Filtering Out RPKI Data by Type based on Enhanced SLURM Filters
draft-fu-sidrops-enhanced-slurm-filter-01
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
Document | Type | Active Internet-Draft (individual) | |
---|---|---|---|
Authors | Yu Fu , Nan Geng | ||
Last updated | 2024-07-01 | ||
RFC stream | (None) | ||
Intended RFC status | (None) | ||
Formats | |||
Stream | Stream state | (No stream defined) | |
Consensus boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | I-D Exists | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
draft-fu-sidrops-enhanced-slurm-filter-01
sidrops Y. Fu Internet-Draft China Unicom Intended status: Standards Track N. Geng Expires: 2 January 2025 Huawei 1 July 2024 Filtering Out RPKI Data by Type based on Enhanced SLURM Filters draft-fu-sidrops-enhanced-slurm-filter-01 Abstract Simplified Local Internet Number Resource Management with the RPKI (SLURM) helps operators create a local view of the global RPKI by generating sets of filters and assertions. This document proposes to filter out RPKI data by type based on enhanced SLURM filters. Only the RPKI data types that the network or routers are interested in will appear in the Relying Party's output. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 2 January 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. Fu & Geng Expires 2 January 2025 [Page 1] Internet-Draft Enhanced SLURM Filters July 2024 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Enhanced SLURM Filters . . . . . . . . . . . . . . . . . . . 4 3.1. Design 1: RPKI Data Type Filters . . . . . . . . . . . . 4 3.1.1. RPKI Data Type Filters . . . . . . . . . . . . . . . 5 3.2. Design 2: Special ASNs . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 6.1. Normative References . . . . . . . . . . . . . . . . . . 7 6.2. Informative References . . . . . . . . . . . . . . . . . 8 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction Relying Party (RP) collects signed RPKI objects from global RPKI publication points. The RPKI data passing RP's validation will appear in RP's output. Then, the RPKI-to-Router (RTR) protocol [RFC6810][RFC8210][I-D.ietf-sidrops-8210bis] will synchronize the validated RPKI data from RP to routers. Currently, four types of RPKI data including IPv4 Prefix, IPv6 Prefix, Router Key, and ASPA are supported in the RTR protocol. However, in some cases, routers may be interested in a part of RPKI data types, instead of all [I-D.geng-sidrops-rtr-selective-sync]. In such cases, storing unused data on the router is unreasonable, and synchronizing all types of data will induce some unnecessary transmission and storage overhead. Besides, multiple types of data can be transmitted together. The router cannot use any type of these data unless it waits for all data to complete transmission. Furthermore, there may be more types of RPKI data in the RPKI repositories and RPs, which makes the above problem more significant and worse. The followings are example types, and some of them may be possibly supported in the RPKI system in the future: Fu & Geng Expires 2 January 2025 [Page 2] Internet-Draft Enhanced SLURM Filters July 2024 * Secured Routing Policy Specification Language (RPSL) [RFC7909] * Signed Prefix Lists [I-D.ietf-sidrops-rpki-prefixlist] * Autonomous Systems Cones [I-D.ietf-grow-rpki-as-cones] * Mapping Origin Authorizations (MOAs) [I-D.xie-sidrops-moa-profile] * Signed SAVNET-Peering Information (SiSPI) [I-D.chen-sidrops-sispi] * Path validation with RPKI [I-D.van-beijnum-sidrops-pathrpki] * Signed Groupings of Autonomous System Numbers [I-D.spaghetti-sidrops-rpki-asgroup] To deal with the problem, configuring routers directly ignoring the uninterested RPKI data transmitted by RTR protocol may not be a good solution. While storage overhead is avoided, transmission delay is not optimized. Extending RTR protocol for supporting selective synchronization of RPKI data is an alternative solution [I-D.geng-sidrops-rtr-selective-sync]. Both of the two solutions require the upgrade of router software. SLURM provides a simple way to enable an RP to establish a local and customized view of the RPKI ([RFC8416], [I-D.ietf-sidrops-aspa-slurm]). It defines Validation Output Filters to filter out specific RPKI data items and Locally Added Assertions to add RPKI data items. Unfortunately, SLURM cannot efficiently filter out RPKI data by type, i.e., filter out all the RPKI data belonging to a specific type. This document proposes enhanced SLURM filters which can filter out RPKI data by type. With enhanced SLURM filters, operators can efficiently select which type of RPKI data need to be synchronized to routers. The proposed method requires some modifications on the SLURM-related process of RP software. Upgrades of RTR implementations and router software implementations are not involved. