IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Amir Herzberg <amir.lists@gmail.com> Sun, 19 March 2023 12:48 UTC

Return-Path: <amir.herzberg@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86089C14CE38; Sun, 19 Mar 2023 05:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t_EejZ-8SMyr; Sun, 19 Mar 2023 05:48:37 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A32E3C14CE30; Sun, 19 Mar 2023 05:48:37 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id m2so8056831wrh.6; Sun, 19 Mar 2023 05:48:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1679230115; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/YCEWZFdomZRLx+kGAuTwC5tD3bAUPBXnCuZ6tvDNkM=; b=Krv84KrC9YOWCSR9s+BHlzDKPxO3345AQi3yAbffN2Ctt9bubbPlR0fjNlYo89TxeO SgVfVqCLdWiv0U4z4/EsH2gFAkqRZUmhGTv4UPeYD+X/jgFlTnPQOHMhoDGtDtCEmp9l rI0AupvjI4yf514ZCuD16ZE8gq+Uus+6VnKHXahoRmzTd9QfVAv7J6L42h56WD9dE4EQ I8NBLSXsAKPYQoF8EUkzhIbePF0SR86IbLJZvIeE0SckrnaOOB//SuEFnS3EijKWTd+O wZ7CUSH9fmb7ICp7Ej3pS3J9L6rSHvaqTmxfgGClCcsXL47BAz47saQuQDsbC3wnw8XR 1Iow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679230115; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/YCEWZFdomZRLx+kGAuTwC5tD3bAUPBXnCuZ6tvDNkM=; b=wt1eRi8ihITyzoqmsUEouvvLzdZBrh/B9+xIxl9uXQlanL+WdAN9s/RW27fVd9NgpQ 1eawWbq7fZyKY/FVvtY1WVDN5A21ydyfqUxZbqQmmLqBQDXalJugcmjIHNoJ/gKWYvbx k/LaJQV4awHhOAjt4MBQ9kE45zyfKOOxvDQhLXU3g1M5Wndz6OwWx2f1jYfORPujcSMH vOPfR/NJ+hNiMkDvcwdjFqbS+T4NvZAKE9LJLSQZ2gG7nCuNBFjwAFs0C+3iM+lzamn/ 7/VJFKvMLhJFySad758CwqAx9qBcRDOg67sVJfWshOpFsnpiHiy689+joBgyvAh7OjBU 85tw==
X-Gm-Message-State: AO0yUKUBjnEgtf4rgbPdQBvj3ETrJc6NPhHMoM4wKGe3jB4xm2Ms7tKB MwcNxVSvTUiKJJ925du2FrzxdamK8xnTaBudPhgT9azB
X-Google-Smtp-Source: AK7set9E/er1pkOEpMuWT69EjVVqj/JTXzZRJ73JlT5Q4LE0xJVUAwomxrD3Eu7A+chUuvQVv5u303WcM2B8wRxxXW0=
X-Received: by 2002:adf:e8ce:0:b0:2d4:4f2b:965a with SMTP id k14-20020adfe8ce000000b002d44f2b965amr841970wrn.14.1679230115514; Sun, 19 Mar 2023 05:48:35 -0700 (PDT)
MIME-Version: 1.0
References: <SA1PR09MB8142730B230AF79921756DD384829@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142730B230AF79921756DD384829@SA1PR09MB8142.namprd09.prod.outlook.com>
From: Amir Herzberg <amir.lists@gmail.com>
Date: Sun, 19 Mar 2023 08:48:24 -0400
Message-ID: <CAHBw0M_LrM9Rs3ogku=V3GtiRBpihwivi+mL83ikfUjv4WzZ4w@mail.gmail.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000880f1f05f7403a10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/unnLMEgcUF-YC0ik78oEyJWozR4>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Mar 2023 12:48:38 -0000

Sriram, these responses address all of the issues I was able to identify.
Thanks! Amir
-- 
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures:
https://sites.google.com/site/amirherzberg/cybersecurity




On Sat, Mar 18, 2023 at 6:51 PM Sriram, Kotikalapudi (Fed) <
kotikalapudi.sriram@nist.gov> wrote:

