IETF Logo Mail Archive

Re: [Sidrops] [routing-wg] misconceptions about ROV

Job Snijders <job@fastly.com> Thu, 24 February 2022 10:55 UTC

Return-Path: <jsnijders@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6219B3A088C for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 02:55:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uEjtK2fLZpmC for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 02:54:56 -0800 (PST)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3CCA3A0897 for <sidrops@ietf.org>; Thu, 24 Feb 2022 02:54:56 -0800 (PST)
Received: by mail-il1-x12d.google.com with SMTP id d7so1376893ilf.8 for <sidrops@ietf.org>; Thu, 24 Feb 2022 02:54:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7ys9n+RWoV6UmaT6QJcxd/eHPHUtB2gU0FLIZaKCI60=; b=AKV/jOCaGKvOk7TJkKaUJyvf0I0GZb04vJUOEFIi9G/RNniYX3Gep3H+g/L8P3t6KJ ao+JMnIsDAIi8f52ar4eBecTrgixUXFEe0d66dSmP74LoqV5frmqgNtdEJCT4ONqzV8v /e7EL8pWa3cUsqUQM6PB7kSY9U+vXIkp+31AI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7ys9n+RWoV6UmaT6QJcxd/eHPHUtB2gU0FLIZaKCI60=; b=xEIuma9rmlgpovGWWqRlSnlsQ8v82ioFqXy6tyqiY1+R0l2RrV+tr+RZddYhBgYJDI EIm4AxfqixYSrSLhDGKl+UcMzqw13X+Gc4erXfQBpahemFMQuol9xEN/xoxtzukRiiYV 3zTjGNXzSTdUL/46pt1zDKkHwDrm/RCT124IfnzUivg/VR7DkGeC3lIcQWG3cbJSGKxn ogaLeyClTE2bBp/5xYJNkhDLQpDsa/CCsURbJab04lBfEwb2Ouv9KrdylL3MyIUEBIcK 9SgATuE0qn1ZQx6O4oEix22iUj6uSAYl5VA/oT1r7Z5S4yUatrYpinJ2DzlEASm8Vsdz PE6w==
X-Gm-Message-State: AOAM533lgv3b44eDb7uDsqt3lfCIuau9pMuISfm46ZvFIxlWbbSi3x6K bhgYEXjt7/Ka4x16aTFua0I5x83me/VQ3dR4CPXoMA==
X-Google-Smtp-Source: ABdhPJysiQhRPwoBTS8KJkq4qdx4OvLzhECeeXxof2xjdvW6SvdwIacL0cZCqh8DTz8BCZMX2MPZIA8As9r8UBXq+o0=
X-Received: by 2002:a05:6e02:174a:b0:2c2:6dbb:4180 with SMTP id y10-20020a056e02174a00b002c26dbb4180mr1879458ill.9.1645700095410; Thu, 24 Feb 2022 02:54:55 -0800 (PST)
MIME-Version: 1.0
References: <015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn> <DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl> <YhS/WR3czIP3jNLF@snel> <ABE3FA29-6C9D-492B-A72A-68C20176E76D@nlnetlabs.nl> <949277FD-27AF-40E8-B557-AA58C62BFEA7@apnic.net> <E16290C1-77ED-4CB1-8712-F6163304ED45@nlnetlabs.nl> <m2k0dmmntj.wl-randy@psg.com> <6D314C7A-8CEC-4B9B-8F80-6B1AC48037E2@nlnetlabs.nl> <85D947F4-E2A4-4FFE-86AF-2D129C49FB9C@psg.com> <8413F0CA-F50A-42B7-B0DA-19A0A90ABE6F@nlnetlabs.nl> <YhdCYjS+yDVsFgNF@snel> <60B6D863-047D-40A6-80DD-95C05391A0BA@nlnetlabs.nl>
In-Reply-To: <60B6D863-047D-40A6-80DD-95C05391A0BA@nlnetlabs.nl>
From: Job Snijders <job@fastly.com>
Date: Thu, 24 Feb 2022 11:54:44 +0100
Message-ID: <CAMFGGcBhm7bGbAL7CRdmHYJVsOtRGRaPD56Tvi=xSW=+Y=n8Rw@mail.gmail.com>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: sidrops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000981fa605d8c16958"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/qlK8gGqHtc7ulPbF4gRS_mbkbLI>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 10:55:02 -0000

