IETF Logo Mail Archive

Re: [Sidrops] ROV with ATOMIC_AGGREGATE

Ben Maddison <benm@workonline.africa> Thu, 12 March 2020 15:57 UTC

Return-Path: <benm@workonline.africa>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A124F3A0C76 for <sidrops@ietfa.amsl.com>; Thu, 12 Mar 2020 08:57:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=workonline.africa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72cSjaibc-Rl for <sidrops@ietfa.amsl.com>; Thu, 12 Mar 2020 08:57:07 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on0625.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0e::625]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DF5B3A084B for <sidrops@ietf.org>; Thu, 12 Mar 2020 08:57:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Bj2EwNoMmXf7hV+ud24UmXpjG/9H2EvMB09ycbeQPFKay+ADxt74PBEeRwN5VvkAOG15OQC322bXcAfkGAQA5daOxMe3d3sbq01j0TJH7wOptRs7tuMTtFYSEIcj07INEOvJpylRvUhRpgwYcw9kBWxjve5Q01fFte5/LCb1kj0x2okQWkQv/B5p3ExJ2hnHIYykO1gmV1BuzKDNRkFyEdWNeIwY1/MpVgDy9OQ564gsLKkFv3GxRQz9Ec4eU4yVfeFp0VuPXU5cEnUK15wGxAqDqa0s/i3tXFME2HYA0L3HkJaEpZWpX8fXKoipvK6CetFQaSCAHWz45j0uKwGkyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=/sn2KoxvQnh/3EOz/stmblCM02a3+Qcrj92qCozVGPo=; b=Gc5V8L96kpMMnwvORGOfsz+BOQVKTtBJPCzj2CNzKImIiZXtZVW/xIyGPH1qiWekUKolGPFHxc0buHDQMhOajW7V95hnOx+CukwVI3LKD/vio0kdHi599wfXy6OSe0t2ychIxzDDnzCc171cIwC43JpaWOrGnk88b3yU4nq29J7xwgQabjOGFOw1SLZS7QoESeUUEsnMkymRAYEAkNkn1wxeLY/q/YPANKpLR+wakkNgliGrauXx0pE88pwyhPqRGs6IidySzR7JdlOnHKiVWKCTWv883uHHIaE3be4nXQtan2JAYf5++I7ZqOngx6rVaQloKLJCrG2YpC0/vYOGow==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=workonline.africa; dmarc=pass action=none header.from=workonline.africa; dkim=pass header.d=workonline.africa; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=workonline.africa; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=/sn2KoxvQnh/3EOz/stmblCM02a3+Qcrj92qCozVGPo=; b=rPefkSnbCh3m7a6d2fu35VBwkU2U+DDYl3KU0xf2hkyB0nvAQZyDTns2H2Pd8EwAiGPEsWaVySWZZhLfBN7cho/gkrJbM8JMDcDYj+RyyxaWXWnYgRwi5HbhjuGy5+c3ihnoMT5jLLmuLqBglDDRsZhMCg57Dpw1XK/WQiUeVcw=
Received: from AM7P190MB0583.EURP190.PROD.OUTLOOK.COM (52.135.56.21) by AM7P190MB0613.EURP190.PROD.OUTLOOK.COM (52.135.56.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2814.14; Thu, 12 Mar 2020 15:57:03 +0000
Received: from AM7P190MB0583.EURP190.PROD.OUTLOOK.COM ([fe80::994a:aedb:e28a:2252]) by AM7P190MB0583.EURP190.PROD.OUTLOOK.COM ([fe80::994a:aedb:e28a:2252%7]) with mapi id 15.20.2793.018; Thu, 12 Mar 2020 15:57:03 +0000
From: Ben Maddison <benm@workonline.africa>
To: "jhaas@pfrc.org" <jhaas@pfrc.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] ROV with ATOMIC_AGGREGATE
Thread-Index: AQHV+E0wwUyxqbDFp0uB5piITHtFQqhEzEIAgAAd+ACAACIYgIAAEM4A
Date: Thu, 12 Mar 2020 15:57:02 +0000
Message-ID: <0460943d5eedd3b31b68659d2942adeff42f906f.camel@workonline.africa>
