IETF Logo Mail Archive

[Sidrops] Comments on draft-ietf-sidrops-validating-bgp-speaker

Jeff Wheeler <jsw@inconcepts.biz> Wed, 07 February 2018 21:12 UTC

Return-Path: <jsw@inconcepts.biz>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B373B12D7F1 for <sidrops@ietfa.amsl.com>; Wed, 7 Feb 2018 13:12:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=inconcepts-biz.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eKaU_13u8Xoi for <sidrops@ietfa.amsl.com>; Wed, 7 Feb 2018 13:12:00 -0800 (PST)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A89C012785F for <sidrops@ietf.org>; Wed, 7 Feb 2018 13:12:00 -0800 (PST)
Received: by mail-vk0-x230.google.com with SMTP id x203so1455699vkx.10 for <sidrops@ietf.org>; Wed, 07 Feb 2018 13:12:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inconcepts-biz.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=7lbEdi4sIpOaDlMYCBSb4TAUlfB4tziTahGGb44zjrA=; b=0T2pkXc8ZNZj/uxzkMMZZLh/kPAwAIUAWBlR0fsAmAnIf0u3DSld3RlPumLXv1dITe UiozwEsl4mvY6hPH5GU7i4JRQQkG0W5LXCDVMcBBt2rrHNAhK82D0BeAKTjYOsAjCJbT DMjf+Up7X/Bt1jtzOBw28PM+1K9bkuajyUhWTqQQsXv2J6z4cMsh1geI0wYkSRNebjlf N6rclIxgFUvyG53CrjnX7mhxy2YQ0R+BSGJCMtHDe6HyTf2Zj1kNAPOCK4zklT8R6D5S bVRIY2z1A4gHc6IsWtLmMY7m4hij0xIdKMkPpe018YZ+P4rqtmbybNdT3FVEaoN4dTAc aNlg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=7lbEdi4sIpOaDlMYCBSb4TAUlfB4tziTahGGb44zjrA=; b=leH1HiXwzm9wPi6uo7dOhTIENhbqI55Z56gRzZnYh4tOd8YFQ69tURCe7Z2xdg+py+ ZLdxikjsLpdI08q8sEI1osg3+nBIoRqXTDcNwSDUyKEVLL64iE1/tBFy1UND960ig6We SsdCaxhqcHrz1IB6n7tgfvN4l01Rzbk8vVV0Gljl4NBP4H6vxAw0OgDUabvuvRrvkqwH y8NyGrIZGLDJR9UPyyeY8cGPq/B7qp4omtP6Ka6Fz9mNroX4YQJ6P914oZvYIFZ8DfbE K3esSfOJxga3xxYSezmxjyObTVzfb+SEinl9oM/lKLUTCKZlzX36dUIy657dR+wi4DrD JgHQ==
X-Gm-Message-State: APf1xPD6jtEgQiuChar6iUHZQPFFgxJ6V5SMeR8wC3LHD/mSiESjsmL5 F76oWoZU6Zh8NK9CjmkSEBATFRlh6DQ2NtiYzBJgmP1K
X-Google-Smtp-Source: AH8x226wp+UxMeQTDzJQVrXJSCDiq4w3SQSNK/x7p8Il5dbxoUya9doDEQLsukR9Gg0rPE1IbPU8Cb8ZcyNaKCt0ufM=
X-Received: by 10.31.87.69 with SMTP id l66mr6666289vkb.132.1518037919428; Wed, 07 Feb 2018 13:11:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.103.61.151 with HTTP; Wed, 7 Feb 2018 13:11:58 -0800 (PST)
X-Originating-IP: [74.130.6.149]
From: Jeff Wheeler <jsw@inconcepts.biz>
Date: Wed, 07 Feb 2018 16:11:58 -0500
Message-ID: <CAPWAtbJJ3mWXP-d314CbY7n9LSh4KmNjXBCP93Ag_i=0gcAd8Q@mail.gmail.com>
To: sidrops@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/hF3SjjIkyJs1GloqmiHf9w0XwDE>
Subject: [Sidrops] Comments on draft-ietf-sidrops-validating-bgp-speaker
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 21:12:02 -0000

A colleague brought the recent draft titled "Signaling Prefix Origin
Validation Results from an RPKI Origin Validating BGP Speaker to BGP
Peers" to my attention.


The authors clearly recognize a hazard of implementing this draft --
trusting the claimed validation state received from an eBGP neighbor.
The draft makes this explicit in both sections 5.2 (..receiving the ..
extended community) and section 7 (security considerations.)

Rather than depend on neighboring networks to configure their devices
appropriately, the draft introduces what I believe is a novel / unique
handling for an extcomm, namely, it is transitive yet only for one
hop, and has to be deleted instead of propagated to any neighbors.

This requirement seems like a significant obstacle to implementation.

It also sets up an incorrect expectation that you should be able to
trust if you receive this extcomm that you got it from the
directly-adjacent BGP neighbor, and not from a distant device.  This
won't be true until the neighbor updates his software, and normally in
BGP, we would expect a Capability to be signaled so implementations
have explicit knowledge of neighbors' relevant BGP features.  The
draft does not call for a Capability.

In light of all this, I think a Well-Known BGP Community makes more
sense than an extcomm.  Operators are already familiar with signaling
and filtering them and this would avoid the need for vendors to write
code for the special propagation scope of the proposed extcomm.


I further believe this draft might be misguided as a whole, but I
imagine the authors, being IXPs, may have their members to answer to;
and are perhaps trying to create transition tools to satisfy everyone.
My colleague reminded me that you must actively mess yourself up to
cause your IP address space to fail RPKI validation.

Perhaps it is unwise for IXP route-servers to propagate invalid routes.

-- 
Jeff S Wheeler <jsw@inconcepts.biz>

v2.23.0 | Report a Bug | By Email