdw==
Received: from SA1PR09MB8142.namprd09.prod.outlook.com (2603:10b6:806:171::8) by SA9PR09MB4942.namprd09.prod.outlook.com (2603:10b6:806:4d::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5791.22; Fri, 4 Nov 2022 02:34:09 +0000
Received: from SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::fe6:8087:3dd3:1580]) by SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::fe6:8087:3dd3:1580%7]) with mapi id 15.20.5791.022; Fri, 4 Nov 2022 02:34:09 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>
Thread-Topic: Re: [Sidrops] Feedback for draft-ietf-sidrops-aspa-verification-11
Thread-Index: Adjv9QVSUIKuUnQsQR2w2WTw6LRUkA==
Date: Fri, 04 Nov 2022 02:34:09 +0000
Message-ID: <SA1PR09MB8142CA1CF6D8B1B9497CAE1E843B9@SA1PR09MB8142.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR09MB8142:EE_|SA9PR09MB4942:EE_
x-ms-office365-filtering-correlation-id: b91e9ab9-0fc7-46e8-61d3-08dabe0d0d91
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: PagvRBv+tSQgvQ1xm/cC+TAOGNX7WGCqgZIkN0kXJCiyp9RA8xvznKOwQg+hu4Efdlsj3nKkEk28fKPQBG8LnpV34WdNJChaiwvPLQrLMpqGiUP8tfjrZHr2LTqVf3ZEw7B3YV8VxJAK7wLfvoG/JItoaJFPOBCZQ4/YYPxbsftOH2WgY6BZCEMgzWpeZF/9LtdFhjOASymVQt0ggPkXTRdT1/AGCEGnCJaDD6ZeMs8TgcrU9mKcrMmZ51RxQo8zuc+wa//3OpHs9jFjvMEMW4hRvTGX+e4rAxdS8d2ZBdBK03tBm+d0pgul+7FPVKu4seP9qlJnbI+aW6xl3GnMbr9d+iMXyXr+dflcVWjhQvVIVtEbSKxaIyvwZYkQDRYxk5auoqWX8SCcmyRFtKeQqbzKT+G/LB4iLMnfDtIynArg5qD3zNqYkKgRb0YdAvdmk3bWIP4e/k0+N74H1H1vdzJbG1kRwkgVhIjLHUrZ30k3CS9PdCm/bkSA6yJky9cWEP+bAHnT7kTneXBIEq6jGVuICY1QjMUIzvA3Bp1evCg9o7rGk+PVvBRaUIuFEKKSxlCNiI2kbyOteyD365uLxTTpqKuHzAO3LeXuZqTlJKNsEszuu049AROlsmfVCCi7F1Enid1xfw15WbByPqq3+INb2rz8IRhPiteO/AO7Jy40A260Lw7C6jKrJQ3Dm0CfUzvUL/YupCZyM4kP+KUupQudV+gOu4vgEG3+OO8NvzWY+QNEyn1dXbyIGutpkBhS7GN3g6mHFQUvlU60vRM5jg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR09MB8142.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(366004)(451199015)(38070700005)(6916009)(5660300002)(54906003)(66556008)(33656002)(6506007)(7696005)(66476007)(8676002)(64756008)(15650500001)(66946007)(76116006)(52536014)(26005)(4326008)(66446008)(8936002)(9686003)(71200400001)(55016003)(83380400001)(66574015)(186003)(82960400001)(122000001)(86362001)(498600001)(38100700002)(2906002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: wcGH2WVCgbJKn651YhJeI40GJqXRZ88PT3jWGr3bWFBYC1MmL51dlvG9DMejd3DA7nzxNZpn/edBWCpBDSeETGJ1f9Jaml9M5L6P7qo3TwhXYgH8nngZ9R5aFQVWWzmEBwA/NePJ23W/9wbhI2jvJM4saqtU95ZmNYGBWCVpPYZUJAqGb67Zptyb0qvW6qROaB1xbyqwg9wpaaIBbHwOaU8fkSizySvgMuFYyvcySjufl6g2fDlt4D1WYuATWZpTaLnWDQ7EU0JH2DwcvEsnDCKqQMxlxe+4u7ySSoxRR/D7E4klA8kQ2hrTKmIyTxBvSClzgXC3wD7ne0EWgFIQcghWe0eejiLbQflRuWA5N9kLXIA3+apbMUGIqYAF+ASlaQsYfp+GI7V9ovB0qFqo17/5sXyL9pE/goCeLmHm1CNcmWhUp/CxZUEkCk4neXFPhkHQGZfYr/MyG4f4VwC2z4oWQe7N1fOydIShYVM8gSRaUS7c2k+FkYxwoaoZRRNZtjhnBqNmi6+nLUp0ac/8PRpv2+kViGMRLI6crviARSP49DrLjQQJJ7X34HKDigEi4QVlt1z6s7/iAb6Nxx4klCvNol+opj8oglOXLXozZHWN2F1z7LhqFVl6aGl1hEI63zLC6xkgiaIqfqOh1wlM5h3U1n5Cca6IhLozJYBaSf7qweH5y12K3lvPNziYPt1WBbrl4RArIDb+6GUNY3OGf0YSwoakugODkwdM2W1TCxCFpZ7amdvA7qbjLaSH39yyvgkVzejbpiZs2pcvpIlJ/q0GNuh0z0/IMKXfshnPVO6heNtqz69YiuLxNoEjBQMwe3xFBNkjUTm24kmAwwtPVmJqa5EfI0Kqn+YZ31zxpLZoi/FxgeCNkoISJSp4IVT+AIWYpzDVyqalmKpJ+DCFCM3TvHSnHNDnvM+k/twk1Q7PKUbcbRHI+fnbXPMpqWF7oFuCJamAyOp9gmcd1H3v6yh4iQtqer7ROXZOHirEvsrK6gQHGUQx738zUnNjrGm1VRI4ElS0aM18a7tYrVmQNxmwt+ZudPmYuyiM3Dnap1l2yxtX00On/1TwL8rK7w5dK76JoUu5z6LB8J6x+ZLILLW22KgRkzQl7RMJFJCF7RkDp1cOmTtZpUnLPr9/MWwb2QRxz7AmnZW1m/AKq/w5TPI0JXIaxxFBuTqRJkAfBgli1ORRlMTZBeUS/Jsp/rSjabOmB4vRqKfNghwXeq7pzrHoXMmxyIkz38spClgF7Y5TnJt1gviXellDvDpMEFFqQvLuLeh6UWqhpux0klMFd9B8G0k5EkhMN+DX8icXkq9V1FNSTwqfxmqMl7QYcHEoLJz2pNvGPK8G2N2yMLVyi1TeuOC//Nc33E0pxD9OGui7zIbsgs7zfNKgo30QKvoY6aViddpkvdt4/+AHZCYwJIWm7BYhtCD3Gq+m9hBnNFetOHSPo3j/VRoN+heQdmVF/1tg3F4IDkL0AnovaS2bFZS7sPIhFwfpDZKAN4pJWnNoh3Ac/tBrjy4eqidWkVN6xAg/yMg5FFmpRXvg5dSL3ANhZwJsQAr5BedhO5OpQJWaE3Dn6/kjns7xwQITxn3D
