[Sidrops] AD Review: draft-ietf-sidrops-roa-considerations
Warren Kumari <warren@kumari.net> Sun, 08 January 2023 19:12 UTC
Return-Path: <warren@kumari.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A20EFC14EB1E for <sidrops@ietfa.amsl.com>; Sun, 8 Jan 2023 11:12:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.853
X-Spam-Level:
X-Spam-Status: No, score=-5.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z9VMbfCxY2qy for <sidrops@ietfa.amsl.com>; Sun, 8 Jan 2023 11:12:35 -0800 (PST)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9596BC14F719 for <sidrops@ietf.org>; Sun, 8 Jan 2023 11:12:35 -0800 (PST)
Received: by mail-qt1-x82a.google.com with SMTP id bp44so6464509qtb.0 for <sidrops@ietf.org>; Sun, 08 Jan 2023 11:12:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=aabaa+8JEjPQWiITGDjJzCW2CZnfpYsndVSqnHaUSjw=; b=CbaITZfvC/YPjdaqkKbcmoDq8obQjhyrUk8mIj9E1vXnsEZQF2OXQC/aPDkuv1UrNB MS5V/bPOhTK41wLDfMn+FHGuURYFbY3syy4EBRqUElDa4XVuxjcTaP4+ScwweIj2/KYs HC/T/Ua2fKEjCg3i0tBw0zfBJENnki+ACJt6EpcQ079PDUOmEWndvkl64xTmQVTxivxE wisNf12KEiF6JGTLKuwxfs6cQM/BGyROaiP7TKohRqR/PdZw6CMUR9TfkmWxKPls19su MtWzD6LjN/qRDd8CKiFCpFpZDYDMWCYBi1TCEW9x2txNaj0w0rCYlBWrhMlC0GGC6XRB 96rA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=aabaa+8JEjPQWiITGDjJzCW2CZnfpYsndVSqnHaUSjw=; b=Bz1qBqt/b7VcL+sHGIxEnDX/LoTVBl3pav/Acr1p1kbaKqLMFAgshL4rocP5LoEBo7 o0s7Lk4V1ey/Lc9rablX7QPhBaclnQC9OCzB/yE4Bw1r0WMMa9Q4YY0yotq7HjJEwBb+ w17KBxUTuGjuQJfVns6+S1VwCgglpZagr7SgsyPUTStzqDloVE5hoVWlQtRTTjszT6Qd UnD/UXdiJXTFarBMMfVDx4Ixg17aa9wyHhzpohXNfnsPJpRK3s/hTQ5+b55vwqk6anOt aZQ8NP2FW460/vRjoteh7aMpe7gIK3JWsJesW0i96eYCiZkwHR1eU6niqHNTHIHT8jBu jJVQ==
X-Gm-Message-State: AFqh2kpIlYEw7nc81UFmxfLCRYBKqI2TpiG2/0oFPQecSgkN2jKVwWNo YzerpPoD5IrknK5hQAc574F6zpHnvldI4x1HZrRMaeTxlk8R5VEft80=
X-Google-Smtp-Source: AMrXdXvHyLZ/94gwPgfAWTCqHuJmoEocjjiemDUbTAHtcDSKS4XF4zdfod5tLTU+wetBTYvE9lnPBKVMaKl/yPdQkkk=
X-Received: by 2002:ac8:4416:0:b0:399:ba6b:d782 with SMTP id j22-20020ac84416000000b00399ba6bd782mr2888943qtn.27.1673205153711; Sun, 08 Jan 2023 11:12:33 -0800 (PST)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Sun, 8 Jan 2023 11:12:33 -0800
Mime-Version: 1.0
X-Mailer: Superhuman Desktop (2023-01-06T23:05:55Z)
X-Superhuman-ID: lcnr4utb.ea0d653e-3241-462b-bf86-3bdeaf072d88
X-Superhuman-Draft-ID: draft00991fcdf9475b9e
From: Warren Kumari <warren@kumari.net>
X-Superhuman-Thread-ID: draft00121199325c2390
Date: Sun, 08 Jan 2023 11:12:33 -0800
Message-ID: <CAHw9_iLwdoeH93SEPrToroXJu+USP07LvhwD-16BfowRr9DnSg@mail.gmail.com>
To: SIDR Operations WG <sidrops@ietf.org>, draft-ietf-sidrops-roa-considerations@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d2ded205f1c56e5b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/uZNtu1JWFdQM_s3LzVdD10eI-og>
Subject: [Sidrops] AD Review: draft-ietf-sidrops-roa-considerations
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jan 2023 19:12:41 -0000
Hi there, authors (and WG),
Thank you for writing this document.
I think that what it is trying to accomplish is useful; but, unfortunately
I think that it needs a fair bit more work to be clear enough to publish.
The entire document seems to be "A ROA is an atomic entity, and can be
either be valid or invalid. As a single invalid prefix makes the entire ROA
invalid, it is recommended that ROA creators minimize fate-sharing by
ensuring that each ROA only contain one prefix. Unfortunately this may not
always be feasible, and so this document includes guidance on deciding when
to include multiple prefixes in a ROA." (actually, it doesn't really seem
to do that latter — Suggestion #2 just seems to say "Well, sometimes you
can't, so… ¯\_(ツ)_/¯ ")
I think that the suggestions / recommendations section needs a fair bit of
work and discussion; I'm trying to decide if I should return the document
to the WG for focused discussion or if I should continue to hold it.
Again, I do think that the purpose of the document is good. Once it is
sufficiently clear and understandable, I think it will be very useful.
Comments / questions:
1: Abstract:
"This memo analyzes some operational problems which may arise from ROAs
containing multiple IP prefixes and recommends avoiding placing multiple IP
prefixes in one ROA as possible."
