[Sidrops] Indeed, we are not done yet (Was: [routing-wg] misconceptions about ROV)
Job Snijders <job@fastly.com> Tue, 22 February 2022 10:27 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id E60563A0D9B
for <sidrops@ietfa.amsl.com>; Tue, 22 Feb 2022 02:27:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id qNAlEIbR5G5Y for <sidrops@ietfa.amsl.com>;
Tue, 22 Feb 2022 02:27:52 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com
[IPv6:2a00:1450:4864:20::52a])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 6E4F43A0D3E
for <sidrops@ietf.org>; Tue, 22 Feb 2022 02:27:52 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id h15so18749093edv.7
for <sidrops@ietf.org>; Tue, 22 Feb 2022 02:27:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google;
h=date:from:to:subject:message-id:mime-version:content-disposition;
bh=U5lDc44ZCxlsoE4fZWKXlBJ7k8Xxmn0eqpc/JsqOums=;
b=EjQ0LWtakcq2Wx16b8DAi+CpvP4BhRBSrAQ/JJbV98Gk7h5TGLoCQ+sUtSexFy12Xk
w4Dr2rrrxhpnmGNYfqE1M5mS8dR3OevXfVIG/lfshYowxp5sdE1+9BA5USivNLw1WWyg
/20HVltu1POokXSJzwHp4DZ8itQlugU0oviCg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:date:from:to:subject:message-id:mime-version
:content-disposition;
bh=U5lDc44ZCxlsoE4fZWKXlBJ7k8Xxmn0eqpc/JsqOums=;
b=7sNBBt3Tsb31zxPRm4O/E1Dv+KaWgvIjf0Pb77nfN5B+dvqqPM1YvlGM9RzyW9ASuN
+zlT2enHKGJwJonxww8vAUBBpXX1s9ryThXPcNYNomwJ2L5xB4x48ETuI7A5LKdWxwSK
nreOoO2mx6TJg5by8ER+bjW7IhotlQJOA1Sr0BBKlND//yxw1blTNos0j2iN4SgmLn+x
T5YLcBzmy9M8BYGoLj3m5DfPgdmRAy/crQwSeechHXYUpe4ubx07NjNWh2eswJBSrwQj
MFKzbjjyY7LHmKqUoL7yKjFJ2Y9TCc35UBzCxNaYCBYnsy4DIpy9uSfd+3NsRU6oMRpS
qPRA==
X-Gm-Message-State: AOAM530xMHIdOFIQnDGEd5juvpvap+MSpZJJYcH1d+iDfUELxUcVr2bQ
oOJC/5uuqNvy9bDAh/vO7E2bWtVaCyQI3XD+dgAm/F60QazEGOlLHxE6joZiibsCiQsho5FJznR
bEe3v9RnkQWoD2VOVJ5S+i+LYj0UvctuKBZjNFjQDfKCc0vyuUlxhEM4=
X-Google-Smtp-Source: ABdhPJwO0fVJ7kPYdXP/uqUeJogyb4pjY2wkkGaArRuQArqkb+NqUGSTIbhVEcUBUqo6i2BuOLhbyw==
X-Received: by 2002:a05:6402:847:b0:412:f151:6ad1 with SMTP id
b7-20020a056402084700b00412f1516ad1mr11771473edz.36.1645525669117;
Tue, 22 Feb 2022 02:27:49 -0800 (PST)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7])
by smtp.gmail.com with ESMTPSA id n2sm6311417ejl.55.2022.02.22.02.27.48
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 22 Feb 2022 02:27:48 -0800 (PST)
Date: Tue, 22 Feb 2022 11:27:47 +0100
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <YhS6o18CMnvZoMMm@snel>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/joNU_hxS5Lt61zJxHoVo8mTqT0E>
Subject: [Sidrops] Indeed,
we are not done yet (Was: [routing-wg] misconceptions about ROV)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>,
<mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>,
<mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2022 10:27:59 -0000
Hello all, On Tue, Feb 22, 2022 at 09:41:36AM +0100, Tim Bruijnzeels wrote: > Which is why I think it would be very good to re-double the WG efforts > on moving ASPA forward. It probably bears repeating: ASPA and BGPsec are complementary technologies. Each attempts to solve a different problem space. There is no overlap. > It was also suggested in the past few months that BGPSec should get > a new impulse by supporting it in the RIPE NCC hosted RPKI: > https://www.ripe.net/ripe/mail/archives/routing-wg/2021-September/004410.html > > My responses in that thread were a bit skeptical to the point of being > misunderstood as obstruction to the idea. I am not against BGPSec itself. > Far from it. I just want to believe that it can work. At times it is easy to mistake someone's skepticism for a message of Fear, Uncertainty, and Doubt. Especially when considering the finality of such discussions: would you be the one implementing BGPsec in the RIPE NCC RPKI dashboard? Are you the one configuring routers to use BGPsec? Is your personal belief in BGPsec a necessity for the