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR09MB8142.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b91e9ab9-0fc7-46e8-61d3-08dabe0d0d91
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Nov 2022 02:34:09.7506 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA9PR09MB4942
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/cWcF2Y0msvko73zY912Y3cQj7SM>
Subject: Re: [Sidrops] Feedback for draft-ietf-sidrops-aspa-verification-11
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2022 02:34:18 -0000
Hi Claudio, Thanks for your thorough review and very helpful comments. We (authors) appreciate it. Glad to hear that you found [sriram1] helpful for understanding the algorithms described in the draft. Your suggestions for changes are absolutely on the mark. Those are the kind of improvements that I had on mind for the next version. The draft had legacy text that needed some rewriting. Obviously, it still needs some more work for improving the readability. Since you found [sriram1] helpful, I can possibly use some of that notation and style of algorithm description in the draft as well. I will work on generating a version-12 in the next few weeks. Your comments are clear, and I plan to take each of them into consideration while updating. No comments inline below. Will share inline comments after the draft is updated. Sriram --------------------------------------------------- From: Claudio Jeker <cjeker@diehard.n-r-g.com> Wed, 02 November 2022 17:23 UTC Hi Sidrops and draft authors, Here some feedback to draft-ietf-sidrops-aspa-verification-11 now that I started to implement this for OpenBGPD. Section 1 & 2 There is a big bit missing in the introduction which gives an overview what ASPA does. This section would also explain some of the technical bits and jargon used in this draft. Especially explain how downstream/upstream checks work. I found the presentation in [sriram1] important to understand the concept of ASPA verification. Without that presentation I think I would not correctly understand many things in this draft. Section 4 A relying party (RP) must have access to a local cache of the complete set of cryptographically valid ASPAs when performing the customer-provider verification procedure. and The following algorithm describes the customer-provider verification procedure for a selected AFI: 1. Retrieve all cryptographically valid ASPAs with the selected AFI that have a customer value of AS1. The union of SPAS from these ASPAs forms the set of authorized providers. What has an RP to do with the code running on a BGP router. Also the Customer-Provider Verification Procedure is the core lookup function. There should be no step 1. instead there should be a concept similar to VRPs. IMO the above texts should be in section 3. Maybe mention that either static config or RTR can be used to distribute verified ASPA sets and that all sets are merged together. Also I think using the terms "Unknown", "Valid", "Invalid" is inappropriate when it comes to customer-provider lookups. Mainly because "Invalid" is misleading. "Valid" should be "Provider" and "Invalid" should be "Not-Provider". I also accept other terms but mixing Valid/Invalid here with the use in Section 5 (and the final outcome of the ASPA lookup is confusing). The C-P lookup does not define if a path is valid or not. It just tells if there is a C-P relation or not (or it is unknown). Section 5 Is the enforce neighbor-as a proper MUST or is this just la la la nice to have? From my understanding it is an important bit of not allowing empty or wrong paths in. In OpenBGPD enforce neighbor-as is on by default but it can be turned off. So should this be enforced for customer, provider, rs and