References: <bb9da4b2e853897b95a878f344c8e44193b2f632.camel@workonline.africa> <B15A5A6A-6CC9-43C3-AEEE-65CD886D0C8E@pfrc.org> <e7c908238186300d6e3a7b60a50a2fbf656f13a8.camel@workonline.africa> <C266F9BC-3938-400C-AEC8-A72EBD6D5569@pfrc.org>
In-Reply-To: <C266F9BC-3938-400C-AEC8-A72EBD6D5569@pfrc.org>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=benm@workonline.africa;
x-originating-ip: [41.13.220.201]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 287c54bf-a44e-4b7d-eedd-08d7c69e0197
x-ms-traffictypediagnostic: AM7P190MB0613:
x-microsoft-antispam-prvs: <AM7P190MB0613AB23FBC32438A3B1D524C0FD0@AM7P190MB0613.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0340850FCD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39840400004)(376002)(136003)(346002)(396003)(199004)(91956017)(66446008)(64756008)(76116006)(8676002)(66946007)(66476007)(4326008)(71200400001)(2616005)(66556008)(26005)(8936002)(186003)(316002)(62860400002)(2906002)(81156014)(81166006)(508600001)(55236004)(6506007)(6916009)(53546011)(6486002)(5660300002)(6512007)(86362001)(46492006); DIR:OUT; SFP:1101; SCL:1; SRVR:AM7P190MB0613; H:AM7P190MB0583.EURP190.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: workonline.africa does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZkD5JH3ZA9zyYcXX3xnwvYMd7gpZ3y3tbJt2oUBxHddX6TioYvP0tzfcGi+BvomgRFGnNkg5e0h/GfEkuJC2kzWQkkNBlxy2r8WnDXVHwuo7EPk46zymxzYv6Y6GGS1K+tfsgZjQpXwEtzLPoIEEmn3tfJIhw/7S3juu1A5pm5mseDPJNYTBwM1UK95xF/lndtEILiLyju/QaXeevAe4YQSevhcLIjy9OlUoHST1A5SgcAWn5SRDtF8tieVvAZp9Cppxawo//4FafNfcC9u44L8mJbBE1wzGFcB0ZQeHKE2kktua93WdoLq8eo+evrBLBMSYis0ZPRMl6skfSnG56BQmmfFqP5g6rcgluQIUmlmGmOcbolO1xjhR8rQYkX4j6XI6detU4DxcYfo06sNMwr/FcROdVGTtf++xZwV49dNP7X/qWRALa1D8gI6UZHTBQ0a+OBe4A47+NTs1gRGIcHXo967vLy3Ygix5wVqWHNCOzVx4B9BCfkEn+SPnB3Hj6FI8wY9Sljj21tQL4SED0DeSmSEPtmZeK32CUyR/31ldW5nAh3Ly1vmNXPQ1gslE
x-ms-exchange-antispam-messagedata: u+yt393ZpeOvdRahJXEVA/T+J+qZVhLWyTNeNOHqTXNoMi8oeIpX6NGHb/gkQ6LSROavlWKZxwEdL/1xdpIMSjv7aPKfOUqqexLpf+p1FUO4IC6MMj37gH7PRPj4T5TCqgrC/P9JF537o2AQFFFDRg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <49E923CF25AE3B498955A17B95BDE968@EURP190.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: workonline.africa
X-MS-Exchange-CrossTenant-Network-Message-Id: 287c54bf-a44e-4b7d-eedd-08d7c69e0197
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2020 15:57:02.9055 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b4e811d5-95e8-453a-b640-0fba8d3b9ef7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kU9abVseqftGaKh3X1yAP8TrFnbzkXEvGAkk4yKNU1H8x0wzWVEbEWusbNFE9mKjMMG39JgVQRuAvLAKaONp9g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7P190MB0613
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/pdiUGV5VLfq8ETolw4R3RWkGTBY>
Subject: Re: [Sidrops] ROV with ATOMIC_AGGREGATE
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 15:57:10 -0000

