Re: [Sidrops] ASPA verification algorithm error

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Thu, 11 February 2021 02:27 UTC

Return-Path: <jheitz@cisco.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDA263A0EEA for <sidrops@ietfa.amsl.com>; Wed, 10 Feb 2021 18:27:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.62
X-Spam-Level:
X-Spam-Status: No, score=-9.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=KZpZUi7a; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Euyhztoy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 52PNuKjGsi2J for <sidrops@ietfa.amsl.com>; Wed, 10 Feb 2021 18:27:34 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 297833A0EEB for <sidrops@ietf.org>; Wed, 10 Feb 2021 18:27:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2167; q=dns/txt; s=iport; t=1613010453; x=1614220053; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=zbYYyijymcud+KHxNbzGtqYzr6fqaHADf9QTPVScMBQ=; b=KZpZUi7acv0i+GphB3WB8igzyZwi6dt+ttlNVQrzcwJ1iH1xP6cr1lVC UXx4hdXLXJCXL6iLbIG7ze5xKNeSG7ZIwtNknyKPyxTDttEL9oqPAyN8F 3C653oXyXiQ5oqgmfgg5VARImL3bSBusyuhXBK+kQigU3b3i2074BUs/C M=;
IronPort-PHdr: =?us-ascii?q?9a23=3A01S5bxauK7N30euj5Hu7Ux3/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el21QaRD4HH8fMChveF+6zjWGlV55GHvThCdZFXTB?= =?us-ascii?q?YKhI0QmBBoG8+KD0D3bZuIJyw3FchPThlpqne8N0UGHNrkZhvfvy764TsbAB?= =?us-ascii?q?6qMw1zK6z8EZLTiMLi0ee09tXTbgxEiSD7b6l1KUC9rB7asY8dho4xJw=3D?= =?us-ascii?q?=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ALAAArlSRg/5pdJa1iGgEBAQEBAQE?= =?us-ascii?q?BAQEDAQEBARIBAQEBAgIBAQEBQIE7BQEBAQELAYFSUQd2WjYxiAkDhFmJNwO?= =?us-ascii?q?ZHIEugSUDVAsBAQENAQEYCwoCBAEBhAdEAoIDAiU0CQ4CAwEBCwEBBQEBAQI?= =?us-ascii?q?BBgRxhWENhkMBAQEBAwEBJRMGAQEsBAcBCwQCAQgRBAEBAR0BECcLHQgBAQQ?= =?us-ascii?q?BDQUIgmmCVQMuAQ6lFQKKJXSBATODBAEBBoE3AoNSGIISAwaBOAGCdYpHJhu?= =?us-ascii?q?BQT+BEUOCVj6CXQEBAgGBXoNIgiuCRG4UPQJbPWtIuUAKgnqJNpJzoyiQAoQ?= =?us-ascii?q?0iyuWTAICAgIEBQIOAQEGgVU6gVdwFTuCaVAXAg2OH4NxhRSFRXMCNQIGCgE?= =?us-ascii?q?BAwl8ij1aAQE?=
X-IronPort-AV: E=Sophos;i="5.81,169,1610409600"; d="scan'208";a="850685495"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 11 Feb 2021 02:27:32 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 11B2RWmA021492 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 11 Feb 2021 02:27:33 GMT
Received: from xfe-aln-005.cisco.com (173.37.135.125) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 10 Feb 2021 20:27:32 -0600
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xfe-aln-005.cisco.com (173.37.135.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.792.3; Wed, 10 Feb 2021 20:27:32 -0600
