Re: [Sidrops] WG-ADOPTION: draft-borchert-sidrops-rpki-state-unverified-01 - ENDS: 2019-03-12 (mar 12)

"Montgomery, Douglas (Fed)" <dougm@nist.gov> Thu, 28 February 2019 00:09 UTC

From: "Montgomery, Douglas (Fed)" <dougm@nist.gov>
To: Randy Bush <randy@psg.com>
CC: Russ Housley <housley@vigilsec.com>, Jeffrey Haas <jhaas@pfrc.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] WG-ADOPTION: draft-borchert-sidrops-rpki-state-unverified-01 - ENDS: 2019-03-12 (mar 12)
Date: Thu, 28 Feb 2019 00:09:18 +0000
Message-ID: <0B6FBEFD-DF57-4613-9B66-ED4A9E8302A2@nist.gov>
References: <m2fts968ei.wl-randy@psg.com> <BD686FC4-58B7-48FC-85EC-EEC5C2F30B53@vigilsec.com> <20190227215142.GB21642@pfrc.org> <3EF81391-A613-4F10-B636-E29ABB5643DA@vigilsec.com> <7735E727-E19E-493B-ACAE-38F6A1A4BA75@nist.gov> <m2ef7s4wtx.wl-randy@psg.com>
In-Reply-To: <m2ef7s4wtx.wl-randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/tsIKjdPyHICSQ92e9mGHS67O2A4>
Subject: Re: [Sidrops] WG-ADOPTION: draft-borchert-sidrops-rpki-state-unverified-01 - ENDS: 2019-03-12 (mar 12)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 00:09:26 -0000

Which of your N hundred routers will you log in to, to do the "show bgp rpki servers"?

We thought the one sending you "unverified" state would be a good clue.

No one was asking for the cross product of any other info ... so I don't really buy the slippery slope logic.

I hope you are right about everyone rushing to join the parade.  

I still see as many folks express concerns about debugging as wave flags.

dougm
-- 
DougM at NIST
 

On 2/27/19, 6:48 PM, "Randy Bush" <randy@psg.com> wrote:

    > Examine the iBGP peer that you thought you configured to do origin
    > validation and determine why it is unable to.
    
    the path of debugging hooks runs far deeper into the mud.  to repeat;
    you are stepping off a cliff here.
    
    there are a number of reasons the match might not have been made: peer
    not configured for validation, prefix in exception list, AS in exception
    list, ...  will we next enumerate them all?  e.g. for debugging, i might
    like to know which of my policies, or combination thereof, caused the
    prefix not to be evaluated.  i am NOT suggesting we go down this rabbit
    hole.
    
    > We envisioned this being useful in scenarios such as: you have enabled
    > BGP Origin Validation on a router that has lost all connections to its
    > validating caches.
    
    % show bgp rpki servers
    
    > At the moment we can't tell administratively disabled from enabled,
    > but failed in some manner.  We see some value in being able to
    > diagnose that.
    
    that is why we have cli-based (and yang etc) debugging tools.  you want
    to know where in all your complex policy some decision was made, you
    need to go through the policy, don't try to encode the cross-product of
    all the possibilities in a result.
    
    > Keep in mind, most of the FUD in this space comes from the fear that
    > operators will not be able to diagnose why routes are/are not being
    > filtered.  This theme came up a lot in the meeting before NANOG.
    
    the game is over.  at&t has deployed and the multitude are hurrying to
    join him.  and the flag-wavers are rushing to get in front and curry
    publicity.
    
    > Not the subject of this draft, but the concept of being able to tell
    > if your iBGP peer actually performed validation will be even more
    > useful in BGPSec, but that is for another draft.
    
    and another century
    
    randy
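The exchange above turns on how a receiving router (or a monitor hanging off the route reflectors) would tell that one iBGP peer is handing it routes it never validated. The following is an added example, not code from either poster or from the draft: it decodes the BGP Prefix Origin Validation State extended community from RFC 8097 (non-transitive opaque, Type 0x43, Sub-Type 0x00, state in the last octet, values 0/1/2 registered) and tallies states per peer over a constructed set of updates. The codepoint 3 for "unverified" is an assumption about what draft-borchert-sidrops-rpki-state-unverified proposes; the peer names, prefixes and the `ov_states_by_peer` helper are likewise invented for the illustration.

```python
from collections import defaultdict

# RFC 8097: BGP Prefix Origin Validation State Extended Community.
# Non-transitive opaque extended community, Type 0x43, Sub-Type 0x00;
# octets 2..6 are reserved and the validation state is the last octet.
OV_TYPE, OV_SUBTYPE = 0x43, 0x00

# 0, 1 and 2 are registered by RFC 8097. Value 3 ("unverified") is an
# ASSUMPTION about the codepoint proposed by
# draft-borchert-sidrops-rpki-state-unverified; it is not on the page.
STATE_NAMES = {0: "valid", 1: "not-found", 2: "invalid", 3: "unverified"}


def encode_ov_state(state: int) -> bytes:
    """Build the 8-octet OV state extended community for `state`."""
    if not 0 <= state <= 0xFF:
        raise ValueError("validation state must fit in one octet")
    return bytes([OV_TYPE, OV_SUBTYPE, 0, 0, 0, 0, 0, state])


def decode_ov_state(ext_community: bytes):
    """Return the raw validation state carried by one 8-octet extended
    community, or None if it is some other kind of extended community."""
    if len(ext_community) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    if (ext_community[0], ext_community[1]) != (OV_TYPE, OV_SUBTYPE):
        return None
    return ext_community[7]


def ov_states_by_peer(updates):
    """updates: iterable of (peer, prefix, [extended communities]).

    Returns {peer: {state name: count}}. A route that carries no OV state
    community at all is counted under 'absent', which is the case the
    thread is arguing about: today it cannot be told apart from a peer
    that validated and simply did not attach the community.
    """
    tally = defaultdict(lambda: defaultdict(int))
    for peer, _prefix, communities in updates:
        states = [s for s in (decode_ov_state(c) for c in communities)
                  if s is not None]
        if not states:
            tally[peer]["absent"] += 1
            continue
        # RFC 8097 attaches at most one such community per route; take the first.
        name = STATE_NAMES.get(states[0], "unknown-%d" % states[0])
        tally[peer][name] += 1
    return {peer: dict(counts) for peer, counts in tally.items()}


def peers_reporting_unverified(updates):
    """Peers that sent at least one route marked 'unverified' (hypothetical
    value 3), i.e. the 'good clue' about which box lost its caches."""
    return sorted(peer for peer, counts in ov_states_by_peer(updates).items()
                  if counts.get("unverified"))


# Constructed sample: three route reflectors feeding one router.
# rr2 is the one assumed to have lost all connections to its caches.
ROUTE_TARGET_64496_1 = bytes([0x00, 0x02, 0xFB, 0xF0, 0x00, 0x00, 0x00, 0x01])
SAMPLE_UPDATES = [
    ("rr1", "192.0.2.0/24",     [encode_ov_state(0)]),
    ("rr1", "198.51.100.0/24",  [encode_ov_state(2)]),
    ("rr2", "192.0.2.0/24",     [encode_ov_state(3)]),
    ("rr2", "203.0.113.0/24",   [encode_ov_state(3)]),
    ("rr3", "192.0.2.0/24",     [ROUTE_TARGET_64496_1]),  # no OV state attached
]

if __name__ == "__main__":
    for peer, counts in sorted(ov_states_by_peer(SAMPLE_UPDATES).items()):
        print(peer, counts)
    print("unverified from:", peers_reporting_unverified(SAMPLE_UPDATES))
```

Run stand-alone it lists the per-peer tallies and names rr2 as the peer sending "unverified"; rr3 shows up only as "absent", which is exactly the ambiguity (administratively disabled versus enabled but failed) that the quoted text says cannot be resolved today without logging in to the router.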