IETF Logo Mail Archive

Re: [Sidrops] Alvaro Retana's No Objection on draft-ietf-sidrops-rpkimaxlen-12: (with COMMENT)

Ben Maddison <benm@workonline.africa> Wed, 10 August 2022 10:56 UTC

Return-Path: <benm@workonline.africa>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C3BC15948B; Wed, 10 Aug 2022 03:56:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=workonline.africa
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 61EaXaUYdV0v; Wed, 10 Aug 2022 03:56:35 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60085.outbound.protection.outlook.com [40.107.6.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92C8BC14F738; Wed, 10 Aug 2022 03:56:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hcFwMgfz96ymkShVVGjDLUUMWNUL5L3yjWuIGwePr0z2/SPYNfLxMJcksra1ZCGlTpeuYnf8lOFege4u9WfU6vY1PVZdpimn95vTSrsVX27UdTkjmDY9OxJkD9Wa1JRMpB/RjU+Uka+pon5mr1c0mTJFdTuaGmU9//vlaVknPEpAvX13aQ4l7le2UYs0OuZPW9CFskzqsktSI395SK7G3oWaW8lV9S5IhuK3OJkMKDbOyjTg29nTqXJQq0OVwPbMumJyexlKK3xjIKm1EFFGikzKOs1Z6ZTfqYW+D4ieIJVq/bxkd8qU44QqDY/5VkASX068ma3J+oQ2lJun/fbQFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CC7WyqvQflzTv6vBJHd6IKwAJOzQj4e0q7IS1iyoHD8=; b=k3gquxRhRrunyUy3cJZECVry4UvxZ9y8gftGIp/Nm7X63nvLF5igpoEF2ONnEu4QqrV0q+CE5gpXiXoKg+aBAOPhZ93wF9dOgjgoVrb2MXMTfWEn5GQjRybbo/CbJIOO9hXX8ozZlgeQCaZGgzMXp0cDaQCAIUu2Qzlv8ndkYicC4fn0v3SCfitkYUt8vjt7q47Mo52HiJOzHFmbHynZzmjChX8Rsx16corOXyKF6Iq9T8xEVWlnqx7H28vTGJBHqKcd7PgLsCEhEAoglLlaXnd4cYI80kqy/Du+174H43jsV8aQWwQIzGOFoZa8co9H11RXwGmGliW0g/rhEya8EA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=workonline.africa; dmarc=pass action=none header.from=workonline.africa; dkim=pass header.d=workonline.africa; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=workonline.africa; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CC7WyqvQflzTv6vBJHd6IKwAJOzQj4e0q7IS1iyoHD8=; b=Rz+XT7DbXvzXtJWNbPh63raB5j3tsVnAlrKDCAdmrwKKFQma2re3tjnKxPzEJGe/kXlCelxOtlDY96EjtM4MudrxPU0YeI1gnJ14M9YBEIP672EJao2KZFEmIN/Q3HXYgD3/OsW0IL3aRiW9DmW3EtXD9/gB//Q+ETgZ9hiccyI=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=workonline.africa;
Received: from AS8P190MB1078.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:2e7::13) by DBAP190MB0933.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:1b1::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5525.11; Wed, 10 Aug 2022 10:56:26 +0000
Received: from AS8P190MB1078.EURP190.PROD.OUTLOOK.COM ([fe80::24e3:a696:db62:47e8]) by AS8P190MB1078.EURP190.PROD.OUTLOOK.COM ([fe80::24e3:a696:db62:47e8%8]) with mapi id 15.20.5504.021; Wed, 10 Aug 2022 10:56:25 +0000
Date: Wed, 10 Aug 2022 12:56:18 +0200
From: Ben Maddison <benm@workonline.africa>
To: Alvaro Retana <aretana.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-sidrops-rpkimaxlen@ietf.org, sidrops-chairs@ietf.org, sidrops@ietf.org, morrowc@ops-netman.net
Message-ID: <20220810105618.yueivflxkx72b24h@benm-laptop>
References: <165999488384.24516.14815105547545369665@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="7phjixghhmzvojiy"
Content-Disposition: inline
In-Reply-To: <165999488384.24516.14815105547545369665@ietfa.amsl.com>
X-ClientProxiedBy: CT2P275CA0071.ZAFP275.PROD.OUTLOOK.COM (2603:1086:100:27::11) To AS8P190MB1078.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:2e7::13)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 960cd49d-4036-47a2-6461-08da7abef879
X-MS-TrafficTypeDiagnostic: DBAP190MB0933:EE_