Hi Jeff,

On Thu, 2020-03-12 at 10:56 -0400, Jeffrey Haas wrote:
> Ben,
> 
> 
> > On Mar 12, 2020, at 8:54 AM, Ben Maddison <
> > benm=40workonline.africa@dmarc.ietf.org> wrote:
> > 
> > Thanks Jeff,
> > 
> > You can be kinda hard to parse sometimes!
> 
> Sorry, this was pre-coffee.
> 
:-)

> > 
> > On Thu, 2020-03-12 at 07:07 -0400, Jeffrey Haas wrote:
> > > 
> > > If the origin AS, sans sets, is correct - the implementation
> > > should
> > > believe it.
> > > 
> > 
> > You're saying that:
> > 
> > ```
> >   o  Route Origin ASN: The origin AS number derived from a Route as
> >      follows:
> > 
> >      *  the rightmost AS in the final segment of the AS_PATH
> > attribute
> >         in the Route if that segment is of type AS_SEQUENCE, or
> > 
> >      *  the BGP speaker's own AS number if that segment is of type
> >         AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is
> > empty,
> >         or
> > 
> >      *  the distinguished value "NONE" if the final segment of the
> >         AS_PATH attribute is of any other type.
> > ```
> > (https://tools.ietf.org/html/rfc6811#section-2)
> > 
> > Applies, as is, irrespective of the possible presence of
> > ATOMIC_AGGREGATE, right?
> 
> Exactly.
> 
Thanks!

> ATOMIC_AGGREGATE these days[1] means that aggregation has been done
> at some point in the life of the BGP AS_PATH for the NLRI in
> question.
> 
> Once it has been added, subsequent aggregation could have been done,
> and may have set elements added to it.  In such cases, the current
> desired behavior is that the route cannot be used for origin
> validation purposes.
> 
> However, similarly, subsequent aggregation may be done and further
> information lost from the AS_PATH; we don't get more than one
> ATOMIC_AGGREGATE marker and it has no counter.
> 
> My general observations on aggregation with respect to origin
> validation have been:
> - Parties that have the "right" to aggregate (prefix ownership, or
> owner of prefix that more specifics have been delegated from) can
> aggregate and it'd still match RPKI policies.
> - Proxy aggregation by other parties will fail RPKI policies.
> 
> The first case means that ATOMIC_AGGREGATE ("brief") style
> aggregation is fine and fits the intent of RPKI origin
> validation.  The second case doesn't fit the intent and will fail
> regardless fo whether there's a set or not.
> 
> It's this set of properties that has me being an objecting party to
> the movement to completely kill set behaviors in BGP as-paths.  it
> has more than the usual incremental deployment issues to be
> conformant with actual "deprecation" and doesn't help with the
> desired intent.  I'm quite happy to say "don't do that" and let RPKI
> slowly extinguish the feature's use.
> 
I'm in agreement with all of this, except that I'm not sure that I see
how the argument against deprecation follows.
Surely the "Treat-as-withdraw" handling is just a stronger "don't do
that" signal. In fact, in an imaginary strict-ROV-everywhere-world,
they come down to the same thing. Except treat-as-withdraw is probably
easier to troubleshoot.

> > 
> > Cheers,
> > 
> > Ben
> > 
> > > If you want path validation, we need bgpsec.
> > > 
> > 
> > Depending on what you want to validate it *against*, you may need
> > ASPA.
> > But that's a different conversation.
> 
> Indeed.  Relevant to this particular conversation, if you're
> concerned about truncated paths, which is what ATOMIC_AGGREGATE is
> intended to help signal, you may care that the route's origin AS was
> actually originated by that AS.
> 
I'm mostly interested in the ~12k false-Invalids that I'm currently
seeing on the implementation that I'm testing and need to deploy!

If anyone else thinks that I shouldn't tell my vendor that they've
written a bug, please say why, soon?

Cheers,

Ben

v2.23.0 | Report a Bug | By Email