IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022

Ties de Kock <tdekock@ripe.net> Wed, 11 May 2022 14:23 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8A45C15EB32 for <sidrops@ietfa.amsl.com>; Wed, 11 May 2022 07:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4YN5X0fgWthd for <sidrops@ietfa.amsl.com>; Wed, 11 May 2022 07:22:59 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86343C159A23 for <sidrops@ietf.org>; Wed, 11 May 2022 07:22:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version:Content-Type ; bh=wKo3t09gvl1NyHgmphCUe1gkGPnUdXDFI5sI36tZkOk=; b=tR1g7eamwvF5+G/dFBj1tCn6 bCmiQTePUwHyegoNjR//cbaCmmrN4lNgVOSIricldgYT22BRFihkGPWvg1AhLunF98/9bB3fd2ee8 kUShKr4rtU95DGVwdsZa4oJUV4lFBNu6mGVQ7+758s0tSL3pCOsEQm8KLHvPETGLBxeaLOli5dFMp LEtLVa/kFdb5osvR7ZsL0IxJZwAc+NyW9Lz54bCJka70o9jBAOlgb2R1igKzk8suvW1ya4QM6aTeW xO4a7V29Wc4lJR2DgCLnEc4KzPII/hvaaCqir9EipMwMKVWkPY2LTsdEAjWtTD9LqRHuYZopyUJUA la8+5/aNAw==;
Received: from allealle.ripe.net ([2001:67c:2e8:23::c100:170c]:42472) by mahimahi.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tdekock@ripe.net>) id 1nonEu-000973-HD; Wed, 11 May 2022 16:22:56 +0200
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by allealle.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tdekock@ripe.net>) id 1nonEt-00007Z-V6; Wed, 11 May 2022 14:22:56 +0000
Content-Type: multipart/alternative; boundary="Apple-Mail=_E4437582-3F66-4C38-966D-1FC52EB0323F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: Ties de Kock <tdekock@ripe.net>
X-Priority: 3
In-Reply-To: <D24AE34D-35FC-4EE0-9AF3-21233AD34B5C@ripe.net>
Date: Wed, 11 May 2022 16:22:54 +0200
Cc: sidrops <sidrops@ietf.org>
Message-Id: <F258B08E-9745-4D5B-BE6E-41D21E9F7B34@ripe.net>
References: <BYAPR18MB26961DE9F15501CCA12ECCF1C13D9@BYAPR18MB2696.namprd18.prod.outlook.com> <20220307010632.8FFE72EA00F6@minas-ithil.hactrn.net> <202204181052163056836@cnnic.cn> <CAL9jLaaXJt9heaPKs7HEWeqcVTcDCEYwgouCghceavABeTMkTw@mail.gmail.com> <202204241043170000699@cnnic.cn> <D24AE34D-35FC-4EE0-9AF3-21233AD34B5C@ripe.net>
To: YAN Zhiwei <yanzhiwei@cnnic.cn>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e103ba54faa2ec8e978ac1a228058acb4f
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/iwIjlbTDbg9LkrcnEvd27y27KaQ>
Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2022 14:23:03 -0000

Hi Zhiwei,

> On 25 Apr 2022, at 08:26, Ties de Kock <tdekock@ripe.net> wrote:
> 
> Hi Zhiwei,
> 
>> On 24 Apr 2022, at 04:43, YAN Zhiwei <yanzhiwei@cnnic.cn <mailto:yanzhiwei@cnnic.cn>> wrote:
>> 
>> Hello, Christopher, 
>> Yepp.
>> 
>> And all, 
>> Then if there is any special scenario (from either CA or RP consideration) in which aggregation can maintain stability, please feedback.
> 
> I provided you with motivated scenarios in an off-list thread.
> 
> Instead of a call for more explanation about scenarios where aggregation
> increases stability I feel that the draft should first try to clarify what risks
> the advice tries to guard against.
> 
> For example, in this thread, you mentioned overclaiming. In the off-list thread,
> you mentioned, "if one ROA was signed mistakenly, the influence can be reduced
> if “one-prefix-per-ROA”". It helps if these scenarios are clarified and included
> in the draft.

