Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022
Tim Bruijnzeels <tim@nlnetlabs.nl> Wed, 23 March 2022 11:03 UTC
Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 158283A15F2 for <sidrops@ietfa.amsl.com>; Wed, 23 Mar 2022 04:03:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2NHJSO4LhTle for <sidrops@ietfa.amsl.com>; Wed, 23 Mar 2022 04:03:28 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2080E3A15F4 for <sidrops@ietf.org>; Wed, 23 Mar 2022 04:03:27 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 3403F95C; Wed, 23 Mar 2022 11:03:20 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net []) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1648033399; bh=RQAjg/KAmT60VQdnW8f4QlR4ZoCNASc+8LhEUX95j9U=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=NVEJSP3EnDwX0SVwd3abvuE/LKl6spoNeSv6105qWyluuQ0vWQch2rWQpZdRbQutB bJSEvkxDHSn3ju3oY0bORi88ek1RHI6Wqg5+ABxHKuGmRdkEm3af9HWQ7EzmIxyJOg oqxVCdLpbzlVLyiGlEVj8PqiimvC7pRzfuSdyAl9lYhbairhpByhkru+lvzu3300nV QYqP6fadQ/YZ/4wxzN4+f1daipqfko7VmL9OGLZIRGrMKQYWKvYOS7sFxKe5dA38M5 hBuyv83aPFuEzlKwK6AjAPsoQ3V0VLgYi9fOZHHSP15tcEUnfQEh52/iz1oPy1a0iZ jOuihu1txarIA==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <m235jqa2fk.wl-randy@psg.com>
Date: Wed, 23 Mar 2022 12:03:17 +0100
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C4AF324E-A168-44FE-B5C9-6B0CDC333EC9@nlnetlabs.nl>
References: <BYAPR18MB26961DE9F15501CCA12ECCF1C13D9@BYAPR18MB2696.namprd18.prod.outlook.com> <851649A5-9075-4956-8B57-E51F612DF6BD@nlnetlabs.nl> <m235jqa2fk.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/iBWgNEN9d03tGdTABYofuZKjwK4>
Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 11:03:33 -0000
Hi Randy, As I said I don't oppose the single VRP per ROA recommendation. On the contrary. > On 10 Mar 2022, at 04:53, Randy Bush <randy@psg.com> wrote: > >> This is an issue if, per Randy's example, the entire ROA is withdrawn first, >> the RPs fetches and revalidates and sends withdraws for VRPs to the router, >> and then the new ROA is published later, validated, etc > > no need. CA publishes old an new ROAs. RP fetches both and processes > sequentially. oups! > > and now we can expect to hear folk suggest that the RP should swallow > and digest the entire ROA set (think of the scale of this a few more > years out), reconcile it all, and only then send the reconciled VRPs > to the router. if the current state of RP software is any indication, > i would not want to bet my routing on this. Indeed. Typically what happens in practice is: 1. CAs will publish objects as a set 2. RPs will fetch objects as a set (and reject failed fetches per mft-bis) 3. RPs will do a full analyis of fetched objects to make a set of VRPs 4. RTR servers will send the diff in VRPs to routers and do work to avoid duplicates and race conditions I did not dig up all the normative language in specs, but in my understanding the above is what is specified. There is a lot of text - some of it is being discussed but not yet published as RFC - I may have missed something. In any case if it's bugs or scaling issues that you are worried about, then I think it would good to spell that out in the draft. I am not opposing that at all - and indeed single VRPs per ROA may help to keep things simple. But as written it seems to say that current implementations do things they are (to my knowledge) not currently doing and I think that is confusing. Furthermore.. this draft is informational and avoids using normative language.. so am I correct in concluding that it does not try to forbid combining multiple prefixes? Essentially it gives advice to CAs. For example the APNIC AS0 currently has close to 14k prefixes. They could of course be split into as many objects but that's a lot of objects.. This is of course an extreme case. But what about a 100 for example? Would that be enough to decide to combine prefixes in a single object? It would be useful to me to hear from RP implementers what they believe a good threshold value might be, or that they prefer to have separate objects always.. it would help me to set sensible defaults in CA software. Including possibly: don't aggregate unless specifically instructed by the operator. Thanks Tim > > randy > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] [WGLC] draft-ietf-sidrops-roa-considera… Keyur Patel
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Rob Austein
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… George Michaelson
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Tom Harrison
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Tim Bruijnzeels
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Di Ma
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… chku
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Geoff Huston
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Geoff Huston
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Randy Bush
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Stephen Kent
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Tim Bruijnzeels
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Tim Bruijnzeels
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… YAN Zhiwei
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Christopher Morrow
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… YAN Zhiwei
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Keyur Patel
- Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-consi… Ties de Kock