Re: [Sidrops] [GROW] Any credence to AS_SET in the *middle* between AS_SEQUENCEs?

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Thu, 21 July 2022 16:46 UTC

From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Jeffrey Haas <jhaas@pfrc.org>, Nick Hilliard <nick@foobar.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, GROW WG <grow@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, "a.e.azimov@gmail.com" <a.e.azimov@gmail.com>
Date: Thu, 21 Jul 2022 16:46:40 +0000
Message-ID: <SA1PR09MB81421D152AC2DA200EDE1D9784919@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB8142D357A98BFAAF206C387C848F9@SA1PR09MB8142.namprd09.prod.outlook.com> <66814cfa-8425-8063-9193-272bc8b28291@foobar.org> <1F8421AA-8514-41FB-A047-EEDAF975B934@pfrc.org>
In-Reply-To: <1F8421AA-8514-41FB-A047-EEDAF975B934@pfrc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/UlkYXHb5Vp_EuSaW5eEGWKwPflw>
Subject: Re: [Sidrops] [GROW] Any credence to AS_SET in the *middle* between AS_SEQUENCEs?

Jeff,

Thanks for the detailed insights. 

I gather that at least Nick and Job are clearly in favor of marking an UPDATE Invalid (i.e., a route leak in the present context) for having an AS_SET anywhere in the AS_PATH. (I.e., forget about having the Unverifiable flavor.) It appears Randy is also in the same camp.

Are you also OK going along with it?

In Section 5.3 (Mitigation), it is also stated:
   If the output of the AS_PATH verification procedure is "Invalid" the
   route MUST be rejected.

Sriram

________________________________________
From: Jeffrey Haas <jhaas@pfrc.org>
Sent: Thursday, July 21, 2022 6:22 PM
To: Nick Hilliard
Cc: Sriram, Kotikalapudi (Fed); sidrops@ietf.org; GROW WG; draft-ietf-sidrops-aspa-verification@ietf.org
Subject: Re: [GROW] Any credence to AS_SET in the *middle* between AS_SEQUENCEs?

> On Jul 21, 2022, at 4:36 AM, Nick Hilliard <nick@foobar.org> wrote:
>
> Sriram, Kotikalapudi (Fed) wrote on 19/07/2022 22:24:
>> Question: Operationally, is an AS_SET ever used in the *middle*
>> between AS_SEQUENCEs? Or, should one simply give zero credence to
>> it?
>
> tl;dr: epsilon levels of credence.
>
> in the context of EBGP connectivity, on the internet, having an AS_SET in the middle of a sequence means that whoever is responsible for leaking that is exposing far more about their internal sausage factory than I ever want to know.  There could possibly be valid reasons, but it's far more likely that this is the outcome of temporary or simply poor quality routing policies.

In principle, "complex aggregation" permitted you to avoid shortening the as-path lengths excessively.

Simple example:

A: 100 5 4 3 2 1
B: 200 5 4 3 2 1

Complex Aggregated path: [ 100 200 ] 5 4 3 2 1; length 6
Simple aggregated path: [ 1 2 3 4 5 100 200 ]; length 1

In practice, the majority of aggregation happens near leaf ASes from provider space delegated to multi-homed customers.  So, "throw it all into the set" works fine for the desired properties.  In the set of ASes with aggregated prefixes, they are expected to have all of the more specifics.

Where brief aggregation gets tricky is where the cut point is for the aggregating AS that will now be the "origin".  Those procedures don't interact nicely with RPKI OV, and are the main detail I've been owing a write-up on for the deprecate as-set document.

One thing very much worth mentioning is that anything clever some provider might want to do with complex aggregation is likely to be undone by anyone else doing aggregation and using the simple mode.

> ASPA somewhat assumes a naive/simplistic routing policy.  Having AS_SET support of this style means that it's entertaining a far greater level of complexity than ASPA's target network might operate. There are echoes of the DNS camel here.

I suspect that for simple aggregation the procedures for ASPA could be clear.  I don't know that I'd try to support complex aggregation.

And that said, ASPA will have the same concerns with brief mode aggregation that OV does.

-- Jeff
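
A worked example added here; it is not code from Sriram's or Jeff's message, nor from any BGP implementation. It models the two aggregation modes in Jeff's "100 5 4 3 2 1" / "200 5 4 3 2 1" example and the rule the thread is converging on for ASPA: an AS_SET anywhere in the AS_PATH yields "Invalid", and per Section 5.3 of the draft an Invalid route MUST be rejected. Segment type codes and the path-length rule (an AS_SET counts as a single hop) follow RFC 4271. The "complex" mode is my own generalisation of Jeff's example: it keeps the common trailing (origin-side) sequence as well as the common leading one, which is precisely how an AS_SET ends up in the middle between two AS_SEQUENCEs; RFC 4271's minimum aggregation algorithm only keeps the leading common part. The bracket notation parser, the function names, and the "Verify" hand-off value for sequence-only paths are assumptions of this example; the full hop-by-hop ASPA procedure is not modelled.

```python
# Added example (not from the thread or any BGP implementation).  Models
# Jeff's simple vs. complex aggregation and the "AS_SET anywhere => Invalid"
# ASPA rule.  Type codes and path-length rule per RFC 4271; names are my own.
from typing import List, Set, Tuple

AS_SET = 1        # RFC 4271 path segment type codes
AS_SEQUENCE = 2

# An AS_PATH is modelled as a list of (segment_type, [ASN, ...]) tuples.
ASPath = List[Tuple[int, List[int]]]


def parse_path(text: str) -> ASPath:
    """Parse the thread's notation, e.g. '[ 100 200 ] 5 4 3 2 1'.
    Space-separated brackets delimit an AS_SET; bare runs are AS_SEQUENCEs."""
    path: ASPath = []
    seq: List[int] = []
    cur_set: List[int] = []
    in_set = False
    for tok in text.split():
        if tok == "[":
            if in_set:
                raise ValueError("nested AS_SET")
            if seq:
                path.append((AS_SEQUENCE, seq))
                seq = []
            in_set, cur_set = True, []
        elif tok == "]":
            if not in_set:
                raise ValueError("unbalanced ']'")
            path.append((AS_SET, cur_set))
            in_set = False
        else:
            (cur_set if in_set else seq).append(int(tok))
    if in_set:
        raise ValueError("unterminated AS_SET")
    if seq:
        path.append((AS_SEQUENCE, seq))
    return path


def fmt(path: ASPath) -> str:
    """Render a path back into the thread's bracket notation."""
    parts = []
    for seg_type, asns in path:
        body = " ".join(str(a) for a in asns)
        parts.append(f"[ {body} ]" if seg_type == AS_SET else body)
    return " ".join(parts)


def path_length(path: ASPath) -> int:
    """RFC 4271 9.1.2.2: each AS in an AS_SEQUENCE counts 1, an AS_SET counts 1."""
    return sum(len(asns) if t == AS_SEQUENCE else 1 for t, asns in path)


def aggregate_simple(paths: List[ASPath]) -> ASPath:
    """'Throw it all into the set': one AS_SET holding every AS seen."""
    seen: Set[int] = set()
    for p in paths:
        for _, asns in p:
            seen.update(asns)
    return [(AS_SET, sorted(seen))]


def aggregate_complex(paths: List[ASPath]) -> ASPath:
    """Keep the common leading and common trailing AS_SEQUENCEs, put only the
    differing middle ASes into an AS_SET (a generalisation of Jeff's example)."""
    seqs: List[List[int]] = []
    for p in paths:
        if any(t != AS_SEQUENCE for t, _ in p):
            return aggregate_simple(paths)  # inputs already hold sets: fall back
        seqs.append([asn for _, asns in p for asn in asns])
    lead: List[int] = []
    for col in zip(*seqs):                      # longest common leading sequence
        if len(set(col)) != 1:
            break
        lead.append(col[0])
    rest = [s[len(lead):] for s in seqs]
    trail: List[int] = []
    for col in zip(*(reversed(r) for r in rest)):  # longest common trailing sequence
        if len(set(col)) != 1:
            break
        trail.append(col[0])
    trail.reverse()
    middle: Set[int] = set()
    for r in rest:
        middle.update(r[:len(r) - len(trail)])
    out: ASPath = []
    if lead:
        out.append((AS_SEQUENCE, lead))
    if middle:
        out.append((AS_SET, sorted(middle)))
    if trail:
        out.append((AS_SEQUENCE, trail))
    return out


def aspa_precheck(path: ASPath) -> str:
    """Thread consensus: an AS_SET anywhere => 'Invalid' (no 'Unverifiable'),
    and Section 5.3 says Invalid MUST be rejected.  Sequence-only paths are
    handed to the full ASPA procedure, which this example does not model."""
    if any(t == AS_SET for t, _ in path):
        return "Invalid"
    return "Verify"


if __name__ == "__main__":
    a, b = parse_path("100 5 4 3 2 1"), parse_path("200 5 4 3 2 1")
    for label, agg in (("complex", aggregate_complex([a, b])),
                       ("simple ", aggregate_simple([a, b]))):
        print(f"{label}: {fmt(agg):28} length {path_length(agg)}  ASPA: {aspa_precheck(agg)}")
```

Running it reproduces Jeff's two results (length 6 for the complex form, length 1 for the simple form) and shows that both forms come out "Invalid" under the rule being discussed, so the extra path length preserved by complex aggregation buys nothing once ASPA is applied; a second input pair such as "10 100 5 4" and "10 200 5 4" produces the AS_SEQUENCE / AS_SET / AS_SEQUENCE shape that Sriram's original question asks about.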