IETF Logo Mail Archive

Re: [Sidrops] draft-ymbk-sidrops-ov-signal-02

"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Wed, 24 July 2019 19:36 UTC

Return-Path: <oliver.borchert@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DD8F1204B2 for <sidrops@ietfa.amsl.com>; Wed, 24 Jul 2019 12:36:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ep5NfCT1Bmyl for <sidrops@ietfa.amsl.com>; Wed, 24 Jul 2019 12:36:47 -0700 (PDT)
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (mail-eopbgr840118.outbound.protection.outlook.com [40.107.84.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6195C1204EB for <sidrops@ietf.org>; Wed, 24 Jul 2019 12:36:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KpcLvDoR6nIQvwPQjP0dhtHVXBu/88zR83i7RCBRecrbUA1tHRQRswxuZ/+z2l4rX220Wb8lc/8pVUDRPiVvRhD3Oprn3lE7Szc4DTFteMgND25OYx93CulXWzG5OO5DOsjYDYbbxpc+bmGbdIX/Wqfth89Xo5T7Qx0Xc39iP4+bJr7hP/V1gSyPQH/VZcLr4ITmCBl0Jx72jd39mDNrCrp7wFFhsMfyYHGO13DrUuEkZHiMEo0d8Uw1S6CzHsIlSSHsUSAZZETdYSLiWO42XSLgnAsR88/ml8A4V6iUttgZqCEgPOQsRDC10Er+EFKdj1VpqLr60sB82kpMLqnmkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RgRGrrVaArC1euqwvJl2/shur5S5dqXFGCCU9kWbX3Y=; b=kYwaNz22JNnDtAp+C8hJcsKxxLjSvjDR8fpzccuAyCjM+lyMLuMOR3Ije0L7v1+b58qFfXTiGqkdT6BlqxCQcNmzcJUYwajun6Nk91v4oL7q/dvaLD+kCXU2/2z9vV2NsK7xKZYSLn2d3qeSZ1Xu6SXTY5rqL2xoPmdXsAxyHthpzJ0qbdwmO93Uq4b1I+ruc4XHSP2BGq+j4/xShCMFKjCWstN5Xi7yPaxF7pGm176uhl3lScvdIl79+BCTo9pW293fBwA7Op4fk20/c6h4TN6ifrULMSskXXqFLfxpWukOwU86wo//xhybohJu32roYp//C4PCSFRLH7DhIl1uvA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=nist.gov;dmarc=pass action=none header.from=nist.gov;dkim=pass header.d=nist.gov;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RgRGrrVaArC1euqwvJl2/shur5S5dqXFGCCU9kWbX3Y=; b=2B0rwkiAzD1h+1j3Na8S6KcCVGrnwWfi/3Vh0kxgX9Gu5ZBPcQsOSur1cwXdHDB+BJ9QN6od4Xu0X8GNGm3kbQBeKvM9cAX208KPuhxjniuJF/nluXvEqzYf+GKig9PHnFEwqvMOSxWYzoxr4kQmGkAH1wkQX4YPNmRzRI4IOYI=
Received: from CH2PR09MB4203.namprd09.prod.outlook.com (10.186.136.71) by CH2PR09MB3959.namprd09.prod.outlook.com (52.132.229.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.10; Wed, 24 Jul 2019 19:36:45 +0000
Received: from CH2PR09MB4203.namprd09.prod.outlook.com ([fe80::9c7c:9748:90f1:5c70]) by CH2PR09MB4203.namprd09.prod.outlook.com ([fe80::9c7c:9748:90f1:5c70%4]) with mapi id 15.20.2094.017; Wed, 24 Jul 2019 19:36:45 +0000
From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, Job Snijders <job@instituut.net>, John Scudder <jgs=40juniper.net@dmarc.ietf.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] draft-ymbk-sidrops-ov-signal-02
Thread-Index: AQHVQZfqdZEC8Ka1Vk6EHyhMX0ZkL6bYr+eAgACELECAALPtgA==
Date: Wed, 24 Jul 2019 19:36:45 +0000