peer sessions? Also on rs-client session enforce-as becomes more complex (see below). Section 5.1 Please just take all of this behind the barn and start over. The text is a mess, it is not how the code should be implemented. It is confusing and needs a lot of mental gymnastics to follow the text. This part is crucial to properly implement ASPA. Using the same I everywhere is confusing (also I is a very bad letter in text) and then this monstrosity "AS(1),AS(2),..., AS(I-1), AS(I), AS(I+1),..., AS(N)" does not help either. It has no real value (especially the repetition). Also I really dislike that it is the wrong way around. The path is actually AS(N) ... AS(1) since AS(1) is the origin AS. More about this further below. The calculation of the reverse indexes is only required for provider sessions (local role customer). Also it would be nice to not depend on reversing the AS path but instead explain that one can start from AS(N) and backtrack selecting the maximum instead of minimum and then use N - 'found index' as the result. Also note that Section 5.1.1 adds injury to insult by just confusing even more about what the heck is going on. The text should just mention that for Non-Transparent RS sessions the RS ASN should be skipped in the ASPATH and only the reminder checked as defined in Section 5.1. Also detecting this case will be fun: will it be enough to depend on 'role rs-client' and 'enforce neighbor-as yes'? An alternative is to have 'role rs-client non-transparent' as config. I have doubts that this non-transparent IXP check works in real life. While it does work for the immediate rs-client it requires that the non-transparent IXP is listed as provider in all its rs-clients ASPA objects. I guess this should be listed in Section 5.4. At least currently there is nothing like that mentioned in the draft. Section 5.3 Second paragraph (the left and right are confusing especially since it is the reverse of what you normally get (ASPA reversed the ASPATH and so everything is the wrong way). The left-most 'AS(1)' is the origin AS (which is normally the right-most AS) and right-most 'AS(N)' is the neighbor-as (which is normally the left-most AS). If there is an upstream ramp but no downstream ramp or vice versa, then clearly the UPDATE is valid (i.e., not a route leak). However, if both ramps exist, then the UPDATE is Valid if and only if either one or zero AS hops exist between the apexes of the two ramps, i.e., there is no AS between the apexes (see [sriram1] for formal proof). If there are one or more ASes between the apexes of the upstream and downstream ramps, then the UPDATE is a route leak (Invalid) or the presence of a leak cannot be known using available ASPAs (Unknown) [sriram1]. I find 'only if either one or zero AS hops exist ... i.e., there is no AS between the apexes' confusing. If zero AS hops exist then the upstream and downstream ramp touch (both end on the same node). Now they can also overlap but the text totally ignores this here. If there is one AS hop then the two apexes are neighbors (AS(up apex + 1) = AS(down apex). Without context from looking at sriram1 most of this is too hard to understand. Section 5.4 This section is in the wrong spot. It feels more like something that belongs under 7. In general the text in Section 5 is too complex and I fear there will be off by one errors. Without the presentation from [sriram1] I would have a hard time to implement this with confidence of doing it right. There is too much mental gymnastic required to visualize the text correctly to implement this. If one step is missed then the outcome could be wrong. Regards -- :wq Claudio
- [Sidrops] Feedback for draft-ietf-sidrops-aspa-ve… Claudio Jeker
- Re: [Sidrops] Feedback for draft-ietf-sidrops-asp… Sriram, Kotikalapudi (Fed)