IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Sun, 09 April 2023 16:55 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDA6BC13AE5A; Sun, 9 Apr 2023 09:55:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QcbxzcFG89IW; Sun, 9 Apr 2023 09:55:47 -0700 (PDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on2072c.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d05::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CC20C151527; Sun, 9 Apr 2023 09:55:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PD6FE+qmedumDq1aYQgLo6wJdv5cnkdIVVZqgteA+4PuZxilUbvNtG6dAnqgvVExeoRG8ITsxFq1E4Zcik0ttW+m/hGoXF2usStnBsHA3tSJFxILR55pYe0wBS3G0nr5fwcvHj9ympwiwGMRyc4zL7fcnsDOsWlD+6vIcaBrSAnasS0lUK/mPpP1dyrfUPpRFXhXd0IQ4WiU1PQFb52Jq7+FBMLm3RT4utNAKh49E/N+7K/UWCVrnOEut7Z2WS0jkaZhHgUPsTuA1wqWD7ux0ebocdBUlWOl6o8sC3G1YMuKmJpdq+6O09z9S2YDqwSdTDtDZ++Zj2yjKBa3aFoZhA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=q+ohWuU57iFA5hleIdBobks3zCr/fPSNNM19VsDSDCw=; b=JmioXtJi0m9C0huOPimOGU9Q3Ym4HDsSsa0WZlWrF4yv4Ys6W6Sn5Y/XP+VHbxi2bkrH8pjldtdX7XqmN0rTaukb2zWm37yxPq5RZbppdb3OWPHOx6xyyKUpjMIBB+cCC3ceT8RdXbcef/jphwTagehrW/YJjBabTlU2kDDjfA7km6O1arJyJkioMmnT5SS+fz1lIz6n0xTb7dr7+ztmJ6ujRNR1IScGIhq2qwWEMqpTZq9/TagBTtwktpr4Npr3tHDCCrE/VUI3ZLRxwGpSLtMVAtIURVgYIky49tOX+DfXFYKPUrMPUTGVf7v9J0s2qrkn1TeCB7OxCTifGLh6eg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q+ohWuU57iFA5hleIdBobks3zCr/fPSNNM19VsDSDCw=; b=qkCJ1w3sjbGkOE6gdGqjwXjUonB+zSAZCvyPk0WFwplH62wIF/OdrTqjXi5oUxhwmOLGWlkOzXEGzaBOq2EgNeQTe8HeWQ8BfcCBig1RuqWdbMAMK0eF/HxWXWQMFuDQb51SBjtZeKSp0CwCZBHgSy5ZKWXDTRK60OU4JnFHatvbg2XpKGZKJCV0BWOu1FcXZ9oA6tjKlOMUnhO0F4RZOisOY0QR5ABMPVmF3XaeL/nrC8og4arqkyT8+d6aRadSIZbO5T0AKUw6EiNm0hbhaauADyWKANZvDkoeb5YT1O9x2yWB/G8KaO46wv0ueY99Wz33dyi8qmA6+hLCTEiPZQ==
Received: from SA1PR09MB8142.namprd09.prod.outlook.com (2603:10b6:806:171::8) by SJ0PR09MB9753.namprd09.prod.outlook.com (2603:10b6:a03:447::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6277.38; Sun, 9 Apr 2023 16:55:42 +0000
Received: from SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::226a:790b:a85c:d03e]) by SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::226a:790b:a85c:d03e%5]) with mapi id 15.20.6277.035; Sun, 9 Apr 2023 16:55:42 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, "draft-ietf-sidrops-aspa-profile@ietf.org" <draft-ietf-sidrops-aspa-profile@ietf.org>