I have seen the significant changes in -02, and the changes did not address my
issues.

In my opinion, to move forward, this draft needs - at least while drafting - a
more precise overview of what scenarios it tries to improve.

The "Problem statement and Analysis" section has significant issues. As
mentioned earlier, I can not reproduce the issue with traffic between RP and
router. The expiry scenario strikes me as a contrived situation that is either
managed by a CA implementation or reflects CA intent.

While I agree that - depending on the situation - there are motivating reasons
to issue a ROA per prefix, I do not think this draft (sufficiently) supports
this approach.

Kind regards,
Ties de Kock

> 
> Kind regards,
> Ties
> 
> 
>> BR,
>> 
>> YAN Zhiwei
>>  
>> From: Christopher Morrow <mailto:christopher.morrow@gmail.com>
>> Date: 2022-04-22 22:56
>> To: YAN Zhiwei <mailto:yanzhiwei@cnnic.cn>
>> CC: Rob Austein <mailto:sra@hactrn.net>; keyur <mailto:keyur@arrcus.com>; sidrops <mailto:sidrops@ietf.org>
>> Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022
>> 
>> 
>> On Sun, Apr 17, 2022 at 10:52 PM YAN Zhiwei <yanzhiwei@cnnic.cn <mailto:yanzhiwei@cnnic.cn>> wrote:
>> Hello, guys,
>> 
>> As Rob, George, Di and others mentioned, there are two sides to everything. Especially for a security service, the basic motivation of RPKI is for more secured routing system, while it will surely introduce other new risks. We want to optimize it during its designing, but it’s more important to deploy and test it with a more simple logic. I totally agree with Tim, there are some specific situations (…AS0 ROAs for unallocated space that some RIRs publish…) where the resources are more stable and with low risk wrt overclaim, it’s worthy to pack the ROAs together to improve the RP’s efficiency. Then if we have rough consensus about this principles, what we need to do are:
>> 
>> 1) Describe the one-prefix-per-ROA as a basic advice of CA operation;
>> 
>> 2) List the specific scenarios which have low risk wrt overclaim as the optimization situations CA may consider.
>> 
>> 
>> sounds like your advice is: "largely do 1 / prefix", with guidance on when to expand that, perhaps an algorithm even...
>> Is it worth noting that at the top levels there may be more skew toward aggregating  vs singular records? (or would that fall out of the research being done perhaps?)
>> I'm pretty sure a 'one size fits all' will not work :) so your plan seems reasonable to me.
>>  
>> BR,
>> 
>> YAN Zhiwei
>>  
>> From: Rob Austein <mailto:sra@hactrn.net>
>> Date: 2022-03-07 09:06
>> To: Keyur Patel <mailto:keyur@arrcus.com>
>> CC: sidrops@ietf.org <mailto:sidrops@ietf.org>
>> Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022
>> I support publication of this draft.
>>  
>> Two comments, for whatever they're worth:
>>  
>> 1) In retrospect, the ability to specify multiple prefixes in a single
>>    ROA seems like premature optimization: it's solving a problem I'm
>>    not convinced we really have, at the expense of creating a new one.
>>  
>> 2) I tend to think about the multiple-prefix ROA problem in terms of
>>    "fate sharing": unless all the prefixes involved are in some way so
>>    closely tied to each other that there will never be a change to one
>>    of them that isn't a change to all, they should be separate ROAs.
>>  
>>  
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org <mailto:Sidrops@ietf.org>
>> https://www.ietf.org/mailman/listinfo/sidrops <https://www.ietf.org/mailman/listinfo/sidrops>
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org <mailto:Sidrops@ietf.org>
>> https://www.ietf.org/mailman/listinfo/sidrops <https://www.ietf.org/mailman/listinfo/sidrops>

v2.23.0 | Report a Bug | By Email