Skip to main content

Filtering Out RPKI Data by Type based on Enhanced SLURM Filters
draft-fu-sidrops-enhanced-slurm-filter-01

Document Type Active Internet-Draft (individual)
Authors Yu Fu , Nan Geng
Last updated 2024-07-01
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-fu-sidrops-enhanced-slurm-filter-01
sidrops                                                            Y. Fu
Internet-Draft                                              China Unicom
Intended status: Standards Track                                 N. Geng
Expires: 2 January 2025                                           Huawei
                                                             1 July 2024

    Filtering Out RPKI Data by Type based on Enhanced SLURM Filters
               draft-fu-sidrops-enhanced-slurm-filter-01

Abstract

   Simplified Local Internet Number Resource Management with the RPKI
   (SLURM) helps operators create a local view of the global RPKI by
   generating sets of filters and assertions.  This document proposes to
   filter out RPKI data by type based on enhanced SLURM filters.  Only
   the RPKI data types that the network or routers are interested in
   will appear in the Relying Party's output.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 January 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Fu & Geng                Expires 2 January 2025                 [Page 1]
Internet-Draft           Enhanced SLURM Filters                July 2024

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  Use Case  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Enhanced SLURM Filters  . . . . . . . . . . . . . . . . . . .   4
     3.1.  Design 1: RPKI Data Type Filters  . . . . . . . . . . . .   4
       3.1.1.  RPKI Data Type Filters  . . . . . . . . . . . . . . .   5
     3.2.  Design 2: Special ASNs  . . . . . . . . . . . . . . . . .   6
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   Relying Party (RP) collects signed RPKI objects from global RPKI
   publication points.  The RPKI data passing RP's validation will
   appear in RP's output.  Then, the RPKI-to-Router (RTR) protocol
   [RFC6810][RFC8210][I-D.ietf-sidrops-8210bis] will synchronize the
   validated RPKI data from RP to routers.  Currently, four types of
   RPKI data including IPv4 Prefix, IPv6 Prefix, Router Key, and ASPA
   are supported in the RTR protocol.

   However, in some cases, routers may be interested in a part of RPKI
   data types, instead of all [I-D.geng-sidrops-rtr-selective-sync].  In
   such cases, storing unused data on the router is unreasonable, and
   synchronizing all types of data will induce some unnecessary
   transmission and storage overhead.  Besides, multiple types of data
   can be transmitted together.  The router cannot use any type of these
   data unless it waits for all data to complete transmission.

   Furthermore, there may be more types of RPKI data in the RPKI
   repositories and RPs, which makes the above problem more significant
   and worse.  The followings are example types, and some of them may be
   possibly supported in the RPKI system in the future:

Fu & Geng                Expires 2 January 2025                 [Page 2]
Internet-Draft           Enhanced SLURM Filters                July 2024

   *  Secured Routing Policy Specification Language (RPSL) [RFC7909]

   *  Signed Prefix Lists [I-D.ietf-sidrops-rpki-prefixlist]

   *  Autonomous Systems Cones [I-D.ietf-grow-rpki-as-cones]

   *  Mapping Origin Authorizations (MOAs) [I-D.xie-sidrops-moa-profile]

   *  Signed SAVNET-Peering Information (SiSPI) [I-D.chen-sidrops-sispi]

   *  Path validation with RPKI [I-D.van-beijnum-sidrops-pathrpki]

   *  Signed Groupings of Autonomous System Numbers
      [I-D.spaghetti-sidrops-rpki-asgroup]

   To deal with the problem, configuring routers directly ignoring the
   uninterested RPKI data transmitted by RTR protocol may not be a good
   solution.  While storage overhead is avoided, transmission delay is
   not optimized.  Extending RTR protocol for supporting selective
   synchronization of RPKI data is an alternative solution
   [I-D.geng-sidrops-rtr-selective-sync].  Both of the two solutions
   require the upgrade of router software.