Thread-Topic: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
Thread-Index: AQHZUV6mxB5bPFSj10Ch+S0fYxNY/K77vemAgAuycmCAB0/JAIAA8bzMgAUYigCADoB2AA==
Date: Sun, 09 Apr 2023 16:55:42 +0000
Message-ID: <SA1PR09MB8142B52236A6978E31E2B06684949@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <31FDE1E9-3E87-4011-B65B-C6B3A264303F@vigilsec.com> <SA1PR09MB81427B4A1B126A5D1C1E289C84CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142E41F2D6B537BCAA758F384CC9@SA1PR09MB8142.namprd09.prod.outlook.com> <CAL9jLaYz3OhcwBBcVMqnUseBR9J1ZyktcJo5YLeefQHMoYJu+A@mail.gmail.com> <CAL9jLaZ7eDc+zbhapS8dTYQKnTfgLd=MOPYw97-qcJ4eP6S6Mg@mail.gmail.com> <CAL9jLaYJ4ODfumG9Yk3-yv=_TaTSUeD++U4sGy7S-0xWcGBQPw@mail.gmail.com> <ZBGqSVL9sSqnAiJc@diehard.n-r-g.com> <SA1PR09MB8142E9F71F250B83062C724884869@SA1PR09MB8142.namprd09.prod.outlook.com> <ZCGcYHJ9PyrjgR+V@diehard.n-r-g.com> <SA1PR09MB8142EA7F33880679E9B509D384889@SA1PR09MB8142.namprd09.prod.outlook.com> <ZCatfCuHCwwHgSOq@diehard.n-r-g.com>
In-Reply-To: <ZCatfCuHCwwHgSOq@diehard.n-r-g.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR09MB8142:EE_|SJ0PR09MB9753:EE_
x-ms-office365-filtering-correlation-id: f4aa25d7-11cb-436d-222c-08db391b4121
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8rDQ/YjMEXpjxY35cKkL1TltKWBvVBCIcOg6Xjs0K5qlg/Mvs21HySEDgyW6TQCxTa6cVRGtYdL3JiBydNdEbfdy7eSp+2ah8W1VPa0xIjuT3QBYO2rmJTtUxspS+5HavM2ymcKDsEirPDTMOE3dhJyPONC9Z+mZd5i79z/naYdiXYdYa33ls2taAfLC3036tM4+Lz/+nK1hwW4uebOTv5VWedop1u6hfeMC+rgTCbF/yZMrDzUNTX3i4xhBFj7WlW8vtdz8JfJnoj8DjKW7FQiatRwOVDFHNvWUgs8+ZOukq1viSdBxpWbGaioJ7hTStbAa81FzhRY8CKQR+7PfiBuHAhZ2wDeC1u3qzJK84XnAn9/dZsHdN6XJXkW94I86NMFPzmQHnmrafFEZTITizTSifq3v8eTSckQrR8LOiU/mgjpy5/MlOaN9aGZoAdUz05uWRmg8SCsaMpQw8s+U/Bv4y185vTZirI9QxLD6HIpvdo7QmP6xSsET9llRVy5n7xYAsAg1M+PJN+bTw6P2WwlwuCfH5i4GuI5HLZYshlgIzxRzJDpSxTJiY1goagxtf8exjvcAD6ZPcL12Tz3PdCV1NeU296G7SXMleCylQ6NcR3PDM2iwqwzbIoQPflgL
