Re: [Sidrops] New Version Notification for draft-sriram-sidrops-drop-invalid-policy-00.txt
Jay Borkenhagen <jayb@braeburn.org> Fri, 09 March 2018 16:29 UTC
Return-Path: <jayb@oz.mt.att.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1445612D82F; Fri, 9 Mar 2018 08:29:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mAtiSFFqYMT5; Fri, 9 Mar 2018 08:29:24 -0800 (PST)
Received: from hrabosky.cbbtier3.att.net (hrabosky.cbbtier3.att.net [12.0.1.25]) by ietfa.amsl.com (Postfix) with ESMTP id 49B1912D810; Fri, 9 Mar 2018 08:29:16 -0800 (PST)
Received: from oz.mt.att.com (zoe.cbbtier3.att.net [12.0.1.45]) by hrabosky.cbbtier3.att.net (Postfix) with ESMTP id 364B31E39D; Fri, 9 Mar 2018 16:29:15 +0000 (UTC)
Received: by oz.mt.att.com (Postfix, from userid 1000) id 28898A402C2; Fri, 9 Mar 2018 11:29:15 -0500 (EST)
X-Mailer: emacs 24.3.1 (via feedmail 11-beta-1 I); VM 8.2.0b under 24.3.1 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23202.46675.595670.703736@oz.mt.att.com>
Date: Fri, 09 Mar 2018 11:29:07 -0500
From: Jay Borkenhagen <jayb@braeburn.org>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>, "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>
In-Reply-To: <BYAPR09MB2773819AB3961189CDA9B4D784D90@BYAPR09MB2773.namprd09.prod.outlook.com>
References: <152029076512.12908.14537578849320525718.idtracker@ietfa.amsl.com> <BYAPR09MB2773819AB3961189CDA9B4D784D90@BYAPR09MB2773.namprd09.prod.outlook.com>
Reply-To: Jay Borkenhagen <jayb@braeburn.org>
X-GPG-Fingerprint: DDDB 542E D988 94D0 82D3 D198 7DED 6648 2308 D3C0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/nRklAJHOizj-OJa7gnhk49aqAOQ>
Subject: Re: [Sidrops] New Version Notification for draft-sriram-sidrops-drop-invalid-policy-00.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2018 16:29:35 -0000
Sriram, I can appreciate this motivation for your draft: Suppose Popular Site X does not know what they're doing, and they publish a bad ROA that makes the only route announcement for their address space be invalid. ISP-A competes with ISP-B, and Customer-C multihomes to both. ISP-A implements route origin validation and drops invalid routes -- including that route to X. ISP-B does no route origin validation, so they accept and propagate the route to X. Customer-C does not know or care about origin validation -- they only see that ISP-A cannot reach X while ISP-B can, so Customer-C thinks ISP-A sucks and decides to give ISP-B more business. ISP-A should not be punished for trying to do the right thing, but before we conclude that this situation deserves a technical workaround, consider: (1) Those who care about Internet routing security/sanity should attempt to educate the folks at Popular Site X, to teach them why that ROA is wrong. This education can be done even before lots of providers employ a 'drop invalid' policy -- in fact I know some subscribers to this list have received emails from me saying "Y'know, you're currently announcing some invalids." Later on, that education will happen the hard way when Popular Site X finds they cannot be reached from many networks who by then drop invalids. (2) Who's to say that an invalid-only route is invalid because of a bad ROA, and not because someone other than the legit owner is squatting on that address space? Clearly squatting can happen on Not Found space, too, but there could be reasons why they prefer to squat on this space that happens to be covered by a ROA. I think it's a better outcome for people to realize what a ROA actually means and how it gets used, rather than guessing that someone made a mistake. I'll stop here for now, but I'll also note that I would not want any of my router vendors to implement the DISR Policy. I'll save those reasons for later. Jay B. Sriram, Kotikalapudi (Fed) writes: > We have requested the chairs for time on the SIDROPS meeting agenda to discuss this work: > > https://tools.ietf.org/html/draft-sriram-sidrops-drop-invalid-policy-00 > > The authors would appreciate comments/discussion on the list as well. > > Sriram > ________________________________________ > From: internet-drafts@ietf.org <internet-drafts@ietf.org> > Sent: Monday, March 5, 2018 5:59 PM > To: Sriram, Kotikalapudi (Fed); Montgomery, Douglas (Fed); Borchert, Oliver (Fed) > Subject: New Version Notification for draft-sriram-sidrops-drop-invalid-policy-00.txt > > A new version of I-D, draft-sriram-sidrops-drop-invalid-policy-00.txt > has been successfully submitted by Kotikalapudi Sriram and posted to the > IETF repository. > > Name: draft-sriram-sidrops-drop-invalid-policy > Revision: 00 > Title: Origin Validation Policy Considerations for Dropping Invalid Routes > Document date: 2018-03-05 > Group: Individual Submission > Pages: 6 > > https://tools.ietf.org/html/draft-sriram-sidrops-drop-invalid-policy-00 > > Abstract: > During incremental deployment of RPKI and Route Origin Authorizations > (and possibly under some transient conditions), network operators > would wish to have a meaningful policy for dropping Invalid routes. > Their goal is to balance (A) dropping Invalid routes so hijacked > routes can be eliminated, versus (B) tolerance for missing or > erroneously created ROAs for customer prefixes. This document > considers a Drop Invalid if Still Routable (DISR) policy that is > based on these considerations. The key principle of DISR policy is > that an Invalid route can be dropped if a Valid or NotFound route > exists for a subsuming less specific prefix. > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- Re: [Sidrops] New Version Notification for draft-… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Tim Bruijnzeels
- Re: [Sidrops] New Version Notification for draft-… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] New Version Notification for draft-… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] New Version Notification for draft-… Montgomery, Douglas (Fed)
- Re: [Sidrops] New Version Notification for draft-… Tim Bruijnzeels
- Re: [Sidrops] New Version Notification for draft-… Montgomery, Douglas (Fed)
- Re: [Sidrops] New Version Notification for draft-… Stephen Kent
- Re: [Sidrops] New Version Notification for draft-… Jay Borkenhagen
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Montgomery, Douglas (Fed)
- Re: [Sidrops] New Version Notification for draft-… Randy Bush
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Randy Bush
- Re: [Sidrops] New Version Notification for draft-… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Geoff Huston
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Geoff Huston
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Tim Bruijnzeels
- Re: [Sidrops] New Version Notification for draft-… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] New Version Notification for draft-… Jay Borkenhagen
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Borchert, Oliver (Fed)
- Re: [Sidrops] New Version Notification for draft-… Stephen Kent
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Montgomery, Douglas (Fed)
- Re: [Sidrops] New Version Notification for draft-… Randy Bush
- Re: [Sidrops] New Version Notification for draft-… Stephen Kent
- Re: [Sidrops] New Version Notification for draft-… Borchert, Oliver (Fed)
- Re: [Sidrops] New Version Notification for draft-… Jeffrey Haas
- Re: [Sidrops] New Version Notification for draft-… Job Snijders
- Re: [Sidrops] New Version Notification for draft-… Jeffrey Haas