Re: [Sidrops] The Horizontal INR Conflict-Detection Algorithm: Revealing INR Reallocation and Reauthorization in RPKI
'Job Snijders' <job@fastly.com> Fri, 09 July 2021 10:48 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 704563A1C78 for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 03:48:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id guRm3O2_nYuQ for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 03:48:36 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 500993A1C74 for <sidrops@ietf.org>; Fri, 9 Jul 2021 03:48:36 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id s15so13106497edt.13 for <sidrops@ietf.org>; Fri, 09 Jul 2021 03:48:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=yAXWjWx/K3pJpkY7gzH1B/tVEH0FrVDhZNQJlHFZxRY=; b=EyvQmUetIDX+HIMtRtpZaN+GoaAlPfoKY27t5evNk8oN+WHUTnaBZwPtv2SZZw9Kae MiNjQMv7eVp1Frf+n/X7u0tG8l/rU//OHDrDxtzzWfMOh7LfXDPeG2cOufCsTttVkzid n5WLimdQVhlxubM+dUP7CtCWBZ1sTNFjjer48=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=yAXWjWx/K3pJpkY7gzH1B/tVEH0FrVDhZNQJlHFZxRY=; b=EQZgHPzakH1RB2S62vvKOby8Yu2pUF939J3iUbbvvxndEFOeXLKEPJtg22cHpqnaf1 BaOSGkIxw1Y2Zp71HzUS4ui9BhRu5m+mUL5+EQwyaUApBPq7W8BRlV0h8KKmjxgv7CZH QcX1NlC+ITSWi+o/NUOro9lUXhjXbShRY1bqG+JTCrrw283S92dbHj8RIq0wPMJ3BNE/ g1n13KMVyrXv5tWmAu49pcm66gcgzanMPWiXXOz/fVvwWfT/hL2HDZR4rd/Y+fmrWkYn 0O7Alf5K0MGzQa+H3iY8zcrV9Ev+jiMs5xoKu2+AU9uhZ00NYf1nF96CLG1xBmqw5Fuj AqUw==
X-Gm-Message-State: AOAM5308H8gpo6IbBP5isUfcc7mzCWWJboaFiS4up1sSRErlaTf21z7x LlcCNUodUIVVnX5WKqc/1t9p1g==
X-Google-Smtp-Source: ABdhPJyhAaSE6FkpO+Zq651AdZwyehSYx1N3rexpvK2bDkMci3m5R3US/lDc/vzM+dl0h/dhFAXnPw==
X-Received: by 2002:a50:9556:: with SMTP id v22mr44784005eda.360.1625827710206; Fri, 09 Jul 2021 03:48:30 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:21e:c2ff:fefb:f388]) by smtp.gmail.com with ESMTPSA id u20sm2794942edr.50.2021.07.09.03.48.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jul 2021 03:48:29 -0700 (PDT)
Date: Fri, 09 Jul 2021 12:48:28 +0200
From: 'Job Snijders' <job@fastly.com>
To: 邵晴 <shaoqing@zdns.cn>
Cc: 'SIDR Operations WG' <sidrops@ietf.org>, 'Di Ma' <madi@rpstir.net>
Message-ID: <YOgpfIptbwoJp6k0@snel>
References: <60e7c889.1c69fb81.75226.d4f6SMTPIN_ADDED_BROKEN@mx.google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <60e7c889.1c69fb81.75226.d4f6SMTPIN_ADDED_BROKEN@mx.google.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/jC6R3NTjGG8FNaHMqVFU2qY60kw>
Subject: Re: [Sidrops] The Horizontal INR Conflict-Detection Algorithm: Revealing INR Reallocation and Reauthorization in RPKI
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 10:48:42 -0000
Dear 邵晴, On Fri, Jul 09, 2021 at 11:54:32AM +0800, 邵晴 wrote: > I am one of the coauthors of this paper, and this paper is as > attached,which can be accessed via > http://dl.ifip.org/db/conf/im/im2021mini/211035.pdf Thank you, I've read the paper with great interest. note 1: On page 3 there is a small error: "Up to now, APNIC [12], RIPE NCC [13] and AFRINIC [14] have published AS0 ROAs covering the undelegated IPv4 and IPv6 spaces under their management [snip]" At this moment RIPE NCC and AFRINIC do NOT publish AS0 RAOs for undelegated space. It is my hope it will remain that way, as the introduction of so-called 'AS0 Trust Anchors' adds considerable brittleness and fragility to the ecosystem :-( note 2: How would it be possible for "INR conflict A" to exist, if the superior CA has not listed the resource as subordinate. Such objects are 'uncovered' and RPs reject those objects. note 3: "INR conflict B" is an interesting case, because one can argue that different TAs are completely unrelated *different* PKIs, as each TA has their own Certification Policy (CP). In such an interpretation there is no conflict. So rather than considering it a 'conflict', one can argue it is a duplication of information (a coincidence) and exists to support redundancy across multiple different PKIs. I for one would welcome discussion in the RIR community to understand if the RIRs can set up a service in which they 'mirror' certain delegations under certain conditions for the resource holder in the other RIR. I would feel safer if I can publish ROAs via both RIPE NCC and ARIN, while the INR remains administratively managed by RIPE NCC. These need not be entirely automated or 'free' (gratis) services. Duplication of information can be a robustness feature. conclusion: Thank you for putting in this work! Whether conflicts should be considered detrimental 'conflicts', or are productive 'coincidences' remains an open question, but whatever the name of the thing, monitoring the global RPKI to spot duplication of information is a worthwhile activity. I appreciate the hands-on approach in Section E to help resolve issues. Kind regards, Job
- [Sidrops] The Horizontal INR Conflict-Detection A… Di Ma
- Re: [Sidrops] The Horizontal INR Conflict-Detecti… Job Snijders
- Re: [Sidrops] The Horizontal INR Conflict-Detecti… Randy Bush
- Re: [Sidrops] The Horizontal INR Conflict-Detecti… 邵晴
- Re: [Sidrops] The Horizontal INR Conflict-Detecti… Di Ma
- Re: [Sidrops] The Horizontal INR Conflict-Detecti… 'Job Snijders'