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR09MB8142.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(366004)(451199021)(498600001)(7696005)(71200400001)(54906003)(9686003)(26005)(6506007)(186003)(2906002)(15650500001)(4326008)(76116006)(66946007)(5660300002)(64756008)(8676002)(6916009)(66446008)(8936002)(66476007)(52536014)(66556008)(38070700005)(122000001)(82960400001)(38100700002)(55016003)(86362001)(33656002)(83380400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 1JSAQ4/lbcirIvDbSULaL5Qo6t0XchUoDIdDGzL7X/BfKRW2gNwonLYK6hCvD9SlFqNBYX462vKXqYFmgNBbMSbEIXjDPLXN+BPyXJqVltVDJgdjKIaGaIxlZbGMnTA96LYpMTzcVDPzBxM9AERTNJ/ekn6UHI15wHPZWLSFWObL97fEiYlB9LXXCqAW4y5TbifJUsU094sWwF7gKb1Zb+CF7sjt3MwdPy22sSDWjoPFdkEr4XfU71RD29sLVTk3dk6IoSqeh95UbLTDHRYfxpUqmgFg19z8NQshoLZh2SQvvnv3NSscvE3uauNCCRr8xkbmjE+GBu6v0IYkGYNSn51rCfrwKmBqeieW5pMS3Et3eJqZi/v9Oa4GVfA2oz0vtQV55COCCNB6XNcyIJ2zgZo5tuM0tidax1L9Ck6WoqIHHrUSag6qcHBEFSlIhbeTjxbj2prrZ6CqJjcPCxqTqDRgR6x+QVSMsN7XOdej+wgqgt/ZU7+PcdZ1MvKs6Tt6uZWrVBckzD0OxVMCNU/pGxyWJHhq7CzLe6/Z8DM3tH9N5y8DSnJp93cU6AhV7vAgq2hXArrVoz50P/tcG3wcOCv32v102CsxPPYCnsw3qF5R5clPVFefoffytmgSNV5atK4CvZ9Ix2WD1GbG9uH2b7G5mff6GGMdfS9UlspsmdDlGRggKsiM1rqJp9MQOQAReA5BeYyEGvcHfyw1+b0m50via9XqvbJLPCSPRQe3xD0UZv0JAWuTEzoJvOInpRkqcGZHmH6moAIiF6aWbF6sh7IMKSZET7ZYHNhOp54XfmAmUf8q0ncIQCTX3BtSRCI91FES4l1aqDEjVsc/tHbpMDQcrwSmA9ykEnLNS/ibblvFt8mGZ75MwoRh5WKhPOAbNKgT7bPW2Uw358ENiDUZkTFUCfSCLxWUmK8MXCakUTk63lExKYBAiGuV9kogvii2lX1ejUIEsVwSBnpOeenSddoVQ+5+HKWg/HeNW+Y50VPlH6Uownh/8Q0TJiZh1EVi7UZijnOHLQm/+R/kyYbyh03fg7eC9Ss8j/NMeoch9iZ47uxBMFhR1Sx0iyEbEUVWOeludanytN+D5o4G8gSKFreigokB4TYfljnePMehm9E3NUmmM2XgjziNrUwBH1wRzIdPUe4KU9/JbkofdqFMYyGQBOgd1vW27Bavgzp/dcYYMnn0e+vPVhfAV8nles8KkBW3y0xJct/jNl2RAEbJrCksvi3Ygir15Bw+QGmpcCrRCs3ulNINAPSnkE+JKAXsTtMDIgZxcc/kTV+8Z+yvttLRUIjMDFUhmczp23LdnSuQQcZZ+3a3lweb75Y9o7N8SDlirHf+HxxIVbRDoMqfrCjks54D6Gj73M+yxvzns0dINjmnC0LApB3RvKlXoC5N57ULoftl+SVt+rrWFVLHxybHdroaumRc36MzSztJv6OCdaAoeTZvxO6YjDArgeGhq0mVz9aXV2WE+mFOYbpqAqFMu5rNB/uPYUxDnuHxPkHaULduNeOd9bY+JRyfjyycmcPKdfgGvZbCHN43w5YXvGHpKSxDBHPOh7ZPD+neSio=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR09MB8142.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f4aa25d7-11cb-436d-222c-08db391b4121
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Apr 2023 16:55:42.2141 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR09MB9753
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/xjl0B6BOsq6dRwwfg9hrxFvM2BQ>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Apr 2023 16:55:52 -0000