> Hi Amir,
>
> Thank you. Thanks also for the off-list discussion earlier to clarify
> several points between us.
> My comments are inline below.
>
>  >I've reviewed this draft and recommend advancing it, I think its adoption
>  >is relatively-easy and can have significant benefits - Kudos!
>  >
>
> Great to hear that. Thanks.
>
>  >I have few comments, nothing critical though.
>  >
>  >1. section 2, change the language and say that an AS  _MAY_ export any
>  >announcement, including from non-customers, to sibling AS. The current
>  >language may be interpreted as if siblings necessarily export everything.
>  >
>
> OK, good. Will make that change in v-13.
>
>  >2. section 4:  clarify that ASes A, B which are siblings MUST either both
>  >register the other (in SPAS), or neither register the other in SPAS. I'm
>  >concerned that if you don't clarify this condition, then we may have
>  >deployments where A registers B in its SPAS but B doesn't register A in
> its
>  >SPAS. Let C be  a provider of  A, and consider an announcement which A
>  >receives from C and exports to B, which exports it to a customer D (who
>  >adopts ASPA). Then D may (incorrectly)  filter this announcement (since
> it
>  >appears to have been sent `up' from A to B).
>  >
>
> Yes, good point. Will clarify that in v-13.
>
>  >3. 2. section 4: you refer to  an ASPA object `showing only AS 0 as a
>  >provider AS' as an AS0 ASPA. It leaves the possibility of an ASPA object
>  >showing as provider AS both AS 0 and another AS. I think you better
> forbid
>  >this explicitly, i.e., AS 0 should only appear as the only provider AS
> (if
>  >it appears at all).
>
> OK, good catch. Will add appropriate wording for that.
>
>  >
>  >4.  section 4: you say that all ASes MUST have an ASPA. I think this
> should
>  >be only SHOULD as we can't really require/force ASes to adopt a standard.
>  >Or just say that this requirement MUST be met by ASes compliant with the
>  >current specifications.
>  >
>
> Yes, will make this substitution:
> s/ Any AS, including an RS AS, MUST have an ASPA. /
> A compliant AS, including a compliant RS AS, MUST have an ASPA. /
>
>  >5. section 5: in the hop-check function, the value `Provider' should
> better
>  >be renamed to allow for the case the AS(j) is a RS or sibling of AS(i).
>  >Probably best to change the terms in ASPA_Profile too. I realize this
>  >change is a bit problematic since what we mean is really something like
>  >`effective/extended provider', and people are already used to it too, but
>  >maybe something like eProvider or extProvider will work? or UPok? In any
>  >case, using exactly the same term for two different concepts - even with
>  >explanation - is bound to cause confusion and may result in
> implementation
>  >errors.
>
> As discussed off-list, your other suggestion 'Provider+' seems be the best
> term to use.
>
> So in the equation for the hop-check function in Section 5:
> s/Provider/ Provider+/
>
> Will also add a paragraph before the equation in Section 5 as follows:
>
> The term "Provider+" in the definition of the hop-check function
> is meant to encompass the possibilities of Provider, RS, or Sibling.
> An RS is effectively a Provider to its RS-client. Siblings regard
> each other as Provider and include each other in their
> respective SPAS (see Section 4).
>
> Also, in Section 6, all the instances of "Provider" in association with
> the hop-check function, hop(..), will be replaced with "Provider+".
>
>  >
>  >and here are some even more minor comments (nitpicks):
>  >
>  >- in section 2, clarify that the relationships, except siblings, are
>  >defined in RFC9234
>  >- in section 4 add reference to definition of non-transparent RS AS (or
>  >define)
>  >- In 6.1, s/ AS(i)in/ AS(i) in/
>  >- also  in 6.1: s/ For 2 <= i <= N, if there is an i/If there is an i
> s.t.
>  >2 <= i <= N and/
>  >- in 6.2, step 4, s/find the lowest value of v/find the lowest value of
> u/
>
> All good catches. Will fix these.
>
> Hopefully, my responses adequately address your concerns.
>
> Sriram
>

v2.23.0 | Report a Bug | By Email