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Fu & Geng Expires 2 January 2025 [Page 3] Internet-Draft Enhanced SLURM Filters July 2024 2. Use Case One of use cases is IPv6-only network. Suppose a IPv6-only network wants to enable ROV on BGP border routers. The routers should be only interested in IPv6-related BGP validation because the routers can only receive IPv6 routes from neighbor ASes. Therefore, IPv4 Prefix data is not useful for the network. An example of IPv6-only network is New China Education and Research Network (named Future Internet Technology Infrastructure, FITI). +------------+ | Rely Party | +------------+ / \ / Sync RPKI \ / data by RTR \ +---------/----------------\---------+ IPv6 | / \ |IPv6 routes| +----------+ +----------+ |routes ------->|BGP router| |BGP router| |------> | +----------+ +----------+ | | IPv6-only | +------------------------------------+ As described in Section 1, there may be more types of RPKI data in the RPKI repositories and RPs. Thus, there will be more use cases where a network does not need all types of RPKI data in the future. 3. Enhanced SLURM Filters This section proposes two optional designs. 3.1. Design 1: RPKI Data Type Filters A SLURM file consists of a single JSON [RFC8259] object containing the following members: * A "slurmVersion" member that MUST be set to 3, encoded as a number * A "validationOutputFilters" member whose value is an object. The object MUST contain exactly four members: - A "prefixFilters" member, see Section 3.3.1 [RFC8416] - A "bgpsecFilters" member, see section 3.3.2 [RFC8416] - A "aspaFilters" member, see Section 3.1 [I-D.ietf-sidrops-aspa-slurm] Fu & Geng Expires 2 January 2025 [Page 4] Internet-Draft Enhanced SLURM Filters July 2024 - A "typeFilters" member * A "locallyAddedAssertions" member whose value is an object. The object MUST contain exactly three members: - A "prefixAssertions" member, see Section 3.4.1 [RFC8416] - A "bgpsecAssertions" member, see Section 3.4.2 [RFC8416] - A "aspaAssertions" member, see Section 3.2 [I-D.ietf-sidrops-aspa-slurm] The following JSON structure with JSON members represents a SLURM file that has no filters or assertions: { "slurmVersion": 2, "validationOutputFilters": { "aspaFilters": [], "bgpsecFilters": [], "prefixFilters": [], "typeFilters": [] }, "locallyAddedAssertions": { "aspaAssertions": [], "bgpsecAssertions": [], "prefixAssertions": [] } } 3.1.1. RPKI Data Type Filters There are currently four types of RPKI data (which follows the RTR PDU definitions). The number of data types may increase with time. * IPv4 Prefix * IPv6 Prefix * Router Key * ASPA The RP can configure zero or at most four RPKI Data Type Filters ("Type Filter" for short). Each Type Filter contains a single 'rpkiDataType' and optionally a single 'comment'. Fu & Geng Expires 2 January 2025 [Page 5] Internet-Draft Enhanced SLURM Filters July 2024 * The 'rpkiDataType' member MUST be one of the values, i.e., "IPv4 Prefix", "IPv6 Prefix", "Router Key", and "ASPA". * It is RECOMMENDED that an explanatory comment is included with each Type Filter so that it can be shown to users of the RP software. Any RPKI data item that matches any configured Type Filter MUST be removed from the RP's output. A RPKI data item is considered to match with a Type Filter if the following condition applies: The item is considered to match if the RPKI data type of the item is equal to the "rpkiDataType" value of Type Filter. The following example JSON structure represents a "typeFilter" member with one object as described above: "typeFilter": [ { "rpkiDataType": "IPv4 Prefix", "comment": "Filter out VRPs with IPv4 Prefixes" } ] When a type of RPKI data is to be filtered out, the corresponding Filters and Assertions MUST be ignored. In the above JSON example, the prefixFilters with IPv4 prefixes and the prefixAssertions with IPv4 prefixes will be ignored by RP. 3.2. Design 2: Special ASNs A SLURM file consists of a single JSON [RFC8259] object which has the same structure as [I-D.ietf-sidrops-aspa-slurm], except that the "slurmVersion" member MUST be set to 3. The structure of ROA filters, BGPsec filters, and ASPA filters are not changed. To filter out a specific type of RPKI data, a special value (e.g., 65535. The value is TBD) can be set to the "asn" member of the above filters. The following example JSON structure represents a "prefixFilters" member with one object as described above: Fu & Geng Expires 2 January 2025 [Page 6] Internet-Draft Enhanced SLURM Filters July 2024 "prefixFilters": [ { "asn": 65535, "comment": "Filter out VRPs with IPv4 and IPv6 Prefixes" } ] When a type of RPKI data is to be filtered out, the corresponding Filters and Assertions MUST be ignored. In the above JSON example, the other prefixFilters and all the prefixAssertions will be ignored by RP. To filter only IPv4 Prefixes, two special values can be used, i.e., one is for IPv4 and the other is for IPv6. The concret design is TBD. 4. Security Considerations The security considerations in Section 6 of [RFC8416] are also applied to this document. 