Message-ID: <4F31DC47-D4B9-4201-8C84-47A471EED065@nist.gov>
References: <77600356-557E-43F6-82AB-5AFFB830B984@juniper.net> <CACWOCC-qhjA1L6Xoi2J4cvW=Ksor3wENXc8wgmwQqHCYKZ6wVw@mail.gmail.com> <BYAPR11MB375178BDAA447C3C6A052460C0C60@BYAPR11MB3751.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB375178BDAA447C3C6A052460C0C60@BYAPR11MB3751.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.16.1.190220
authentication-results: spf=none (sender IP is ) smtp.mailfrom=oliver.borchert@nist.gov;
x-originating-ip: [2001:67c:1232:144:c9fd:484d:bfee:c1f0]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3378fa71-b260-4ac1-ac2e-08d7106e4353
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:CH2PR09MB3959;
x-ms-traffictypediagnostic: CH2PR09MB3959:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <CH2PR09MB3959AD8642AA78B9604E602798C60@CH2PR09MB3959.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0108A997B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(376002)(39850400004)(136003)(396003)(13464003)(199004)(189003)(6506007)(76176011)(53546011)(6512007)(66946007)(66574012)(36756003)(58126008)(76116006)(316002)(14454004)(102836004)(305945005)(7736002)(6116002)(46003)(6486002)(86362001)(81156014)(25786009)(99286004)(53936002)(66446008)(486006)(8676002)(6436002)(66556008)(66476007)(6246003)(5660300002)(81166006)(91956017)(8936002)(68736007)(966005)(2906002)(6306002)(229853002)(446003)(64756008)(4326008)(33656002)(11346002)(561944003)(110136005)(476003)(478600001)(71190400001)(71200400001)(45080400002)(186003)(14444005)(256004)(2616005); DIR:OUT; SFP:1102; SCL:1; SRVR:CH2PR09MB3959; H:CH2PR09MB4203.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: PvqGMzFZfQddqHVEiKOP9YvuX7/TNX/pzDe8K/LX+AYz0QNsr51Ib79liEoBR2QIAAjrbnt8omheMLaUxYQaWuBmEMF84UU+SftLbOnzUVWc8HiM7hfyZUM+lLxbKLwW2d6YCJ9FfaiP4Ro87eFq7/J7/37sEOfIssrlez0uUNemV/AfiJTK9gnqORDvzFmD2q3mTw2PiADcw1X2SzjjrpOleuA3r7yQ3WdtIetACxGk0AeE4lgfoF0S8J8mfdVKBcxeNb6GXjuBIvDqiHGdFbsnbPeNDy19muDzUSpbMJUbl29T2bB/hf+PAFT4D9+7ZZWdvilggyV97DqO6GP2Qw02RD5tUfyL0wjuBiLzlrs9dEmqO16olNiPOAC6DdRAH7aJ3hhj58uoQZwA2VZTlKi9kxzJlpcHKT0RCWHfo3E=
Content-Type: text/plain; charset="utf-8"
Content-ID: <1B136681EBE97644AC41E16225AD21C4@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 3378fa71-b260-4ac1-ac2e-08d7106e4353
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2019 19:36:45.6857 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: borchert@nist.gov
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR09MB3959
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/xN1XGFqa5KGeW3SjbhsKWJAvdPA>
Subject: Re: [Sidrops] draft-ymbk-sidrops-ov-signal-02
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 19:36:51 -0000