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 10 Feb 2021 20:27:32 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Jvxjuk8zqaMs4AMKn3u2kLIEaG5vWaHvQXxSB3sX3hYx0yhmhmA1cDhr6Bd5+fuhHcuce7V1f5wBwQvmNP5mZbVzwC40hWnunoX5mCBVlXvEKSFFCORDr04zXNSApUB0cRAxhJBFNWwVPFrMr/TM1MvTaj3qCCejucfKWjxbqMgJtRB7oJc4Tq8gpUZ1fmkwvMB1FnOtbwvVZwxMMd0bg/PHcPZpTDYMvb1N4ZC9x804HGyltOQu1zDdAsWFE7+LEZlGlkI5Ufm3660FDP3+ahAjejmxHXfiKHitkM2RRRB6qGzP96S0SqaK1nFNySTwA9njMaA6JXhIGWBm4Ng1wg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CwoRdWkePQq7Thb19r/Ncf0FZuf089uuepmZuoswi+E=; b=jnKvW5B41+EVgvVwL3sQY4lgI/mIszfFbqfZ/aljFBUGbHMwV22rQVXyyQvxgg2fiOHdCvaqlaX4EGZ4unYPvQjYPLu2cc3kSBlz6inGuH3FljzgrCVZoHJ2JcGS/6X10VnFGfNbk9lTin7i3WPbhjpTf8gbiiuwEk8B7jBZjrW5malOQZ6ODXYO4cfCFtlukThDE74Ji7nA3iY3H+dmiwm4ubHyA4ZugBOPCyGFdouDaYG0vC5nShvjNaVamAarxOZ7VwRebDa3YSXZNaRZKyfK9xqXyEQJYUHX+5/Xw74JITDFVRYMpXN4Ig74rg+m3eyhG9vG7SDpgLyKAB1M0w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CwoRdWkePQq7Thb19r/Ncf0FZuf089uuepmZuoswi+E=; b=EuyhztoyvUMv2U8us2ZsOiwqxsXH5kjSx+qoDJvEkeG0+G+BAevfGusIiJkbTdyvaN6/im4XLGgDgQ97OmXVEKCscf5dKlfs6ut8L8pfwTjYv5YwNn/juOGJ/OyYocH/xywlNa6LPvtvMt4fIz9QNNwbNZRIQvQo/0V6E7AAuFc=
Received: from BYAPR11MB3207.namprd11.prod.outlook.com (2603:10b6:a03:7c::14) by BY5PR11MB4069.namprd11.prod.outlook.com (2603:10b6:a03:191::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.25; Thu, 11 Feb 2021 02:27:31 +0000
Received: from BYAPR11MB3207.namprd11.prod.outlook.com ([fe80::c951:3ae4:1aca:9daf]) by BYAPR11MB3207.namprd11.prod.outlook.com ([fe80::c951:3ae4:1aca:9daf%3]) with mapi id 15.20.3825.030; Thu, 11 Feb 2021 02:27:31 +0000
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Lukas Tribus <lukas@ltri.eu>, "Jakob Heitz (jheitz)" <jheitz=40cisco.com@dmarc.ietf.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] ASPA verification algorithm error
Thread-Index: AdbwhlK9z1axTpzkRWyI9nY082H2KAPh4G+AAANgFnA=
Date: Thu, 11 Feb 2021 02:27:30 +0000
Message-ID: <BYAPR11MB3207BD021F246199C7E4CCD6C08C9@BYAPR11MB3207.namprd11.prod.outlook.com>
References: <BYAPR11MB320714401DE9AFBF5D24C832C0A09@BYAPR11MB3207.namprd11.prod.outlook.com> <CACC_My906OxmEphW=DOrGhwSagZKf--hd5oLR9uF=24kuA24ag@mail.gmail.com>
In-Reply-To: <CACC_My906OxmEphW=DOrGhwSagZKf--hd5oLR9uF=24kuA24ag@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ltri.eu; dkim=none (message not signed) header.d=none;ltri.eu; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2601:647:5701:46e0:a466:79fe:7183:c553]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e0e52d33-172e-4648-7d5b-08d8ce349553
x-ms-traffictypediagnostic: BY5PR11MB4069:
x-microsoft-antispam-prvs: <BY5PR11MB40698767821A5126FD0BB714C08C9@BY5PR11MB4069.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YT4nn00QKAmLZAAj3LazzLL6VkzGoLCsj6MILTBLoWwf082HCoaYqiku5rOA0AE+awBVY5J5NzFocEtLI1mGj+6vUKz4/1MNJekj/ydcSXTxRv3zvz+f4ot4o1z87vLH5p5Jj6mM4botr7/Y94Xa8W5JRlkkknr2MnJ1A3i/9Kg6iGU2CM4Cz8NWqrd85j+dShZka9IQ9xpKxiOZIWqvTC7BRRLcBnFPpDGVjNynidQ8Yz4r56WFubq28vrBLZf2snmUSJS8fpG95Q510QonTuwx5HTsM1MBtu/TKwIvySqZ6FLw4jJIv7a8e1qt/JMDVbgwVju18D3FSpUFGF6QNobWPvHV32tuRbPcoBLyi+/eA3yBef1K7s72Rgh3QDI0bySSjWVG7rhuPR4sM3gK0wI8ZzZ8KvOGW5WOXP9C4Iq4/QFiedP6OoO0u0FJqQauoDBTabu6yZ7r5+nsVMvIHB3oWucUJQmlfBaAHzFwZPpiXK8UhIAhT0pUPMC/VJebtinDgDbj2FKj4F0YF9hVPICpg+CzdQ9JUO4LMWK1crDFxpipkygsOEK7KfshYeuiquGomNpmdtY9PX7hIjvREd8mj67gwAkC7O1gRnnjyKs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR11MB3207.