Re: [Sidrops] draft-ymbk-rpki-rov-timing-00.txt
Tim Bruijnzeels <tim@nlnetlabs.nl> Wed, 22 April 2020 12:59 UTC
Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F50D3A0BA1 for <sidrops@ietfa.amsl.com>; Wed, 22 Apr 2020 05:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnERluGywKwO for <sidrops@ietfa.amsl.com>; Wed, 22 Apr 2020 05:59:22 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66A993A0BA8 for <sidrops@ietf.org>; Wed, 22 Apr 2020 05:59:22 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:143e:3685:6859:5dc0] (unknown [IPv6:2001:981:4b52:1:143e:3685:6859:5dc0]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id A745C16D62; Wed, 22 Apr 2020 14:59:20 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1587560360; bh=JRMbWWOKMun8MWTTzpipHMyoeGkugFKm2HonlawoGaU=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=ndfu+eMk1TjOzwMhlixdUAuy0ir6CHZoIrS2Ejq9Vqnu+Ma2AFFYTFoBu2wHyZWMb j905g/CN1GMLYYSU3vjBinFGdVltg1J+1NFXdLGEQJ9J9DG0jUC6AYYxFk6rYoefXm JHd3s1CfUAqtjxJvx8JiCV4rwS36qZa6ZvlG+H+8=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <m2h7xbg0vo.wl-randy@psg.com>
Date: Wed, 22 Apr 2020 14:59:20 +0200
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <437D9E9B-D44F-42A0-8BCF-58D0AD272BA9@nlnetlabs.nl>
References: <m2k128harb.wl-randy@psg.com> <98A4118B-83F0-4BBD-BA22-794ADA475731@nlnetlabs.nl> <m2h7xbg0vo.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/npdx5HELRazdl_tVg353nNrCNAI>
Subject: Re: [Sidrops] draft-ymbk-rpki-rov-timing-00.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 12:59:25 -0000
hi, > On 22 Apr 2020, at 14:28, Randy Bush <randy@psg.com> wrote: > > mornin' tim, > > thanks for review! > >> s/rcynic/rsync/g > > massimiliano already beat me up on that this morning. he had done a PR, > i merged it, and then let spell check revert it <blush>. > >> Furthermore, I think the document could use some words on the chain >> before the CA. i.e. timing of creation of ROAs in the CA w.r.t. >> changes in announcements done. > > i am not understanding. do you mean possible CA to publication point > delay? No I mean the delay between deciding to make a change in routing announcements that one does, and using one's CA to create the ROAs. I.e. before section 4 in your draft applies. > >> I would say that for planned changes ROAs should be created in >> advance > > yes. this was discussed many time in the design team. the ddos defense > folk essentially said that most of the 'customers' come running in the > door in panic and had never thought to do advanced planning. while i > have some sympathy for that, i am not sure what we can say here other > than > o try to constrain the propagation time > o point out that roa creation in advance of operational changes, be it > circuit moves, ddos sinking, ... should be done sufficiently in > advance. > > i'll try to do more. > >> As a side note. We are discussing moving from rsync to RRDP in another >> thread. I believe that RRDP will help reduce propagation times. > > i tried to say that. will look again. You did, this was just a lead to the following. > >> I have no doubt that further improvements can be conceived in future. >> It helps to have guidance for maximum propagation times to serve as >> guidance for requirements there. > > i am not understanding. maybe some coffee will help. What I am trying to say is thank you :) In more words, hopefully less confusing, I find it useful to have this document say what the operational expectations are w.r.t. total propagation times: Planned: 1 - Create ROAs in CA (implied in section 4, but logically a step before the next) 2 - Let CAs publish (your section 4) 3 - Let RPs fetch and valid (section 5) 4 - Let routers fetch and apply (section 6) 5 - Do the actual announcement Unplanned: 5 - Do the actual announcement Becomes: 0 - Do the actual announcement But then you will still need to keep in mind how much time 1-4 takes, because until 4 is reached your announcement may be dropped. RRDP has a limit of 60 seconds for fetching, w.r.t. point #3 (section 5). I think it will actually scale up to something faster if needed. Alternatively one could thing of push mechanisms or some flooding protocol in future. That said, it's only one kink in the chain. E.g. if there is a delay of an hour between #1 (create ROAs) and #2 (actual publication) then this won't matter much - yes, I am using a hyperbole to make a point :) In any case, knowing how long the propagation from 1 through 4 can reasonably take will help guide what to improve. > > thanks again. > > randy
- [Sidrops] draft-ymbk-rpki-rov-timing-00.txt Randy Bush
- Re: [Sidrops] draft-ymbk-rpki-rov-timing-00.txt Melchior Aelmans
- Re: [Sidrops] draft-ymbk-rpki-rov-timing-00.txt Tim Bruijnzeels
- Re: [Sidrops] draft-ymbk-rpki-rov-timing-00.txt Randy Bush
- Re: [Sidrops] draft-ymbk-rpki-rov-timing-00.txt Tim Bruijnzeels