On Thu, Feb 24, 2022 at 10:16:39AM +0100, Tim Bruijnzeels wrote:
> > It seems you overlook some deployment aspects, for example: within a
> > given Autonomous System (during the incremental deployment of BGPsec -
> > which may take years) there will be ASBRs that support BGPsec and ASBRs
> > that are unable to negotiate support for BGPsec. For example, it is
> > entirely possible that at a given moment in time only half the
> > adjacencies for 206238_15562$ are BGPsec capable, and half are not
(yet).
>
> Not at all - any adjacencies that are not BGPSec capable would not issue
> any statement that they are capable. So stripping the signatures there
> would be entirely expected.
>
> I am talking about something else: signalling deployment beyond direct
> sessions in order to enable detection of downgrade attacks. If router
> can detect that the *entire* path is not only capable but also
> committed to do BGPSec then removal of signatures can be flagged as an
> attack.

At the risk of repeating myself: signalling at AS-level granularity
seems too coarse for deployment reality. An AS might be able to do
BGPsec in one part of their network, but not in other parts of their
network. Another consideration: not all Autonomous Systems operate with
a coherent backbone, some AS are "islands".

Imagine AS 65000, 65001, and 65002, who all have half their ASBR
footprint BGPsec enabled; neither of those 3 AS can 'commit' to BGPsec;
other than through per-BGP-session negotation. BGPsec islands connect to
each other by virtue of unbroken valid signature chains.


> > See this posting for a similar story on RPKI ROV invalids:
> > https://mailman.nanog.org/pipermail/nanog/2021-April/213346.html
> >
> > Frankly speaking, wouldn't it make far more sense to implement the
> > specifications AS SPECIFIED AND PEER-REVIEWED BY MANY PEOPLE,
> > *before* advocating new object profiles?
> >
> > Especially since the CA side of BGPsec is so straight-forward and
> > simple to implement ... ?
>
> There is no need to shout Job..
>
> I was trying to have a discussion about a possible way to help
> operational future deployment.

I appreciate all the help you are willing to provide, but I question the
soundness of initiating discussion about 'future deployment' while the
first steps have yet to be set on the path towards deployment. How can
anyone meaningfully comment on future operational deployment challenges
without any operational experience with BGPsec "as is"?

> This is in no way preventing the development and deployment of current
> standards. And should the idea be useful and accepted then of course
> it would be handled as a WG document, be peer-reviewed etc.
>
> I know - it's naive to think that that would be what the IETF
> is for. Fine. I will stop here. Discussion once again seems
> entirely pointless.

At times it seems you look to this WG for help, other times you purport
opinion on what the future direction of RPKI / Secure Routing should be,
and then other times you appear to engage in research/brainstorm
activities. It is hard to tell which is which at times.

The current discussion might appear challenging because your positions
appear inconsistent: first you expressed heavy skepticism to the point
that it might even discourage others to consider BGPsec ("it doesnt
scale"), then you pivot to suggesting new object profiles, all the while
writing messages which contain imprecise terminology.

Here you ask for pointers:
https://mailarchive.ietf.org/arch/msg/sidrops/shD2HMkgDrXSf7dLI6GAkOuaoKg/
Here you reply you could find the documents yourself:
https://mailarchive.ietf.org/arch/msg/sidrops/DcbDU25miO0Rcc9Hbd85kaDvDx0/

Here you ask whether there is 'operator demand':
https://mailarchive.ietf.org/arch/msg/sidrops/XOHyvcRKH6VOG310jAUppzRXliA/
But already back in October 2021, you yourself noted: "Wrt BGPSec.. I am
actually very happy to see that so many people are in favor of supporting
it.":
https://www.ripe.net/ripe/mail/archives/routing-wg/2021-October/004454.html

It seems to me that one could extrapolate appetite for BGPsec in managed
CA environments to mean that people also would like BGPsec support in
all other CA implementations.

Let's make BGPsec a reality! It all starts by actually making BGPsec
available to operators.

Regards,

Job

v2.8.7 | Report a Bug | By Email