The NIST srx-server (external evaluator) actually does provide such outsourced RPKI origin validation - as well as BGPsec validation. 
For that we developed a protocol (srx-server-protocol - https://bgpsrx.antd.nist.gov/bgpsrx/documents/srx-server-protocol-1-0.txt.pdf) where the router requests RPKI origin validation (and/or BGPsec path validation) from the srx-server, which not only returns the validation state but in return starts monitoring the particular route and possible changes in validation due to changes in the RPKI. This "external validator" can be shared within an organization and allows centralized RPKI origin validation which assures the same validation state within all connected routers. 

Oliver

On 7/24/19, 1:01 AM, "Sidrops on behalf of Jakob Heitz (jheitz)" <sidrops-bounces@ietf.org on behalf of jheitz@cisco.com> wrote:

    If ROV results in an objectionable validity, then the route is never installed.
    If a "Sender" is to outsource the ROV procedure to an "Evaluator", then the
    Sender MUST NOT install the route until the Evaluator returns an acceptable
    validity.
    
    Regards,
    Jakob.
    
    -----Original Message-----
    From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Job Snijders
    Sent: Tuesday, July 23, 2019 2:00 PM
    To: John Scudder <jgs=40juniper.net@dmarc.ietf.org>
    Cc: sidrops@ietf.org
    Subject: Re: [Sidrops] draft-ymbk-sidrops-ov-signal-02
    
    I have questions about this draft as well:
    
    Why not tunnel VRPs inside BGP in a new AFI to populate the origin
    validation cache on the edges? I think the BGP protocol has sufficient
    hooks to model the RTR protocol fairly closely.
    
    Or perhaps I don't understand the appeal of this mechanism. Why not
    use RTR? Or if there is no room on the edge router for the memory a
    VRP cache? If there is no room, can it even do Internet BGP?
    
    Kind regards,
    
    Job
    
    On Tue, Jul 23, 2019 at 8:48 PM John Scudder
    <jgs=40juniper.net@dmarc.ietf.org> wrote:
    >
    > Things I would have said at the mic had time allowed:
    >
    > 1. For what it’s worth, RFC 4271 section 9.1 says you aren’t allowed to have this feature:
    >
    >    The function that calculates the degree of preference for a given
    >    route SHALL NOT use any of the following as its inputs: the existence
    >    of other routes, the non-existence of other routes, or the path
    >    attributes of other routes.  Route selection then consists of the
    >    individual application of the degree of preference function to each
    >    feasible route, followed by the choice of the one with the highest
    >    degree of preference.
    >
    > As I understand section 5 of the draft (as informed by Randy’s description), it is exactly mandating that we use the path attributes of other routes for the computation of the degree of preference.
    >
    > 2. Assuming we overcome that problem, there appears to be a stability and/or freshness issue:
    >
    > - RR client C advertises route A to RR
    > - RR checks A, decides it is invalid
    > - RR advertises A, marked invalid, back to C. Call this A’.
    > - C obeys section 5 and withdraws A from everyone (including RR)
    > - Following the normal operation of BGP, RR withdraws A' from everyone (including C)
    > - Now A’ is not in C’s Adj-RIB-In, but A is. I believe what Keyur said on the mic was that C is supposed to have persistently marked A as invalid in the earlier step, patching the obvious stability problem.
    > - Now suppose the content of the RPKI changes such that A is now valid.
    > … how does A ever find this out and un-suppress A? As far as I can tell, the answer is, “it doesn’t”. RR never sees a re-announcement of A, so it can’t re-validate and announce it to be valid. So it’s just wedged.
    >
    > 3. Finally, someone commented at the mic that the work to turn validation on at C is less than the work to debug, implement, and deploy this proposal. I agree.
    >
    > Given the above, I’m not in favor of adoption (though I’m always willing to be convinced).
    >
    > Thanks,
    >
    > —John
    > _______________________________________________
    > Sidrops mailing list
    > Sidrops@ietf.org
    > https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7C83d37cd06a20460e5cf008d70ff3fd5d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C636995412908927880&amp;sdata=2xEHuE%2Fi6cQVF3xtdQ1diYkB%2B%2BJtMzi1RKC8UJjRLj0%3D&amp;reserved=0
    
    _______________________________________________
    Sidrops mailing list
    Sidrops@ietf.org
    https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7C83d37cd06a20460e5cf008d70ff3fd5d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C636995412908927880&amp;sdata=2xEHuE%2Fi6cQVF3xtdQ1diYkB%2B%2BJtMzi1RKC8UJjRLj0%3D&amp;reserved=0
    _______________________________________________
    Sidrops mailing list
    Sidrops@ietf.org
    https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7C83d37cd06a20460e5cf008d70ff3fd5d%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C636995412908927880&amp;sdata=2xEHuE%2Fi6cQVF3xtdQ1diYkB%2B%2BJtMzi1RKC8UJjRLj0%3D&amp;reserved=0

v2.23.0 | Report a Bug | By Email