Re: [Sidrops] WGLC for draft-ietf-sidrops-ov-egress-00.txt - ENDS 11/25/2019 (November 25 2019)

Randy Bush <randy@psg.com> Tue, 03 December 2019 14:33 UTC

Return-Path: <randy@psg.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40A9E120043; Tue, 3 Dec 2019 06:33:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBMgAom8cnP3; Tue, 3 Dec 2019 06:33:29 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CA2C12006E; Tue, 3 Dec 2019 06:33:29 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1ic9Ey-0006uW-Ai; Tue, 03 Dec 2019 14:33:24 +0000
Date: Tue, 03 Dec 2019 06:33:23 -0800
Message-ID: <m2pnh5zdfw.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Chris Morrow <morrowc@ops-netman.net>
Cc: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>, "keyur@arrcus.com" <keyur@arrcus.com>, "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-ov-egress@ietf.org" <draft-ietf-sidrops-ov-egress@ietf.org>, Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <877e3ekp6w.wl-morrowc@ops-netman.net>
References: <87tv6jbyjd.wl-morrowc@ops-netman.net> <25CB2E64-D0B5-4D5F-A59F-4864D1C340E7@psg.com> <m2blsr1qzl.wl-randy@psg.com> <9AEB8712-8C36-4831-B119-87334D74CA59@nist.gov> <m2v9qyz6a0.wl-randy@psg.com> <877e3ekp6w.wl-morrowc@ops-netman.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.2 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/zpFN17FIhQxw9Z0DZunm2rwMdXM>
Subject: Re: [Sidrops] WGLC for draft-ietf-sidrops-ov-egress-00.txt - ENDS 11/25/2019 (November 25 2019)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 14:33:31 -0000

> The general case here is likely that in a complex network (more than a
> few routers), it's possible to have wonky things going on. Randy's one
> example certainly is true, from a real network though I know of a case
> where SOMETIMES prefixes get their origin-as set via initial creation
> of the route (static route), and SOMETIMES the operator decided:
> 
>   "Oh, I should match on community-foo + attribute-bar and reset
>    origin-as to BLOOP"
> 
> This leads to some hilarity when attempting to sort out RPKI/ROA data :(
> 
>   "Oh, that's clearly AS-BAR because we set that on the creation of
>   the route!"
> 
> followed shortly by:
> 
>   "wait what? why is it AS-BLOOP??? WTF?"

yep

> In any case: "make the ROA you intend, all of them" is sound advice.
> Verifying prior to shipping across your peering edge sure seems like
> "being polite to the world" as well.

someone could give 500kg of complex advice to the operator who does this
stuff.  that ain't me.

the purpose of this draft is to request that the *vendors* allow origin
validation *after* all such kink.  hence the name.

randy