5. IANA Considerations This document has no IANA actions. 6. References 6.1. Normative References [RFC8416] Ma, D., Mandelberg, D., and T. Bruijnzeels, "Simplified Local Internet Number Resource Management with the RPKI (SLURM)", RFC 8416, DOI 10.17487/RFC8416, August 2018, <https://www.rfc-editor.org/info/rfc8416>. [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, <https://www.rfc-editor.org/info/rfc8259>. [RFC6810] Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol", RFC 6810, DOI 10.17487/RFC6810, January 2013, <https://www.rfc-editor.org/info/rfc6810>. [RFC8210] Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1", RFC 8210, DOI 10.17487/RFC8210, September 2017, <https://www.rfc-editor.org/info/rfc8210>. Fu & Geng Expires 2 January 2025 [Page 7] Internet-Draft Enhanced SLURM Filters July 2024 [I-D.ietf-sidrops-8210bis] Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 2", Work in Progress, Internet-Draft, draft-ietf-sidrops-8210bis- 12, 4 March 2024, <https://datatracker.ietf.org/doc/html/ draft-ietf-sidrops-8210bis-12>. [I-D.geng-sidrops-rtr-selective-sync] Geng, N., Zhuang, S., and M. Huang, "Selective Synchronization for RPKI to Router Protocol", Work in Progress, Internet-Draft, draft-geng-sidrops-rtr- selective-sync-03, 29 June 2024, <https://datatracker.ietf.org/doc/html/draft-geng-sidrops- rtr-selective-sync-03>. [I-D.ietf-sidrops-aspa-slurm] Snijders, J. and B. Cartwright-Cox, "Simplified Local Internet Number Resource Management (SLURM) with RPKI Autonomous System Provider Authorizations (ASPA)", Work in Progress, Internet-Draft, draft-ietf-sidrops-aspa-slurm- 01, 21 May 2024, <https://datatracker.ietf.org/doc/html/ draft-ietf-sidrops-aspa-slurm-01>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. 6.2. Informative References [RFC7909] Kisteleki, R. and B. Haberman, "Securing Routing Policy Specification Language (RPSL) Objects with Resource Public Key Infrastructure (RPKI) Signatures", RFC 7909, DOI 10.17487/RFC7909, June 2016, <https://www.rfc-editor.org/info/rfc7909>. [I-D.van-beijnum-sidrops-pathrpki] van Beijnum, I., "Path validation with RPKI", Work in Progress, Internet-Draft, draft-van-beijnum-sidrops- pathrpki-00, 20 June 2019, <https://datatracker.ietf.org/doc/html/draft-van-beijnum- sidrops-pathrpki-00>. Fu & Geng Expires 2 January 2025 [Page 8] Internet-Draft Enhanced SLURM Filters July 2024 [I-D.ietf-grow-rpki-as-cones] Snijders, J., stucchi-lists@glevia.com, and M. Aelmans, "RPKI Autonomous Systems Cones: A Profile To Define Sets of Autonomous Systems Numbers To Facilitate BGP Filtering", Work in Progress, Internet-Draft, draft-ietf- grow-rpki-as-cones-02, 24 April 2020, <https://datatracker.ietf.org/doc/html/draft-ietf-grow- rpki-as-cones-02>. [I-D.spaghetti-sidrops-rpki-asgroup] Snijders, J. and F. Korsbäck, "A profile for RPKI Signed Groupings of Autonomous System Numbers (ASGroup)", Work in Progress, Internet-Draft, draft-spaghetti-sidrops-rpki- asgroup-00, 16 November 2022, <https://datatracker.ietf.org/doc/html/draft-spaghetti- sidrops-rpki-asgroup-00>. [I-D.ietf-sidrops-rpki-prefixlist] Snijders, J. and G. Huston, "A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI)", Work in Progress, Internet-Draft, draft-ietf- sidrops-rpki-prefixlist-03, 21 March 2024, <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops- rpki-prefixlist-03>. [I-D.xie-sidrops-moa-profile] Xie, C., Dong, G., Li, X., Huston, G., and D. Ma, "A Profile for Mapping Origin Authorizations (MOAs)", Work in Progress, Internet-Draft, draft-xie-sidrops-moa-profile- 05, 15 June 2024, <https://datatracker.ietf.org/doc/html/ draft-xie-sidrops-moa-profile-05>. [I-D.chen-sidrops-sispi] Chen, L., Liu, L., Li, D., and L. Qin, "A Profile of Signed SAVNET-Peering Information (SiSPI) Object for Deploying Inter-domain SAVNET", Work in Progress, Internet-Draft, draft-chen-sidrops-sispi-00, 22 February 2024, <https://datatracker.ietf.org/doc/html/draft-chen- sidrops-sispi-00>. Acknowledgements TBD Authors' Addresses Fu & Geng Expires 2 January 2025 [Page 9] Internet-Draft Enhanced SLURM Filters July 2024 Yu Fu China Unicom Beijing China Email: fuy186@chinaunicom.cn Nan Geng Huawei Beijing China Email: gengnan@huawei.com Fu & Geng Expires 2 January 2025 [Page 10]