Re: [Sidrops] ROV with ATOMIC_AGGREGATE
Ben Maddison <benm@workonline.africa> Thu, 12 March 2020 15:57 UTC
Return-Path: <benm@workonline.africa>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A124F3A0C76 for <sidrops@ietfa.amsl.com>; Thu, 12 Mar 2020 08:57:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=workonline.africa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72cSjaibc-Rl for <sidrops@ietfa.amsl.com>; Thu, 12 Mar 2020 08:57:07 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on0625.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0e::625]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DF5B3A084B for <sidrops@ietf.org>; Thu, 12 Mar 2020 08:57:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Bj2EwNoMmXf7hV+ud24UmXpjG/9H2EvMB09ycbeQPFKay+ADxt74PBEeRwN5VvkAOG15OQC322bXcAfkGAQA5daOxMe3d3sbq01j0TJH7wOptRs7tuMTtFYSEIcj07INEOvJpylRvUhRpgwYcw9kBWxjve5Q01fFte5/LCb1kj0x2okQWkQv/B5p3ExJ2hnHIYykO1gmV1BuzKDNRkFyEdWNeIwY1/MpVgDy9OQ564gsLKkFv3GxRQz9Ec4eU4yVfeFp0VuPXU5cEnUK15wGxAqDqa0s/i3tXFME2HYA0L3HkJaEpZWpX8fXKoipvK6CetFQaSCAHWz45j0uKwGkyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=/sn2KoxvQnh/3EOz/stmblCM02a3+Qcrj92qCozVGPo=; b=Gc5V8L96kpMMnwvORGOfsz+BOQVKTtBJPCzj2CNzKImIiZXtZVW/xIyGPH1qiWekUKolGPFHxc0buHDQMhOajW7V95hnOx+CukwVI3LKD/vio0kdHi599wfXy6OSe0t2ychIxzDDnzCc171cIwC43JpaWOrGnk88b3yU4nq29J7xwgQabjOGFOw1SLZS7QoESeUUEsnMkymRAYEAkNkn1wxeLY/q/YPANKpLR+wakkNgliGrauXx0pE88pwyhPqRGs6IidySzR7JdlOnHKiVWKCTWv883uHHIaE3be4nXQtan2JAYf5++I7ZqOngx6rVaQloKLJCrG2YpC0/vYOGow==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=workonline.africa; dmarc=pass action=none header.from=workonline.africa; dkim=pass header.d=workonline.africa; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=workonline.africa; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=/sn2KoxvQnh/3EOz/stmblCM02a3+Qcrj92qCozVGPo=; b=rPefkSnbCh3m7a6d2fu35VBwkU2U+DDYl3KU0xf2hkyB0nvAQZyDTns2H2Pd8EwAiGPEsWaVySWZZhLfBN7cho/gkrJbM8JMDcDYj+RyyxaWXWnYgRwi5HbhjuGy5+c3ihnoMT5jLLmuLqBglDDRsZhMCg57Dpw1XK/WQiUeVcw=
Received: from AM7P190MB0583.EURP190.PROD.OUTLOOK.COM (52.135.56.21) by AM7P190MB0613.EURP190.PROD.OUTLOOK.COM (52.135.56.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2814.14; Thu, 12 Mar 2020 15:57:03 +0000
Received: from AM7P190MB0583.EURP190.PROD.OUTLOOK.COM ([fe80::994a:aedb:e28a:2252]) by AM7P190MB0583.EURP190.PROD.OUTLOOK.COM ([fe80::994a:aedb:e28a:2252%7]) with mapi id 15.20.2793.018; Thu, 12 Mar 2020 15:57:03 +0000
From: Ben Maddison <benm@workonline.africa>
To: "jhaas@pfrc.org" <jhaas@pfrc.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] ROV with ATOMIC_AGGREGATE
Thread-Index: AQHV+E0wwUyxqbDFp0uB5piITHtFQqhEzEIAgAAd+ACAACIYgIAAEM4A
Date: Thu, 12 Mar 2020 15:57:02 +0000
Message-ID: <0460943d5eedd3b31b68659d2942adeff42f906f.camel@workonline.africa>
References: <bb9da4b2e853897b95a878f344c8e44193b2f632.camel@workonline.africa> <B15A5A6A-6CC9-43C3-AEEE-65CD886D0C8E@pfrc.org> <e7c908238186300d6e3a7b60a50a2fbf656f13a8.camel@workonline.africa> <C266F9BC-3938-400C-AEC8-A72EBD6D5569@pfrc.org>
In-Reply-To: <C266F9BC-3938-400C-AEC8-A72EBD6D5569@pfrc.org>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=benm@workonline.africa;