I'm unable to parse this — I think that there is a word or phrase missing
before "as possible".
Perhaps: "in one ROA as a possible mitigation" or just s/as possible././ ?
2: Introduction;
"However, at present there are no mandatory requirements describing that
the address space holders must issue a separate ROA for each IP prefix or a
ROA containing multiple IP prefixes."
I'm a little confused by the wording of this, probably because of the
"mandatory requirements describing" phrasing. I think that what you are
trying to say is either:
1: "However, at present there are no mandatory requirements that the
address space holders must issue a separate ROA for each IP prefix."
or
2: "However, at present there is no guidance to assist address space
holders in choosing to issue a separate ROA for each IP prefix or a ROA
containing multiple IP prefixes."
I *think* that you were trying to say #2 (and that this document provides
this)?
3: Problem Statement
I think that this section needs a bunch more references so that people know
what is being discussed — as an example: "A Certification Authority (CA)
may issue a separate ROA for each of its routing announcements." Are you
actually talking about a CA here? When someone starts reading this document
and comes across this sentence I suspect they will be *very* confused… This
needs (at least) references to RFC6480 Section 7.1, 7.3.
4: Suggestions
I think that these suggestions / recommendations are very poorly worded /
unclear.
#1 seems to be a recommendation, but #2 is more of a "if you cannot do #1,
then do this instead", so I think that there is actually only one
recommendation ("Just one prefix per ROA")?
"1) It's the most important to guarantee the stability and security of
RPKI, and it is recommended to include a single IP prefix in each ROA in
default."
This is really hard to parse - the recommendation seems to be that, by
default, each ROA should only contain a single prefix. Ok, cool… but it
this really to "to guarantee the stability and security of **RPKI**"? And
is that really the most important thing?
Isn't that the important thing here to ensure that the routing
announcement(s) remain valid and stable? And even if this recommendation is
followed, it doesn't *guarantee* this - it does help mitigate issues /
remove complexity and shared fate, but it doesn't guarantee anything.
"2) In some special scenarios, where the resource is very stable, a CA has
operational problems producing increased number of individual ROAs, or to
avoid the possible affects on RP performance, the CA may choose to
aggregate multiple IP prefixes."
This is really hard to parse, and also really low on detail — from a
readability standpoint it would be improved by changing to "2) In certain
scenarios, for example when the resource is very stable or the CA has
operational problems producing many ROAs, or to mitigate negative effects
on RP performance, the CA may choose to include multiple IP prefixes in a
single ROA."
But, I think that this section requires significantly more text to help an
operator make this / these decisions — are these the only scenarios where
they should include multiple prefixes? How many ROAs is too many (either to
expect a CA to be able to create, or where you might negatively affect
RPs )? (as an aside, "RP" needs to be expanded / a reference).
In addition, I don't think that including multiple prefixes in a ROA really
counts as "aggregat[ing] multiple IP prefixes." - but this does raise an
important point which is not covered in the document.
If I currently have 1 ROA containing 192.168.0.0/24 and 192.168.1.0/24,
should I be making 2 ROAs (which the document seems to suggest), or should
I make one ROA containing 192.168.0.0/23? Surprisingly, the document makes
no mention of maxLength / RFC9319.
Nits:
1: Intro
O: "In Resource Public Key Infrastructure (RPKI), Route Origin
Authorization (ROA) is the digitally signed object which identifies that a
single Autonomous System (AS) has been authorized by the address space
holder to originate routes to one or more prefixes within the address
space[RFC6482]."
P: "In Resource Public Key Infrastructure (RPKI), a Route Origin
Authorization (ROA) is a digitally signed object which identifies that a
single Autonomous System (AS) has been authorized by the address space
holder to originate routes to one or more prefixes within the address space
[RFC6482]."
C: Grammar nits, but I also changed "a Route Origin Authorization (ROA) is
the digitally signed object " to "a Route Origin Authorization (ROA) is a
digitally object" — having "the" made it sound like there can only be one
ROA for the address.
2: Problem Statement
2.1: "Besides, the CA certificate issued… "
and
2.2: "Furthermore, the use of ROA with a single IP prefix…"
These both start new paragraphs, and the "Besides" / "Furthermore" make it
sounds like they are continuations of an existing thought. I'd suggest
dropping the "Besides" / "Furthermore" to aid readability…
3: Suggestions
I think that this section title should be "Recommendations", but I'm not
actually sure (see above).
4: Security Considerations
"This memo does not give rise to additional security risks."
Really? It seems that suggesting that e.g: people take a ROA with many
thousands of prefixes and create thousands of individual ROAs *could*
theoretically cause stability issues (and so potentially DoS). Also isn't
the whole purpose of this document to make recommendations which improve
stability? If I ignore these recommendations, and my ROA for 192.168.1.0/24
becomes invalid (because I included some other prefixes) causing my route
to fall off the Internet (and so users follow 192.168.0.0/16 to EvilCorp),
isn't that a security consideration?
5: Acknowledgements
"7. Acknowledgements
The authors would like to thanks the valuable comments made by
members of sidrops WG and the list will be updated later."
It seems like "later" has come - can you please update the Acknowledgements
section?
Thank you again; I know that making edits to address nits can be annoying,
but we are expecting many people to read and review the document, and so
having it polished is important and polite (also, once people start
commenting on nits, they seem to continue :-) )
W
- [Sidrops] AD Review: draft-ietf-sidrops-roa-consi… Warren Kumari
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Russ Housley
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Geoff Huston
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Warren Kumari
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… 延志伟
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Warren Kumari
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Job Snijders
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Randy Bush
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Tim Bruijnzeels
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Randy Bush
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Warren Kumari
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Tim Bruijnzeels
- Re: [Sidrops] AD Review: draft-ietf-sidrops-roa-c… Job Snijders