IETF Logo Mail Archive

Re: [Sidrops] Which 8210-bis error code should be used?

Claudio Jeker <cjeker@diehard.n-r-g.com> Wed, 07 June 2023 13:50 UTC

Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 472F2C15199A for <sidrops@ietfa.amsl.com>; Wed, 7 Jun 2023 06:50:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.893
X-Spam-Level:
X-Spam-Status: No, score=-6.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b2YyLI9IqH2C for <sidrops@ietfa.amsl.com>; Wed, 7 Jun 2023 06:50:28 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5F64C151994 for <sidrops@ietf.org>; Wed, 7 Jun 2023 06:50:27 -0700 (PDT)
Received: (qmail 19713 invoked by uid 1000); 7 Jun 2023 13:43:43 -0000
Date: Wed, 07 Jun 2023 15:43:42 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: Yangyang Wang <wangyy=40cernet.edu.cn@dmarc.ietf.org>, "Hollyman, Michael" <mhollyman=40verisign.com@dmarc.ietf.org>, SIDR Operations WG <sidrops@ietf.org>, draft-ietf-sidrops-aspa-verification@ietf.org
Message-ID: <ZICJjsmMcuQr55Sn@diehard.n-r-g.com>
References: <F338C878-E41A-4DB7-A4C6-1CEE0A6F6502@verisign.com> <003401d9993d$6b03db90$410b92b0$@cernet.edu.cn> <C1A9142F-F938-42F2-970E-3C2B85044019@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <C1A9142F-F938-42F2-970E-3C2B85044019@nlnetlabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/ukmttZs-DOU5XCQIxdnvdRJbZho>
Subject: Re: [Sidrops] Which 8210-bis error code should be used?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2023 13:50:29 -0000

On Wed, Jun 07, 2023 at 03:02:25PM +0200, Tim Bruijnzeels wrote:
> Hi,
> 
> I have been trying to think through how dropping the AFI limit could
> negatively impact ASPA security. I.e. do I need the ability to express
> different authorisations here?

Please remember ASPA is not a security feature. It is there to prevent
route leaks via hairpins and leaky peerings. If you want security you need
bgpsec.
 
> The one scenario I can think of where this could have a slight impact is
> in case of partial ASPA deployment, where one of my providers that I
> only use for one AFI (say I only do v6 with them) did not deploy ASPA,
> and all my other providers where I do IPv4 do deploy ASPA. In that
> particular corner case I would be slightly better protected against
> (long) path spoofing for my v4 space if I could set the AFI limit to v6
> for that one provider. But.. I think this really is a corner case - it
> assumes that all my other (v4) providers do ASPA - if one of them does
> not, then having the limit makes no difference.

There are a fair amount of ifs packed into this. If you have a provider
that only does one AFI that does not do ASPA...
So this is really an edge case. Also the problem is not the v6 only
peering, the problem is the missing ASPA record for that provider.

> I would probably be better off to urge my (in this case v6 only)
> provider to deploy ASPA as well. Or look for another provider that
> would.
> 
> Because in the bigger picture the cost in complexity is significant. And
> I actually expect many more issues due misconfigurations and bugs
> because of that complexity compared to what would be improved in
> security by keeping the limit.

I very much agree with this.
 
> Tim
> 
> 
> 
> 
> > On 7 Jun 2023, at 14:41, Yangyang Wang <wangyy=40cernet.edu.cn@dmarc.ietf.org> wrote:
> > 
> > Hi all,
> > 
> > A little opposite opinion :)
> > 
> > I support " It is here but don't use it".
> > It can make the information more accurate for edge cases or some fake link hijacks.
> > All provider ASNs are listed (just like no afiLimit), and each provider AS is listed only once and is labeled with afiLimit  (just additional attribute information, if like).  Its values MUST be 0000 for ignored (not omitted), 0001 IPv4, 0002 IPv6.  If a customer-provider appears in IPv4 and IPv6 topology, no duplicated PDUs for IPv4 and IPv6, and no need to maintain two tables.
> > It is here. How to use (or not to use) it depends on uses (implementors, operators, etc). For example,  do not process afiLimit. But if users need this information, they can use them without protocol change.
> > 
> > Yangyang
> > 
> > 
> >> -----Original Message----
> >> From: sidrops-bounces@ietf.org [mailto:sidrops-bounces@ietf.org] On
> >> Behalf Of Hollyman, Michael
> >> Sent: 2023年6月2日 1:54
> >> To: sidrops@ietf.org
> >> Cc: draft-ietf-sidrops-aspa-verification@ietf.org
> >> Subject: Re: [Sidrops] Which 8210-bis error code should be used?
> >> 
> >> I tend to agree with Claudio and Martin here. I think the afiLimit should be
> >> removed from ASPA, if possible, or it will become just like max-length: "It is
> >> here but don't use it."  There shouldn't be any inference of intent in ASPA
> >> when one is published with an AFI and another without.
> >> 
> >> It appears to me that the spirit of ASPA is to simply list the provider ASes
> >> for a CAS. Keeping that simple and by AS, not by AFI, seems to be a logical
> >> choice.
> >> 
> >> Full path control is BGPSec. ASPA is an incremental step forward in
> >> preventing leaks and some hijacks.  Simplicity of ASPA should be the key in
> >> order to gain the most acceptance and usage.
> >> 
> >> Mike
> >> 
> >> On 5/24/23, 03:39, "Sidrops on behalf of Claudio Jeker" <sidrops-
> >> bounces@ietf.org <mailto:sidrops-bounces@ietf.org> on behalf of
> >> cjeker@diehard.n-r-g.com > <mailto:cjeker@diehard.n-r-g.com>> wrote:
> >> 
> >> 
> >>> I would love to remove the optional afiLimit from ASPA.
> >>> I brought this up a few times (well before there was any
> >>> implementation of any ASPA draft) and every time the answer of some of
> >>> the authors was no (without any particular reason).
> >> 
> >> 
> >>> As one of the developers of the first RP and only BGP implementation
> >>> handling ASPA I would enjoy to remove all the code required to handle
> >>> the afiLimit. We probably control most test deployments (RP and BGP
> >>> side) and are willing to make this change.
> >> 
> >> 
> >>> --
> >>> :wq Claudio
> >> 
> >> 
> >> _______________________________________________
> >> Sidrops mailing list
> >> Sidrops@ietf.org
> >> https://www.ietf.org/mailman/listinfo/sidrops
> > 
> > _______________________________________________
> > Sidrops mailing list
> > Sidrops@ietf.org
> > https://www.ietf.org/mailman/listinfo/sidrops
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

-- 
:wq Claudio

v2.23.0 | Report a Bug | By Email