Hi Claudio,

Thanks again for your comments. I have a draft v-14 (verification) which I will upload to the IETF in a few days. I have incorporated your latest comments there. I have also provided edits for draft v-13 (profile) in Github where I have included new text to incorporate your comments that pertain to that draft (see text copied below).

>First of all I think large parts of Section 3 and 4 should also be added to the aspa-profile specification. An RP / RTR implementer may only glance at draft-ietf-sidrops-aspa-verification-13 and miss these bits.

The material in Sections 2 and 4 (verification draft) firmly belongs in the verification draft as it relates closely to verification. I thought there should be no repetition (of whole sections) but instead, a strong coupling was needed between the two drafts. I have done that with additional text in updated Sections 1 and 3 in the profile draft. I've added texts as follows:

In the Intro Section 1 (profile draft):

   The BGP Roles that an Autonomous System (AS) may have in its peering
   relationships with eBGP neighbors are discussed in
   [I-D.ietf-sidrops-aspa-verification].  The details of ASPA
   registration requirements for ASes in different scenarios are also
   specified in that document.  In addition, the procedures for
   verifying AS_PATHs in BGP UPDATE messages using Validated ASPA
   Payloads (VAPs) are described in that document.

In the Section 3 (profile draft):

   A user registering ASPA(s) must be cognizant of Sections 2, 3, and 4
   of [I-D.ietf-sidrops-aspa-verification] and the user (or their
   software tool) must comply with the ASPA registration recommendations
   in Section 4 of that document.

>I wonder if instead of talking about fixing ASPA(s) the text could be altered to work on the VAP-SPAS.

The text in Section 5 already talks about using VAP-SPAS in the hop-check function. It carries over naturally into Section 6 algorithms. 

>So it is clear that this fixup should happen in the BGP instance when compiling the VAP-SPAS tables.

I have added this new text at the top of Section 5 (verification draft):

   An implementation may make its own choice regarding maintaining a
   single VAP-SPAS table or two separate tables (i.e., one per AFI).
   The former choice may have the advantage of memory savings and higher
   cache-hit ratio, while the latter may be faster for memory lookups.

About the Provider+ terminology, I think that actually works well (Amir Herzberg also liked it). To think about hop-check outcome as Provider or Not Provider seem more intuitive (in the route leaks context) rather than some other terminology (like match and mismatch).

For further clarity, I have added this wording immediately following the hop-check function definition (in Section 5) where Provider+ is used:

   To be clear, this function checks if AS(j) is included in the VAP-
   SPAS of AS(i), and in doing so it does not need to distinguish
   between Provider, non-transparent RS, and Sibling.

>At least extend the RS to non-transparent RS in:
>       A provider AS ID included in the SPAS can correspond to a Provider, RS, or
>         Sibling.  An RS is effectively a Provider to its RS-client.
>
>Since the AS IDs of transparent RSs are not supposed to be in SPAS.

Done.  s/RS/non-transparent RS/. Good catch.

Thank you.

Sriram
==========================


-----Original Message-----
From: Claudio Jeker <cjeker@diehard.n-r-g.com> 
Sent: Friday, March 31, 2023 5:53 AM
 
Hi Sriram,

I had a look at draft-ietf-sidrops-aspa-verification-13 changes.

First of all I think large parts of Section 3 and 4 should also be added to the aspa-profile specification. An RP / RTR implementer may only glance at draft-ietf-sidrops-aspa-verification-13 and miss these bits.

I think Section 4 is quite good. It ensures that a CAS always includes something for both AFI. I wonder if instead of talking about fixing
ASPA(s) the text could be altered to work on the VAP-SPAS. So it is clear that this fixup should happen in the BGP instance when compiling the VAP-SPAS tables. I suggest that since the ASPA SHALL NOT not be rejected and since VAP-SPAS need to build the union of all all ASPA objects it is the right place to ensure this.

In my opionion the introduction of "Provider+" in Section 5 is not helpful. Also the whole additoin about possible roles is just confusing and not helpful. The Hop-Check Function is role independent it only looks at the SPAS set. So talking about roles is unnecessary there. If people put wrong things in their ASPA object they do get what they want.
If people think that "Provider" is an overloaded term then maybe some other alternative could be used:
   "Provider+" -> InSPAS or match
   "Not Provider+" -> notInSPAS or missmatch
   "No Attestation" -> keep term, noCAS or notFound

At least extend the RS to non-transparent RS in:
   A provider AS ID included in the SPAS can correspond to a Provider, RS, or
   Sibling.  An RS is effectively a Provider to its RS-client.

Since the AS IDs of transparent RSs are not supposed to be in SPAS.

I have no big opionion about Section 8 and 12 changes. My big conclusion from those sections is mainly that CAS should minimize the SPAS they announce (and a reason why I insist that non-transparent RS are not put into SPAS).

--
:wq Claudio

v2.23.0 | Report a Bug | By Email