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: YpwITrsiryfBdhjSj+LmDwbdtvv3Uk0EkjQEJouxqRfNZxGVJamcjrdUwTIfgekjlsSf9Q5ugNBiUQw1b3o4vM1FA6Zk7zFfHnHxDivU8eqhVG4W7Zlb2DwYiHUM8ld6pzdc9Zekyn3a1qcbcUoCcItuRc95aoDK8F52OxjXeLVXNJYsPRscw1tX2IAn2iX9C6fYHYKek9N++6n+T8b2OPUHYitAfh2Nz3KY9mbyIXXvXD6kmS8NSXU5Advq5a3/R1BGCxlwzajTTCeFByCovmGtJhLKlc5BjSAGF40CkHq0FA593nh4UN2Q3LQi+AleuFJd6RQCHr029HW/qezRFKRfTJAYrgKcTxM5YeX8WzJ6lf3Cx1JkfJi9fdkvrwAeIXZWynk1RsUABrCRQqm+TQ9v5MKZKyPbJiuDBWhaRuYhJQ7zLI3hatCAuFaqyE4b3xh+aDEbqgu2GVN6TvxXvd4qO08NtU1eqBBaE5rJ8oGTfIOLtRvEhr8GN2rX74V2leqTFWz5MtdD0OtIuW5eM+lZ9zfcSm0AEHQKD9qkPw+c2aqKDsBzpC036F7nQuhB43Kkt+ii8lrr7sIRXA8DbtOdPsXnt+u/sp5Dj1HUT59CZsZj2ehVQFfBbsM16YkLvs1SnO5RHhZZdhK2vhqhzCVSZ6R0S2wNPl+1ZYKYSR7DQqBJ+EYaBPu/T4oWBXzNPRVVM8cN7bE2Kvw7sseMv+XL17yhXnhP0lJS65yOAhL75cHxEBjm637Mkk8ot7XUnJbSM9VvGqKB67CZ8pVXVhBEDbVCSHGXdOeaSO9IqNAHAlZY+p4zu6eK+aU/peYo5vNuoc+kSETh0iKbuDtTHlx2NNTczgJbS3Y+FVIx4Ro=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8P190MB1078.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(7916004)(346002)(136003)(396003)(366004)(376002)(39830400003)(33716001)(44144004)(38100700002)(52116002)(38350700002)(41300700001)(83380400001)(6666004)(6506007)(186003)(1076003)(21480400003)(26005)(6512007)(2906002)(9686003)(8676002)(66556008)(66946007)(4326008)(66476007)(316002)(6916009)(5660300002)(8936002)(6486002)(478600001)(86362001)(46492015)(2700100001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: jgH7HjN/wqgKrn8zwe9yLjb8t0E0FBrH/kVYe9loxqC0GEef+XLFDG+2yFEv3EuNfwTDyfzBGL1IN9jYzC7rZdZ3kvq+g7gwOWKPaaLnqA2qfRiaPhzzBXNLMWdgaYl0fRIjJPCBqtzox6j3xKTuP4zYlnm/QjiOiW3L5K7G1T47BEGhgIusIkyw657NnfWEuxqVoKh9mHA/oz74eqbjd7ClcM+UCE0ey6HW6kqzkn7uxJv8y/UZ5L6bksRslKagNOD3kpqHpBpMZt3q4B1ZfphkaTaxkleo9w6I0WHOjJMVghXcGO8rsC8EcmC4QE+PNRrXSJ6J7cMzQ7nzi98H0Y4Rc2and0GHNPNSJGBnnkQenrlwF7T0VqtMcTHveC6Wki7CmhikqiaZXILcCtbU+KJjdagsvN7MUo7A7cr8BiE0O9bBcBJMVcSyZToL7cr8BfgDt5lkz3UyGNqbzUppy9aUmOh/uoq3Y6Fwzg6ZJRG1P8ixMIW5msmyeVeWes8CHgdYSJ7kLrusWaR7k9fes5RJu5qAePDWL+Hzzs9bGhLfk8esnPqBtcrFlKtfGbwkE6lPT8t7g8I64QmA5ZPAUX0w8I5yZoQ9PmgmzRQ9z7AgMnbTFZT4Hx8ez6Y3ubNaDm1v6n8Dq/iebX4CQl8je0NBivkSH9kT8pNMBsomoZ8ctsvanCjDifOf/k5Aj71/m/IkJS5vMbfJE62fzsxYU7D1rE96t83w/O2KN563A/0fy1AdEVHo9hr2uoKPBOJIglFUs7VS8jWWN6lHFh5otelDja7biNwk+e64kSNZpbC5InRzuZv2YovGl/Q6tgt699nogzN27/iLnxei/9gk6cXlSG+VTJHK66Q270s5a5rySKCa0PKuYAgpNhJvOcNKju3Y2ed9QQ0qMYgqpMYF4aJUThqtjSGMmblvGGz8eNOMkQhYBHuqY+DGCXiEN5YNSrNWgnrcHlz4km7vyNpKODdytUa87OxmwTNGGzVJMsCeEnnX1x+8HUvLbP9LXHNmxUvJJABMMnoMOxz1AHrpHtUoU9qdo5beTVTGdNVp/eCOhe2D/ZgGZ6FXHWV1G5GosmhfBkmsbgU3b3wt5QM+NuNFYvQ1a5QWhZLkAZMMKFbnnR7WOI3exOzqkzcAm9ToHEoaLCO3DnqIy68JLm5n48V+ZtM/gY7LqrjF+uNcdmqdHWjo1Dz17QRbXWHn528F8uVK4cEnSghumcJsws4X73BJU3lMDiPI2l9o190Msi3U7HwnMk5tG7XU+07pn9mv3E0RkjpKuhzfA8KS15sh9lnUVTUC1up35jqxFwjrZoW0uIkqNCjRWs+sjIXa67GiTLmt/71b0bvFtvCPrlh7GYKNNI26WCnVfDTt978BauScUVYNgkmXqkAkAJWtcVvRfOUG8iXyBrlAaama4nTEWF/z85yeGp3iogJn4L4QQ7+jLs++THKI/zl94YRKhMrH1iHM6NFc/aMU1YzazxTvuDColg0VYGg5YmBvsBxZYsZd2M0rkfD+mRjZLANIiUNycGbiDaj4nLbBgqjwqrrBOK1gJ4Dbfkd/7eNIko3sJPw6nnkKiKSFGJhAk7WLdxMy
X-OriginatorOrg: workonline.africa
X-MS-Exchange-CrossTenant-Network-Message-Id: 960cd49d-4036-47a2-6461-08da7abef879
X-MS-Exchange-CrossTenant-AuthSource: AS8P190MB1078.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Aug 2022 10:56:25.8845 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: b4e811d5-95e8-453a-b640-0fba8d3b9ef7
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: kQ4vmxaJ9y4JLpqlj097s3gonqxAR947rCwjeYIfKGoz+uQhNrnzp7lVl+aml3F0yKD53qniFR01cRijA4ucsQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAP190MB0933
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/nSnWggZtiQrY7HJvnHjnYsLpKNc>
Subject: Re: [Sidrops] Alvaro Retana's No Objection on draft-ietf-sidrops-rpkimaxlen-12: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2022 10:56:40 -0000

