Re: [Sidrops] request for adoption call for draft-spaghetti-sidrops-rpki-doa
Mikael Abrahamsson <swmike@swm.pp.se> Wed, 20 April 2022 07:50 UTC
Return-Path: <swmike@swm.pp.se>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AA393A0E7A for <sidrops@ietfa.amsl.com>; Wed, 20 Apr 2022 00:50:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=swm.pp.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id txr_AWjk_1Ja for <sidrops@ietfa.amsl.com>; Wed, 20 Apr 2022 00:49:59 -0700 (PDT)
Received: from uplift.swm.pp.se (ipv6.swm.pp.se [IPv6:2a00:801::f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEEE53A0E56 for <sidrops@ietf.org>; Wed, 20 Apr 2022 00:49:59 -0700 (PDT)
Received: by uplift.swm.pp.se (Postfix, from userid 501) id 15636B0; Wed, 20 Apr 2022 09:49:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail; t=1650440994; bh=szhUO4Vpx9D15XrCPmdtdT+tfXtzLoNg9mfbT6nVJeo=; h=Date:From:To:Subject:In-Reply-To:References:From; b=0lYdNTMRDQVHNHQKeP+gQdbh9BCdG/pNROG5A4lcc1ho8N1MvIMe3GvvQ11fXAVBn hmTBntGCT/TzeA1upQhd1G8E/SFptWMG7PiRFPTOS65JGPh85/k0wbE7kktl/Jo+4+ 7ElDVxE/bcWKXLL9zO9ueYlDDjVEiNyIrJPuStbE=
Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id 13376AF; Wed, 20 Apr 2022 09:49:54 +0200 (CEST)
Date: Wed, 20 Apr 2022 09:49:54 +0200
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: sidrops@ietf.org, Jay Borkenhagen <jayb@braeburn.org>
In-Reply-To: <25182.60478.748013.831196@hrabosky.cbbtier3.att.net>
Message-ID: <alpine.DEB.2.20.2204200929570.9518@uplift.swm.pp.se>
References: <alpine.DEB.2.20.2204191544470.9518@uplift.swm.pp.se> <25182.60478.748013.831196@hrabosky.cbbtier3.att.net>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/jRXf7C7z6TWINnhjDgLYCViFR4I>
Subject: Re: [Sidrops] request for adoption call for draft-spaghetti-sidrops-rpki-doa
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2022 07:50:09 -0000
On Tue, 19 Apr 2022, Jay Borkenhagen wrote: > Before discussing WG adoption, please help me understand more about > your intent for DOA. Allow me to ask it this way: > > --------------- > > I agree that there are situations in which it makes sense today for a > service provider to accept rpki-invalid announcements from their > customers. As the draft points out, RTBH is one such case. Another > case is for traffic engineering: my customer has a /23 with a ROA. > They assign one /24 to one site and the other /24 to a different site, > both sites connected to my network. They have no need for the entire > DFZ to learn the /24s, so there is no need to publish ROAs for the > /24s. > > Service providers must continue to maintain prefix-list route filters > on all their customers (and ROAs can play a big role in that, as has > been discussed). > > If this service provider wants to allow its customers to send it RTBH > or TE more-specifics in apparent opposition of published ROAs, it can > require those more-specifics to come with suitable communities: > > - "We will accept rpki-invalid RTBH route announcements from > customers IFF (a) they are accepted by the prefix-list > route-filters AND (b) they carry the RTBH community." > > - "We will accept rpki-invalid TE route announcements from customers > IFF (a) they are accepted by the prefix-list route-filters AND (b) > they carry our community signifying they are for use only within > our network and will not be propagated further." This community > could possibly be no-export, or perhaps some other community > defined by the service provider. > > --------------- > > Given the above description, is there a gap that DOA helps to close? I don't disagree with anything you wrote above, they're all valid use-cases, with the comment that running strict prefix-list for permitting routes is not feasible for all customers due to the poor quality of IRR/RPKI. Also, there is no way for the customer to delegate the RTBH creation to their upstream and have the upstream signal this to their peers/upstreams if that's desired. However, I'd like to see us move towards a more automated/secure future (both when it comes to sourcing information but also pushing out updated information into the network) with less hands-on when it comes to managing prefix filters, and one way is that everything that needs to go into these filters, goes into RPKI, and is continously updated/pushed to the routers. This is partly to solve the problem that we've seen problems maintaining huge configurations with prefix lists that are batch run/updated periodically. It's a problem both where the information that goes into these lists come from, and how they're stored on-device. With DOA going into RPKI we shift the mechanism to a system where the prefixes are not stored in configuration, but are stored in a different way on the device, plus it's signed, and the customer administrates it using the regular RPKI tools. Each step towards a future without IRR but with information instead residing in RPKI would enable us to have less hands-on with prefix list changes and have smaller configurations on the routers. One argument that I've had regarding DOA is that it's quite specific and question is if a more generic mechanism should be created, perhaps for other use-cases. My experience however is that as soon as we aim for something more generic, the work scope explodes and the time to completion increases by years. There is a tendency to let perfect get in the way of good. -- Mikael Abrahamsson email: swmike@swm.pp.se
- [Sidrops] request for adoption call for draft-spa… Mikael Abrahamsson
- Re: [Sidrops] request for adoption call for draft… Jay Borkenhagen
- Re: [Sidrops] request for adoption call for draft… Randy Bush
- Re: [Sidrops] request for adoption call for draft… Mikael Abrahamsson
- Re: [Sidrops] request for adoption call for draft… Job Snijders