Re: [Sidrops] ASPA: Is this really a leak?
"Jakob Heitz (jheitz)" <jheitz@cisco.com> Wed, 16 December 2020 19:57 UTC
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Jay Borkenhagen <jayb@braeburn.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Date: Wed, 16 Dec 2020 19:57:52 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/eFcFEOotMFqt7m9__ofi8Y-PpCA>

Jay,

I disagree that the algorithm in ASPA rejects routes whose AS_PATHs are contra-indicated by the expressed wishes of the AS resource-holders, as communicated by the set of validated ASPA records. I posit that it rejects more than that.

Suppose AS1 has providers AS2 and AS20.
AS20 is also a provider for AS2.
What I am proposing is that AS2 should be allowed to divert traffic that it received from the Internet through AS20 on its way to AS1.

Internet --> AS2 --> AS20 --> AS1.

The algorithm stated in ASPA prevents that.
Nobody is breaking any laws or contracts by doing that.
Nobody is seeing any traffic that they are not permitted to by doing that.
This kind of diversion happens frequently on the internet and ASPA should not prevent it.

The big difference is that AS2 is a provider for AS1. If it were not, then ASPA absolutely should reject the path.

Regards,
Jakob.

-----Original Message-----
From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Jay Borkenhagen
Sent: Wednesday, December 16, 2020 8:40 AM
To: Jakob Heitz (jheitz) <jheitz=40cisco.com@dmarc.ietf.org>
Cc: sidrops@ietf.org
Subject: Re: [Sidrops] ASPA: Is this really a leak?

Jakob Heitz \(jheitz\) writes:
 > https://tools.ietf.org/html/draft-ietf-sidrops-aspa-verification-06
 > finds suspected leaky AS paths.

No, not really.

draft-ietf-sidrops-aspa-verification rejects routes whose AS_PATHs are contra-indicated by the expressed wishes of the AS resource-holders, as communicated by the set of validated ASPA records.

It's thus up to each party publishing ASPA records to ensure that all necessary upstream and mutual transit relationships are explicitly authorized.

Jay B.
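
The AS1/AS2/AS20 path from the message above, run through a simplified model of the draft's upstream check (an added example, not code from the draft or from either author). The receiver AS64496 and AS20's provider AS64497 are assumed documentation ASNs; AFI and AS_SET handling are left out.

```python
# Simplified model of ASPA upstream verification (route received from a
# customer or peer). AFI and AS_SET handling are omitted.
VALID, UNKNOWN, INVALID = "Valid", "Unknown", "Invalid"

# Constructed ASPA records: customer AS -> providers it has authorized.
# AS1 and AS2 follow the message; AS64496 (receiver, a provider of AS2) and
# AS64497 (a provider of AS20) are assumed documentation ASNs.
ASPA = {1: {2, 20}, 2: {20, 64496}, 20: {64497}}


def hop_check(customer, provider, aspa):
    """Is `provider` an authorized provider of `customer`?"""
    providers = aspa.get(customer)
    if providers is None:
        return UNKNOWN  # customer has published no ASPA
    return VALID if provider in providers else INVALID


def verify_upstream(as_path, neighbor, aspa):
    """as_path is in AS_PATH order (newest AS first, origin last).

    Returns (state, hop) where hop is the first (customer, provider) pair,
    counted from the origin, that produced a non-Valid state, else None.
    """
    if not as_path or as_path[0] != neighbor:
        return INVALID, None
    hops = as_path[::-1]  # walk from the origin towards the receiver
    state, where = VALID, None
    for customer, provider in zip(hops, hops[1:]):
        if customer == provider:  # AS_PATH prepending
            continue
        result = hop_check(customer, provider, aspa)
        if result == INVALID:
            return INVALID, (customer, provider)
        if result == UNKNOWN and state == VALID:
            state, where = UNKNOWN, (customer, provider)
    return state, where


if __name__ == "__main__":
    diverted = [2, 20, 1]  # route for traffic Internet -> AS2 -> AS20 -> AS1
    print(verify_upstream([2, 1], 2, ASPA))       # direct path
    print(verify_upstream(diverted, 2, ASPA))     # fails at AS20 -> AS2
    no_as2 = {**ASPA, 1: {20}}                    # AS2 not a provider of AS1
    print(verify_upstream(diverted, 2, no_as2))   # same verdict, same hop
    no_as20 = {k: v for k, v in ASPA.items() if k != 20}
    print(verify_upstream(diverted, 2, no_as20))  # AS20 published no ASPA
```

The verdict on the diverted path is decided at the AS20 -> AS2 hop, so it is the same whether or not AS1 lists AS2 as a provider; it only softens to Unknown when AS20 has published no ASPA.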