global deployment of BGPsec? > My issue was about how BGPSec can be implemented incrementally and > scale *automatically*. I know of the idea that operators turn it on > (and off?) because they somehow know (out-of-band?) that it's safe to > do so. But, (1) I don't see this scale, (2) this can result in outages > if operators get it wrong (path invalid), and (3) I don't see this > work cross-transit - which is probably where the problem of spoofed > origin attacks is worse. Are you speaking from your own experience deploying BGP security measures in IP networks, operating the BGP side of an ISP/IXP/CDN? Phrased differently: is it really important for you to understand how exactly something scales, if you aren't personally (or as organization) scaling & deploying a given technology? What is it to you whether BGPsec is "scalable" or not? How does one even define "scale", what metrics are used to judge feasibility or value? For example, has it been contemplated whether BGPsec offers benefits when deployed at 'small' scale? ('small scale' for example being third-party CDN caches embedded inside ISP networks which use BGP). I share Randy Bush's perspective on this matter: https://mailman.nanog.org/pipermail/nanog/2021-December/217003.html Another point worth mentioning: many people consider "Internet Consolidation" [0] to be a detrimental evolution, however there is a silver lining, an aspect that can be used to the collective's advantage: because of consolidation, fewer market players need to take action to positively impact the Internet experience of the masses [1]. > In my view, this comes from the property that BGPSec validated paths > can only be valid or invalid. There is no 'unknown' - because in a > nutshell then adversaries could do a simple downgrade attack. I'd encourage everyone to use more precise wording: The phrase 'unknown' does not appear in RFC 6811, there is "Not Found". "Not Found" is the DFZ's starting state, because when the Internet was created there were no RPKI ROAs. Thus it must be like that - because how else would one accomplish incrementally deployability for ROV? :-) If one zooms in, the notion of 'Not Found' as a third state really is a complicated one: the cryptographic verification process for ROA EE certificates only has two outcomes: valid or invalid. The origin validation of BGP routes covered by one or more ROAs only has two outcomes: valid or invalid. I view the polarity of the outcome of the BGPsec's verification process in a similar fashion. > All that said, if we could have a constructive discussion about > solving the BGPSec deployment challenges then I would welcome it very > much. Perhaps, it would be possible to signal (with signed objects in > the RPKI) when BGPSec is applicable - and when a downgrade has > happened.. somehow? No, I don't have the answer but we may want to put > our minds together. I'd like to encourage you (and others) to first focus on implementing rudimentary support for BGPsec Router Keys "according to current RFCs", rather than leaping towards defining new signed objects. The definition of new objects should be informed by operational experience, perhaps summarized in a gap analysis. I think that at this stage working towards gathering real world operational experience is a prerequisite before extending the BGPsec protocol specifications in one direction or another. Horse before cart so to speak. :-) Regards, Job [0]: https://datatracker.ietf.org/doc/html/draft-arkko-iab-internet-consolidation [1]: slide 9 https://storage.googleapis.com/site-media-prod/meetings/NANOG84/2488/20220214_Madory_Measuring_Rpki_Rov_v1.pdf
- [Sidrops] Indeed, we are not done yet (Was: [rout… Job Snijders
- Re: [Sidrops] Indeed, we are not done yet (Was: [… Tim Bruijnzeels
- Re: [Sidrops] Indeed, we are not done yet (Was: [… Job Snijders