Hi Alvaro,

Thanks for the review. Some responses to your comments below...

On 08/08, Alvaro Retana via Datatracker wrote:
[..]
> (1) The running example makes the text clear -- but by being a minimal example
> (only a couple of prefixes are involved) it may oversimplify the potential
> operational complexity of maintaining a set of minimal ROAs.
> 
> In particular, operators with short prefixes and many advertisements of both
> IPv4 and IPv6 may have a harder time keeping up with changes.  I would love to
> see some text around the challenges that applying the recommendations at scale
> may bring, which may also "result in a self-inflicted denial of service" (to
> use the description in §7).

I doubt that such an operator would fail to see that their situation is
more operationally complex than the example.

Perhaps something along the lines of:

    The recommendations made in section 5 are likely to be more onerous
    for operators utilising large IP address space allocations from
    which many more-specific advertisements are made in BGP. Operators
    of such networks are encouraged to seek opportunities to automate
    the required procedures in order to minimise manual operational
    burden.

Even the above seems a bit tautological to me! Thoughts?

> (2) This text in §5 talks about the maintenance steps (review, replace, repeat):
> 
>    Operators that have existing ROAs published in the RPKI system SHOULD
>    perform a review of such objects, especially where they make use of
>    the maxLength attribute, to ensure that the set of included prefixes
>    is "minimal" with respect to the current BGP origination and routing
>    policies.  Published ROAs SHOULD be replaced as necessary.  Such an
>    exercise SHOULD be repeated whenever the operator makes changes to
>    either policy.
> 
> I assume that throughout the document "SHOULD" is used because, even though
> this is a BCP, the practice is only recommended.

Correct. MUST feels weird in an Ops BCP. Maybe that's just me.

> That is not an issue for me, except for the last recommendation above:
> the "exercise SHOULD be repeated whenever the operator makes changes
> to either policy".  If the recommendations in this document are
> followed, a review of the system should be required, not just
> recommended.

I think they should either all be MUST or all be SHOULD. Changing only
the last sentence would mean performing a review initially is
operational, but performing subsequent reviews is required, which I
think is poor advice.

I generally think MUST is odd in this kind of doc, but I'm happy to
accept guidance on this.

> (3) I find the Security Considerations misleading because none of the potential
> issues (even ones that could "result in a self-inflicted denial of service")
> are listed there.  I realize that previous versions had text that was moved
> elsewhere -- I won't insist on changing it back; this comment is here just for
> the record.

Ack. The whole document is really an enumeration of security
considerations, and reiterating every conclusion in that section for the
sake of form did not seem to be productive.

> (4) "The recommendations complement and extend those in [RFC7115]."
> 
> It seems to me that this document should formally Update rfc7115 as there are
> related considerations mentioned there.  I checked the archive but couldn't
> find a related discussion.  Was an Update considered?

To the best of my recollection, no.

I'm inclined to agree that this should probably update 7115. Given that
the original author of that document has indicated he is, at best,
lukewarm about this draft, I'd appreciate some guidance on the etiquette
here?

Cheers,

Ben

v2.23.0 | Report a Bug | By Email