x-originating-ip: [41.13.220.201]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 287c54bf-a44e-4b7d-eedd-08d7c69e0197
x-ms-traffictypediagnostic: AM7P190MB0613:
x-microsoft-antispam-prvs: <AM7P190MB0613AB23FBC32438A3B1D524C0FD0@AM7P190MB0613.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0340850FCD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39840400004)(376002)(136003)(346002)(396003)(199004)(91956017)(66446008)(64756008)(76116006)(8676002)(66946007)(66476007)(4326008)(71200400001)(2616005)(66556008)(26005)(8936002)(186003)(316002)(62860400002)(2906002)(81156014)(81166006)(508600001)(55236004)(6506007)(6916009)(53546011)(6486002)(5660300002)(6512007)(86362001)(46492006); DIR:OUT; SFP:1101; SCL:1; SRVR:AM7P190MB0613; H:AM7P190MB0583.EURP190.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: workonline.africa does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZkD5JH3ZA9zyYcXX3xnwvYMd7gpZ3y3tbJt2oUBxHddX6TioYvP0tzfcGi+BvomgRFGnNkg5e0h/GfEkuJC2kzWQkkNBlxy2r8WnDXVHwuo7EPk46zymxzYv6Y6GGS1K+tfsgZjQpXwEtzLPoIEEmn3tfJIhw/7S3juu1A5pm5mseDPJNYTBwM1UK95xF/lndtEILiLyju/QaXeevAe4YQSevhcLIjy9OlUoHST1A5SgcAWn5SRDtF8tieVvAZp9Cppxawo//4FafNfcC9u44L8mJbBE1wzGFcB0ZQeHKE2kktua93WdoLq8eo+evrBLBMSYis0ZPRMl6skfSnG56BQmmfFqP5g6rcgluQIUmlmGmOcbolO1xjhR8rQYkX4j6XI6detU4DxcYfo06sNMwr/FcROdVGTtf++xZwV49dNP7X/qWRALa1D8gI6UZHTBQ0a+OBe4A47+NTs1gRGIcHXo967vLy3Ygix5wVqWHNCOzVx4B9BCfkEn+SPnB3Hj6FI8wY9Sljj21tQL4SED0DeSmSEPtmZeK32CUyR/31ldW5nAh3Ly1vmNXPQ1gslE
x-ms-exchange-antispam-messagedata: u+yt393ZpeOvdRahJXEVA/T+J+qZVhLWyTNeNOHqTXNoMi8oeIpX6NGHb/gkQ6LSROavlWKZxwEdL/1xdpIMSjv7aPKfOUqqexLpf+p1FUO4IC6MMj37gH7PRPj4T5TCqgrC/P9JF537o2AQFFFDRg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <49E923CF25AE3B498955A17B95BDE968@EURP190.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: workonline.africa
X-MS-Exchange-CrossTenant-Network-Message-Id: 287c54bf-a44e-4b7d-eedd-08d7c69e0197
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2020 15:57:02.9055 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b4e811d5-95e8-453a-b640-0fba8d3b9ef7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kU9abVseqftGaKh3X1yAP8TrFnbzkXEvGAkk4yKNU1H8x0wzWVEbEWusbNFE9mKjMMG39JgVQRuAvLAKaONp9g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7P190MB0613
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/pdiUGV5VLfq8ETolw4R3RWkGTBY>
Subject: Re: [Sidrops] ROV with ATOMIC_AGGREGATE
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 15:57:10 -0000
Hi Jeff, On Thu, 2020-03-12 at 10:56 -0400, Jeffrey Haas wrote: > Ben, > > > > On Mar 12, 2020, at 8:54 AM, Ben Maddison < > > benm=40workonline.africa@dmarc.ietf.org> wrote: > > > > Thanks Jeff, > > > > You can be kinda hard to parse sometimes! > > Sorry, this was pre-coffee. > :-) > > > > On Thu, 2020-03-12 at 07:07 -0400, Jeffrey Haas wrote: > > > > > > If the origin AS, sans sets, is correct - the implementation > > > should > > > believe it. > > > > > > > You're saying that: > > > > ``` > > o Route Origin ASN: The origin AS number derived from a Route as > > follows: > > > > * the rightmost AS in the final segment of the AS_PATH > > attribute > > in the Route if that segment is of type AS_SEQUENCE, or > > > > * the BGP speaker's own AS number if that segment is of type > > AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is > > empty, > > or > > > > * the distinguished value "NONE" if the final segment of the > > AS_PATH attribute is of any other type. > > ``` > > (https://tools.ietf.org/html/rfc6811#section-2) > > > > Applies, as is, irrespective of the possible presence of > > ATOMIC_AGGREGATE, right? > > Exactly. > Thanks! > ATOMIC_AGGREGATE these days[1] means that aggregation has been done > at some point in the life of the BGP AS_PATH for the NLRI in > question. > > Once it has been added, subsequent aggregation could have been done, > and may have set elements added to it. In such cases, the current > desired behavior is that the route cannot be used for origin > validation purposes. > > However, similarly, subsequent aggregation may be done and further > information lost from the AS_PATH; we don't get more than one > ATOMIC_AGGREGATE marker and it has no counter. > > My general observations on aggregation with respect to origin > validation have been: > - Parties that have the "right" to aggregate (prefix ownership, or > owner of prefix that more specifics have been delegated from) can > aggregate and it'd still match RPKI policies. > - Proxy aggregation by other parties will fail RPKI policies. > > The first case means that ATOMIC_AGGREGATE ("brief") style > aggregation is fine and fits the intent of RPKI origin > validation. The second case doesn't fit the intent and will fail > regardless fo whether there's a set or not. > > It's this set of properties that has me being an objecting party to > the movement to completely kill set behaviors in BGP as-paths. it > has more than the usual incremental deployment issues to be > conformant with actual "deprecation" and doesn't help with the > desired intent. I'm quite happy to say "don't do that" and let RPKI > slowly extinguish the feature's use. > I'm in agreement with all of this, except that I'm not sure that I see how the argument against deprecation follows. Surely the "Treat-as-withdraw" handling is just a stronger "don't do that" signal. In fact, in an imaginary strict-ROV-everywhere-world, they come down to the same thing. Except treat-as-withdraw is probably easier to troubleshoot. > > > > Cheers, > > > > Ben > > > > > If you want path validation, we need bgpsec. > > > > > > > Depending on what you want to validate it *against*, you may need > > ASPA. > > But that's a different conversation. > > Indeed. Relevant to this particular conversation, if you're > concerned about truncated paths, which is what ATOMIC_AGGREGATE is > intended to help signal, you may care that the route's origin AS was > actually originated by that AS. > I'm mostly interested in the ~12k false-Invalids that I'm currently seeing on the implementation that I'm testing and need to deploy! If anyone else thinks that I shouldn't tell my vendor that they've written a bug, please say why, soon? Cheers, Ben
- [Sidrops] ROV with ATOMIC_AGGREGATE Ben Maddison
- Re: [Sidrops] ROV with ATOMIC_AGGREGATE Jeffrey Haas
- Re: [Sidrops] ROV with ATOMIC_AGGREGATE Ben Maddison
- Re: [Sidrops] ROV with ATOMIC_AGGREGATE Jeffrey Haas
- Re: [Sidrops] ROV with ATOMIC_AGGREGATE Ben Maddison
- Re: [Sidrops] ROV with ATOMIC_AGGREGATE Jeffrey Haas