   SLURM provides a simple way to enable an RP to establish a local and
   customized view of the RPKI ([RFC8416],
   [I-D.ietf-sidrops-aspa-slurm]).  It defines Validation Output Filters
   to filter out specific RPKI data items and Locally Added Assertions
   to add RPKI data items.  Unfortunately, SLURM cannot efficiently
   filter out RPKI data by type, i.e., filter out all the RPKI data
   belonging to a specific type.

   This document proposes enhanced SLURM filters which can filter out
   RPKI data by type.  With enhanced SLURM filters, operators can
   efficiently select which type of RPKI data need to be synchronized to
   routers.

   The proposed method requires some modifications on the SLURM-related
   process of RP software.  Upgrades of RTR implementations and router
   software implementations are not involved.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

Fu & Geng                Expires 2 January 2025                 [Page 3]
Internet-Draft           Enhanced SLURM Filters                July 2024

2.  Use Case

   One of use cases is IPv6-only network.  Suppose a IPv6-only network
   wants to enable ROV on BGP border routers.  The routers should be
   only interested in IPv6-related BGP validation because the routers
   can only receive IPv6 routes from neighbor ASes.  Therefore, IPv4
   Prefix data is not useful for the network.  An example of IPv6-only
   network is New China Education and Research Network (named Future
   Internet Technology Infrastructure, FITI).

                     +------------+
                     | Rely Party |
                     +------------+
                      /          \
                     / Sync RPKI  \
                    /  data by RTR \
         +---------/----------------\---------+
   IPv6  |        /                  \        |IPv6
   routes| +----------+          +----------+ |routes
   ------->|BGP router|          |BGP router| |------>
         | +----------+          +----------+ |
         |             IPv6-only              |
         +------------------------------------+

   As described in Section 1, there may be more types of RPKI data in
   the RPKI repositories and RPs.  Thus, there will be more use cases
   where a network does not need all types of RPKI data in the future.

3.  Enhanced SLURM Filters

   This section proposes two optional designs.

3.1.  Design 1: RPKI Data Type Filters

   A SLURM file consists of a single JSON [RFC8259] object containing
   the following members:

   *  A "slurmVersion" member that MUST be set to 3, encoded as a number

   *  A "validationOutputFilters" member whose value is an object.  The
      object MUST contain exactly four members:

      -  A "prefixFilters" member, see Section 3.3.1 [RFC8416]

      -  A "bgpsecFilters" member, see section 3.3.2 [RFC8416]

      -  A "aspaFilters" member, see Section 3.1
         [I-D.ietf-sidrops-aspa-slurm]

Fu & Geng                Expires 2 January 2025                 [Page 4]
Internet-Draft           Enhanced SLURM Filters                July 2024

      -  A "typeFilters" member

   *  A "locallyAddedAssertions" member whose value is an object.  The
      object MUST contain exactly three members:

      -  A "prefixAssertions" member, see Section 3.4.1 [RFC8416]

      -  A "bgpsecAssertions" member, see Section 3.4.2 [RFC8416]

      -  A "aspaAssertions" member, see Section 3.2
         [I-D.ietf-sidrops-aspa-slurm]

   The following JSON structure with JSON members represents a SLURM
   file that has no filters or assertions:

     {
       "slurmVersion": 2,
       "validationOutputFilters": {
         "aspaFilters": [],
         "bgpsecFilters": [],
         "prefixFilters": [],
         "typeFilters": []
       },
       "locallyAddedAssertions": {
         "aspaAssertions": [],
         "bgpsecAssertions": [],
         "prefixAssertions": []
       }
     }

3.1.1.  RPKI Data Type Filters

   There are currently four types of RPKI data (which follows the RTR
   PDU definitions).  The number of data types may increase with time.

   *  IPv4 Prefix

   *  IPv6 Prefix

   *  Router Key

   *  ASPA

   The RP can configure zero or at most four RPKI Data Type Filters
   ("Type Filter" for short).  Each Type Filter contains a single
   'rpkiDataType' and optionally a single 'comment'.

