Re: [Sidrops] question on draft-ietf-sidrops-aspa-verification-04

"Guyunan (Yunan Gu, IP Technology Research Dept. NW)" <guyunan@huawei.com> Wed, 06 May 2020 07:12 UTC

Return-Path: <guyunan@huawei.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E550F3A079D for <sidrops@ietfa.amsl.com>; Wed, 6 May 2020 00:12:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqiPv-CuxzDH for <sidrops@ietfa.amsl.com>; Wed, 6 May 2020 00:12:12 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8768F3A0798 for <sidrops@ietf.org>; Wed, 6 May 2020 00:12:12 -0700 (PDT)
Received: from lhreml703-chm.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 4319D1050092CE86DBBF; Wed, 6 May 2020 08:12:11 +0100 (IST)
Received: from lhreml703-chm.china.huawei.com (10.201.108.52) by lhreml703-chm.china.huawei.com (10.201.108.52) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Wed, 6 May 2020 08:12:10 +0100
Received: from DGGEML422-HUB.china.huawei.com (10.1.199.39) by lhreml703-chm.china.huawei.com (10.201.108.52) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1913.5 via Frontend Transport; Wed, 6 May 2020 08:12:10 +0100
Received: from DGGEML532-MBX.china.huawei.com ([169.254.8.111]) by dggeml422-hub.china.huawei.com ([10.1.199.39]) with mapi id 14.03.0487.000; Wed, 6 May 2020 15:12:05 +0800
From: "Guyunan (Yunan Gu, IP Technology Research Dept. NW)" <guyunan@huawei.com>
To: Alexander Azimov <a.e.azimov@gmail.com>
CC: "rv@nic.dtag.de" <rv@nic.dtag.de>, SIDR Operations WG <sidrops@ietf.org>
Thread-Topic: question on draft-ietf-sidrops-aspa-verification-04
Thread-Index: AdYdy08vebzctU/sRBSjzmRHyKjH2ACpL0yAALmBBzA=
Date: Wed, 6 May 2020 07:12:05 +0000
Message-ID: <C01B0098369B2D4391851938DA6700B717A0C386@DGGEML532-MBX.china.huawei.com>
References: <C01B0098369B2D4391851938DA6700B7179F9EAB@dggeml512-mbs.china.huawei.com> <CAEGSd=APMCnnd5mrnMKtti-QWy1m7r5JfJsf7HynZqyXWwsZHg@mail.gmail.com>
In-Reply-To: <CAEGSd=APMCnnd5mrnMKtti-QWy1m7r5JfJsf7HynZqyXWwsZHg@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.108.203.151]
Content-Type: multipart/related; boundary="_006_C01B0098369B2D4391851938DA6700B717A0C386DGGEML532MBXchi_"; type="multipart/alternative"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/fsJ4uXhR84xZzI4hj3c0LmMGTqo>
Subject: Re: [Sidrops] question on draft-ietf-sidrops-aspa-verification-04
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 07:12:15 -0000

Hi Alex,

Thanks for the elaboration, which totally makes sense to me. A suggestion here, the description of how to deal with the P2P relation using ASPA (just as what you described below) can be added to the draft for clarification.

Further, Section 5.2 says:
When route is received from provider or RS it may have both Upstream
   and Downstream paths, where a Downstream follows an Upstream path.

The “downstream” refers to both P2C path and P2P path, right? If so, I suggest to change the usage of “downstream” to “non-upstream” or similar wording to avoid confusion.

Another point to confirm with you about Section 5.2:
Additional caution should be exercised when processing prefixes that
   are received from transparent IXes, as they don't add their ASN in
   the ASPATH.

To my understanding, that in this draft, you assume by default that RS prepends its own ASN to the AS_Path, right?

And a final question about Section 7 Siblings (Complex Relations), regardless of the current description of what sibling relation is, do we think that sibling ASes are ASes that belong to the same operator? So any type of transition is free of charge?


BR,

Yunan

From: Alexander Azimov [mailto:a.e.azimov@gmail.com]
Sent: Sunday, May 3, 2020 2:54 AM
To: Guyunan (Yunan Gu, IP Technology Research Dept. NW) <guyunan@huawei.com>
Cc: rv@nic.dtag.de; SIDR Operations WG <sidrops@ietf.org>
Subject: Re: question on draft-ietf-sidrops-aspa-verification-04

Hi Yunan,

Let say that that AS1 is the originator of the prefix, and has created ASPA records. Since AS2 is a peer it will not be included in the list of providers. The AS2 isn't creating any records + making the leak and AS3 is performing ASPA verification procedure.
The 5.1 says:


   When a route is received from a customer, a literal peer, or by a RS

   at an IX, each pair (AS(I-1), AS(I)) MUST belong to customer-provider

   or sibling relationship


In our case, AS3 needs to check that AS1 -> AS2 belongs to c2p pairs. It will check the existence of ASPA record for AS1 - it is present, then it will check the presence of AS2 in the list - it will not be there, thus making the path invalid.

Let me know if you have further questions.

ср, 29 апр. 2020 г. в 05:21, Guyunan (Yunan Gu, IP Technology Research Dept. NW) <guyunan@huawei.com<mailto:guyunan@huawei.com>>:
Hi Alex and Ruediger,

To continue our discussion at the meeting, let’s use the example you provided yesterday. Both lateral peering between AS1—AS2, and AS2—AS3.

First question, does AS1 or AS2 sign any ASPA object for this pair and how?  I see description for Sibling relation representation in Section 7, but haven’t been able to find any for P2P.

Second question, if yes to the above question, how does AS 3 use any of the ASPA object(s) to detect the leak? And if no, how to detect the leak anyway?

Thanks.

Yunan



[10.1.1.0/24]



[AS 1]

[AS 2,AS 3]





--
Best regards,
Alexander Azimov