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(39860400002)(346002)(396003)(136003)(366004)(71200400001)(4326008)(8676002)(2906002)(6506007)(53546011)(52536014)(33656002)(110136005)(66446008)(64756008)(66556008)(66476007)(83380400001)(76116006)(7696005)(5660300002)(86362001)(478600001)(66946007)(8936002)(9686003)(316002)(15650500001)(55016002)(186003)(966005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?us-ascii?Q?gN7NYqcOtHObbcGO3b24DBNn8T5TF8jNI9B3ElIiZG6QDEXf5Dd3T/Bmfpp9?= =?us-ascii?Q?2KA4gVuthMuiMabcwr7c4d2HgIfvZKO3qa2CwwgrKNeku8Yig4vXRyC+83SI?= =?us-ascii?Q?4mJP5k5XYeH2N16b9kLH0KHUI4h9hpI3RmmsBo7qriLsFCPcEAo8ub5B+qyN?= =?us-ascii?Q?VId+ayUZyprslConBMVkullewPV5yu7uhoqw05JTEU2ymlUUAuT41u0R/aPF?= =?us-ascii?Q?//VmO9EVAjUkGk/+c+bvDl8k6E1ue7QcZvH749DnlMSBWDKo4blfhRuxKDWP?= =?us-ascii?Q?V1/bN27wD2ufDHj/SZTPlc5zHw7UKTfXQApK74aX8bL6r2Hh4wSOqaeIEO5D?= =?us-ascii?Q?f86H5/gD2QA+81Z3RLXgnGyCwz47yAk+GjjwQZrKAqyMXcwwKwVKh3/uLcEx?= =?us-ascii?Q?SZbXLqN1Kq1YQiIrw6/+tE+hpuvN5PsVKjMi3P/2VNfsbcMOX++MB0kxfIYN?= =?us-ascii?Q?vGlz5YO+WPBu7iN6mj1D2xgrIncQ1ez+4cZoEG/bfrEUonG49fqMPY93ovIy?= =?us-ascii?Q?o2W/31nPC/jZ9PVfiSCAdO/kfWaDFqEb3d2PZP6W4MWbtF1xFp5Lm05QhV9Z?= =?us-ascii?Q?6lRibr/n/EDlbMP9MgCzjvAfHQG8arjROyE09A6L7nqEIf8j1VwMMtFgFY4D?= =?us-ascii?Q?cEEeQcScfta88I6CzJ67g36iHevfc8EHJ4Q462SFnWFhn6XUCDC3i5kEsZXz?= =?us-ascii?Q?ZdwGnMQeRMr55zH8UMrjy1iBNhrBsEDfafBfA4TtWarJI7d65tNd89XpwPvL?= =?us-ascii?Q?xcXZaTXUAHTdCL+UX1EAh33iV4HZGPHbtP4gLo6vecmC6q/ZkyrXeZbIWvRY?= =?us-ascii?Q?WloOT4Lh0XW91U3jVdfmoh0IOeVS4g7MbiOV7Wq5OO6TL095BabeSd+y1Vqk?= =?us-ascii?Q?SC5EBGs4b2+qd4RO4/NegRWBmQIad3dnQEWt1t0POM7Ex7JVBpTMbgHgsXRs?= =?us-ascii?Q?ZVGV+R+9jW1Tif9/z1kDMNK/fLgph8XQQit7tGIkNnpd8vcfltSsGxEfVNOs?= =?us-ascii?Q?zH9ERoOhojyYsuli0/Z9vMrh7PtfkrpBdzU0ZHA9KnPkO8U3qI1Qh6kGMLTI?= =?us-ascii?Q?olhfwHJ47cZmw/TOxCftPN5Qdcy/LC9TBu7QDcJIODbaxmvlhiaaKQxQUvQO?= =?us-ascii?Q?Ag+dxWJMgqyU1+956ONmjfVn6N7Zvb4PcFF+qXHF1nVlvlNBmvlC4WXwy3AE?= =?us-ascii?Q?8gM/AOiaFR3L4ZPTIjfGoAlQl2wlAlEh5RQdiF8+tiiuYh5Zy5wV3e7Boarv?= =?us-ascii?Q?7u6VqvH6Q9y4RXFt6n0QzTX3+e3NUyMGfNv7gcM9j3Kuf7ggZ83HaJJTQqJ9?= =?us-ascii?Q?YAZa5oh8dOYB1ozbMN6HvcYHlpKl+4+nmsbzTh7YyvAeNZGaQcDuC7q3rhLE?= =?us-ascii?Q?UWA8fCrrfA47w6RcXWljnigwCFzv?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB3207.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e0e52d33-172e-4648-7d5b-08d8ce349553
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Feb 2021 02:27:31.0573 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: w6w4KPhpFzltUMR9Z5RImNh2to9WTW24M3LHkUUeMK2JOgSnzGLzSlj7xYfee0HFdP9zF4EU/Y+hwiqFCNz2lA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR11MB4069
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/mNCCdxsxNGlxmcUAb_xHODaXJzU>
Subject: Re: [Sidrops] ASPA verification algorithm error
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 02:27:36 -0000

