Re: [Sidrops] [GROW] I-D Action: draft-ietf-sidrops-route-server-rpki-light-00.txt

Job Snijders <job@instituut.net> Sun, 15 January 2017 14:49 UTC

Date: Sun, 15 Jan 2017 15:49:43 +0100
From: Job Snijders <job@instituut.net>
To: Marco Marzetti <marco@lamehost.it>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/e343f6wNRYRDOc8baps4Dq5mX9w>
Cc: Randy Bush <randy@psg.com>, sidrops@ietf.org, GMO Crops <grow@ietf.org>

On Sun, Jan 15, 2017 at 03:39:37PM +0100, Marco Marzetti wrote:
> On Sun, Jan 15, 2017 at 1:32 AM, Randy Bush <randy@psg.com> wrote:
> > [ first, i do not use route servers (because of the data/control
> >   non-congruence), so my opinion here is worth even less than it
> >   normally is. ]
> >
> >> An ixp route-server is not a transit provider, all of the nexthops
> >> exposed are in fact peers. So no I do not consider such a device an
> >> "upstream" it exists to service the policy needs of the peers on the
> >> fabric rather than that of the exchange operator.
> >
> > to repeat my previous; those policy needs might vary across ix members.
> > some may want the ix to enforce origin validation for them, some may
> > not.  those exchanges which offer validation today offer the choice.  i
> > think that is the right thing; let the member make the choice at set-up
> > with the route server.
> 
> I think RSs should do RPKI by default and allow for two behaviors:
> 1) Drop (default)
> 2) Add ext-community as this draft suggests (upon request)

Or perhaps we consider a Route Server to be "Just Yet Another Autonomous
System"? Why should there be a difference between Autonomous Systems
with regard to routing security recommendations?

If the recommendation is to drop/ignore/reject "RPKI Invalid"
announcements, then that applies to Route Servers too; if the
recommendation is to just attach an Extended BGP Community, then that
will apply to all ASNs.

Kind regards,

Job