IETF Logo Mail Archive

Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-considerations

Tim Bruijnzeels <tim@nlnetlabs.nl> Wed, 08 February 2023 08:57 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A43BC1575C8; Wed, 8 Feb 2023 00:57:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQLDBGbOpU-2; Wed, 8 Feb 2023 00:57:54 -0800 (PST)
Received: from dane.soverin.net (dane.soverin.net [185.233.34.148]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A977C14CE29; Wed, 8 Feb 2023 00:57:52 -0800 (PST)
Received: from smtp.soverin.net (c04smtp-lb01.int.sover.in [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4PBYmY2xJNz2xGf; Wed, 8 Feb 2023 08:57:49 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net (Postfix) with ESMTPSA id 4PBYmX6mrMz9m; Wed, 8 Feb 2023 08:57:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1675846669; bh=GtrpmCIF5daIl/6254OmmS65uE+kYsABkabY8BVgMVg=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=bOI0bL4q7UY+3sySmdHnFz+sOVYbSXRxf5kzWDDAeBb+k8plotG/5/CWelnKvYQXY q7ltjAZMiYVPxMeL5ryIwJoig/UEZvNmkLT2h7Z+gtyDD3ICN7ZIpY+FxEkVGPuRR8 IjqRfpv/1D/30PFpKfKrkVMZCQ4Jd6G+L/r34OucwUVvuUvMq9Ie+sVIu2pxtEGv4V A5D7CI2YnnqSXi5nsDZ82POqUghfg96IgjC8Y6iX0godHTar7HxfDF8YSZV0HQz/LF SEJB4r3XEERWpeMkGty9+3ZakbSTRH+Ay/lgcOsVU7SphvjK749BRtwnVmEPhHFI/n jDuQDcl2ZK6Qg==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
X-Soverin-Authenticated: true
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <Y+KVVFZ9VTNLrng5@snel>
Date: Wed, 08 Feb 2023 09:57:38 +0100
Cc: Warren Kumari <warren@kumari.net>, 延志伟 <yanzhiwei@cnnic.cn>, housley <housley@vigilsec.com>, sidrops <sidrops@ietf.org>, draft-ietf-sidrops-roa-considerations@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <6A6E2C53-F688-406A-97E3-BE219CC6DA39@nlnetlabs.nl>
References: <2af92c45.3c6.18605c3a595.Coremail.yanzhiwei@cnnic.cn> <CAHw9_i+MCFD_yBxa9D8XUOQr+K-Jfq9KbOb2H=Jy-GmrgM4+9Q@mail.gmail.com> <Y+KVVFZ9VTNLrng5@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/qHm3xakY04VKcjfhX_bkSAs8dn4>
Subject: Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-considerations
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2023 08:57:58 -0000

Hi,

> On 7 Feb 2023, at 19:15, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> On Mon, Feb 06, 2023 at 01:37:31PM -0800, Warren Kumari wrote:
>> I could not easily find a statistic showing the total number of
>> prefixes and total number of ROAs. I did start trying to write a
>> script to calculate this, but got distracted / ran out of time.
>> WG / authors: does anyone have this info handy?
> 
>     TA      ROAs      Pfxs   Unique Pfxs   UPfxs/ROAs   Avg ROA (bytes)
> --------+---------+---------+-------------+------------+----------------
> AFRINIC |   3,020 |   4,341 |       4,210 |      1.394 |     1937
>   ARIN |  60,077 |  73,851 |      69,841 |      1.162 |     2132   
>  APNIC |  23,288 | 104,337 |     104,035 |      4.467 |     1914
> LACNIC |  17,564 |  33,878 |      31,284 |      1.781 |     1969
>   RIPE |  36,365 | 189,446 |     189,444 |      5.210 |     1867
> --------+---------+---------+-------------+------------+----------------
> GLOBAL | 140,313 | 405,857 |     398,818 |      2.842 |     2003
>                         (as of 2023-02-07)
> 
>   [ There seems to be an incredibly strong association between
>     the letter 'P' being present in the Trust Anchor name and
>     the number of ROAIPAddress instances per ROA. ;-) ]
> 
> The size of a ROA (in bytes) seems to mostly be a function of the length
> of the Information Access instances (SIA, AIA, CRL), rather than the
> space the (binary encoded) ROAIPAddress instances occupy in a ROA.
> 
> If everyone would follow the '1 prefix per ROA' rule, the current RPKI
> would roughly triple in size; if all prefixes in DFZ are covered by a
> ROA, it would roughly double again. Doesn't seem too bad to me?

What I like about the draft is that it is permissive - CAs can still
decide to combine prefixes. What I don't like is that to me the
considerations for combining prefixes are vaguely phrased and incomplete.

So, while I still agree with the general advice to use a 1 prefix per
ROA, I think the considerations for not doing so are not worked out in
enough detail. I think this is unfortunate, because I would like this
document to be more useful to resolve discussions about this choice.

As it stands I am afraid that this document will not serve to resolve
discussions about this, but may even turn out to be divisive. Let me
illustrate two cases:


Case A: RIRs with co-hosted member CAs

I believe that the paragraph starting with "In some special scenarios,"
in section 4 does not call out a case that I believe I and others have
raised a number of times wrt the RIR systems with co-hosted parent and
child CAs.

The fate sharing issue is not an issue for e.g. the RIPE NCC system.

The parent CA and child CA are hosted in the same system. This is different
from the RFC 6492 child -> parent polling process used by remote CAs, in
that in this *co-hosted* system the child CAs can be instructed to shrink
their ROAs before the parent CA reduces resources. I know that this is
how the RIPE NCC was coded years ago, because at the time I was involved.

Insisting that the RIPE NCC changes their implementation to use one ROA
per prefix will lead to a big increase in their repository size, but it
will do nothing of value with regards to the fate-sharing problem raised
here. Remember that these CAs also share the same repository, so the parent
(re-issued certificate) and child (re-issued ROAs) will be seen at the
same time at worst - or the child ROA shrink will be seen before the
certificate shrink.


Case B: ROA prefix threshold

Another point: the consideration section does say this: "or a CA has
operational problems producing increased number of individual ROAs".
I mentioned that this is not really an issue for my CA implementation,
but this can cause an issue for RP software. The reason why I implemented
the option to combine prefixes in the first place, was to prevent 14000
individual ROAs to be created for an AS0 ROA as issued by APNIC.

It seems that at some point, but which point is unclear, there is a
tradeoff between fate-sharing and space used.

Currently my software uses a default threshold of 100 configured ROA
prefixes before deciding to start combining them in order to save resources
for RPs. This number is configurable, but people will use defaults..

I have asked this working group for guidance on this default [1]. I am
perfectly happy to increase the default, or even to make it a complete
opt-in setting: i.e. never aggregate prefixes on a single ROA unless
this is explicitly enabled by the operator. But, I got no response to
this particular question.

While I understand that draft-ietf-sidrops-roa-considerations may not
wish to call out any explicit "magic" threshold value, I also get no
closer to an answer to my question about what default behaviour would
be preferred after reading this document.



Kind regards,
Tim






[1]: https://mailarchive.ietf.org/arch/msg/sidrops/iBWgNEN9d03tGdTABYofuZKjwK4/

> 
> Kind regards,
> 
> Job
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.46.0 | Report a Bug | By Email | System Status