All we have is the attestations.
We don't know the actual relationships.
Thus we need to try all possible relationships given the available attestations.
Using the notation where the arrow points to the provider:
A -> B means B is provider for A
A <- B means A is provider for B
A -- B means A and B are bilateral peers
A <> B means A and B are complex or siblings.
then the possible relationships are:
1 -> 2 -- 3 <- 4
1 -> 2 -- 3 <> 4
1 -> 2 -> 3 <- 4
1 -> 2 -> 3 <> 4
1 -> 2 <- 3 <- 4
1 -> 2 <- 3 <> 4
1 -> 2 <> 3 <- 4
1 -> 2 <> 3 <> 4
1 <> 2 -- 3 <- 4
1 <> 2 -- 3 <> 4
1 <> 2 -> 3 <- 4
1 <> 2 -> 3 <> 4
1 <> 2 <- 3 <- 4
1 <> 2 <- 3 <> 4
1 <> 2 <> 3 <- 4
1 <> 2 <> 3 <> 4
All of these possible relationships represent a valid AS_PATH.

Regards,
Jakob.

-----Original Message-----
From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Lukas Tribus
Sent: Wednesday, February 10, 2021 4:36 PM
To: Jakob Heitz (jheitz) <jheitz=40cisco.com@dmarc.ietf.org>
Cc: sidrops@ietf.org
Subject: Re: [Sidrops] ASPA verification algorithm error

On Fri, 22 Jan 2021 at 07:21, Jakob Heitz (jheitz)
<jheitz=40cisco.com@dmarc.ietf.org> wrote:
>
> Consider the as-path (1 2 3 4), where
>
> 1 attests that 2 is its provider
>
> 4 attests that 3 is its provider
>
> 2 and 3 make no attestations.
>
> Then the path is valid.
>
> The algorithm in https://tools.ietf.org/html/draft-ietf-sidrops-aspa-verification-06
>
> would incorrectly return "unknown"

I assume 2 is not a provider for 3 (but a peer)? Wouldn't section 5.2.
"Downstream Paths" make this "valid" then?

Are they "special" non-peers? Then "7.  Mutual Transit (Complex
Relations)" would apply (in that case, without attestation "unkown"
would be expected and a positive attestation required for a "valid"
result) - which I believe is what we want.


I think in this case it would be helpful to include the actual
relationship between the AS you have on your mind, not only the ASPA
attestations.



Lukas

_______________________________________________
Sidrops mailing list
Sidrops@ietf.org
https://www.ietf.org/mailman/listinfo/sidrops