Re: [Sidrops] Andrew Alston's Discuss on draft-ietf-sidrops-rov-no-rr-06: (with DISCUSS)
Randy Bush <randy@psg.com> Thu, 25 August 2022 18:21 UTC
Return-Path: <randy@psg.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0475FC1524DB; Thu, 25 Aug 2022 11:21:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIeo_s9RUNoE; Thu, 25 Aug 2022 11:21:49 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F496C1524C2; Thu, 25 Aug 2022 11:21:49 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.93) (envelope-from <randy@psg.com>) id 1oRHUA-001jGh-0e; Thu, 25 Aug 2022 18:21:46 +0000
Date: Thu, 25 Aug 2022 11:21:45 -0700
Message-ID: <m2bks8mbeu.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Andrew Alston via Datatracker <noreply@ietf.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-sidrops-rov-no-rr@ietf.org, SIDR Operations WG <sidrops@ietf.org>
In-Reply-To: <166143374280.8949.4490792736652212362@ietfa.amsl.com>
References: <166143374280.8949.4490792736652212362@ietfa.amsl.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/q_6mXmJGQfPEM9_Q6kuBYZ6D06s>
Subject: Re: [Sidrops] Andrew Alston's Discuss on draft-ietf-sidrops-rov-no-rr-06: (with DISCUSS)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2022 18:21:50 -0000
andrew: thanks for reviewing. > I however would like to discuss the following: > > If the BGP speaker's equipment has insufficient resources to > support either of the two proposed options, it MUST NOT be used for > Route Origin Validation. The equipment should either be replaced > with capable equipment or ROV not used. I.e. the knob in Section 4 > should only be used in very well known and controlled > circumstances. > > My concerns with this are two fold - firstly - it's entirely unclear > what is meant by "well known and controlled circumstances". hmmm. point. do you have suggestions or cites for a rigorous operators test methodology? > More importantly, I'm concerned that this paragraph as written could > lead to a situation that where people read this as "if you can't > support this behavior - forget BGP security" - and that I would think > would be a more dangerous situation than the route refresh behavior. a number of issues here o rov is not bgp security; it presents no real barrier to attack, cf. this week's event. as a fellow researcher said the other month, rov is bgp safety not security o indeed it does say that, if you can not run rov without acting badly, then do not run it. but it does not say do not run any bgp security mechanism, for example gtsm, route filters, ... o but, indeed, the intent is that, if a device can not do rov without the described bad behavior, it should not run rov. > a.) Either say that operators should plan for upgrades - but turn off > RPKI in the meantime well, it kind of says that. but it does not say rpki in general. this spec concentrates on rov. and it does not say the operator shoud turn rov off in general, only on the device(s) incapable of doing full adjribin or saving dropped routes. as close as i could get is If the BGP speaker's equipment has insufficient resources to support either of the two proposed options (keeping a full AdjRibIn or at least the dropped routes), it MUST NOT be used for Route Origin Validation. The equipment should either be replaced with capable equipment or ROV not used. > or b.) Change the wording such that it says something along the lines > of "it MUST not be used for ROV without the informed consent of the > peers" wow! do you really want to go down this path? are there other spec violations that we suggest peers negotiate? exceedingly long as path prepends might be popular this season :) all sorts of operational complexity, e.g. my peer's staff changes next month and the new staff does not like me beating on their routers. all in all, i can see such under the table negotiations happening occasionally. but i am uninclined to put a recipe in the spec. and it would have no actual technical content anyway. > Either option prevents the position where operators running smaller > older hardware are handed an excuse to forgo RPKI entirely - or to > turn it off - because in my experience once someone turns something > off, getting them to turn it back on again, can be a tricky > proposition. again, this is per device, not per operator. and (rpki != rov). the device might be capable of other rpki-based functions. but, having put a lot of time and effort over the last two decades trying to keep the specs achievable on existing hardware, i have great sympathy for the direction you're trying to go. i just don't see how to get there simply and realistically. send more clue. in general, i see your comments in an operational sense. but this is a protocol, not operational draft. it is not a bcp or a bcop. perhaps you would care to work on an rov bcop? randy
- [Sidrops] Andrew Alston's Discuss on draft-ietf-s… Andrew Alston via Datatracker
- Re: [Sidrops] Andrew Alston's Discuss on draft-ie… Randy Bush
- Re: [Sidrops] Andrew Alston's Discuss on draft-ie… Andrew Alston - IETF
- Re: [Sidrops] Andrew Alston's Discuss on draft-ie… Randy Bush
- Re: [Sidrops] Andrew Alston's Discuss on draft-ie… Andrew Alston - IETF