Fu & Geng                Expires 2 January 2025                 [Page 5]
Internet-Draft           Enhanced SLURM Filters                July 2024

   *  The 'rpkiDataType' member MUST be one of the values, i.e., "IPv4
      Prefix", "IPv6 Prefix", "Router Key", and "ASPA".

   *  It is RECOMMENDED that an explanatory comment is included with
      each Type Filter so that it can be shown to users of the RP
      software.

   Any RPKI data item that matches any configured Type Filter MUST be
   removed from the RP's output.

   A RPKI data item is considered to match with a Type Filter if the
   following condition applies: The item is considered to match if the
   RPKI data type of the item is equal to the "rpkiDataType" value of
   Type Filter.

   The following example JSON structure represents a "typeFilter" member
   with one object as described above:

     "typeFilter": [
       {
         "rpkiDataType": "IPv4 Prefix",
         "comment": "Filter out VRPs with IPv4 Prefixes"
       }
     ]

   When a type of RPKI data is to be filtered out, the corresponding
   Filters and Assertions MUST be ignored.  In the above JSON example,
   the prefixFilters with IPv4 prefixes and the prefixAssertions with
   IPv4 prefixes will be ignored by RP.

3.2.  Design 2: Special ASNs

   A SLURM file consists of a single JSON [RFC8259] object which has the
   same structure as [I-D.ietf-sidrops-aspa-slurm], except that the
   "slurmVersion" member MUST be set to 3.

   The structure of ROA filters, BGPsec filters, and ASPA filters are
   not changed.

   To filter out a specific type of RPKI data, a special value (e.g.,
   65535.  The value is TBD) can be set to the "asn" member of the above
   filters.

   The following example JSON structure represents a "prefixFilters"
   member with one object as described above:

Fu & Geng                Expires 2 January 2025                 [Page 6]
Internet-Draft           Enhanced SLURM Filters                July 2024

     "prefixFilters": [
       {
         "asn": 65535,
         "comment": "Filter out VRPs with IPv4 and IPv6 Prefixes"
       }
     ]

   When a type of RPKI data is to be filtered out, the corresponding
   Filters and Assertions MUST be ignored.  In the above JSON example,
   the other prefixFilters and all the prefixAssertions will be ignored
   by RP.

   To filter only IPv4 Prefixes, two special values can be used, i.e.,
   one is for IPv4 and the other is for IPv6.  The concret design is
   TBD.

4.  Security Considerations

   The security considerations in Section 6 of [RFC8416] are also
   applied to this document.

5.  IANA Considerations

   This document has no IANA actions.

6.  References

6.1.  Normative References

   [RFC8416]  Ma, D., Mandelberg, D., and T. Bruijnzeels, "Simplified
              Local Internet Number Resource Management with the RPKI
              (SLURM)", RFC 8416, DOI 10.17487/RFC8416, August 2018,
              <https://www.rfc-editor.org/info/rfc8416>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

   [RFC6810]  Bush, R. and R. Austein, "The Resource Public Key
              Infrastructure (RPKI) to Router Protocol", RFC 6810,
              DOI 10.17487/RFC6810, January 2013,
              <https://www.rfc-editor.org/info/rfc6810>.

   [RFC8210]  Bush, R. and R. Austein, "The Resource Public Key
              Infrastructure (RPKI) to Router Protocol, Version 1",
              RFC 8210, DOI 10.17487/RFC8210, September 2017,
              <https://www.rfc-editor.org/info/rfc8210>.

Fu & Geng                Expires 2 January 2025                 [Page 7]
Internet-Draft           Enhanced SLURM Filters                July 2024

   [I-D.ietf-sidrops-8210bis]
              Bush, R. and R. Austein, "The Resource Public Key
              Infrastructure (RPKI) to Router Protocol, Version 2", Work
              in Progress, Internet-Draft, draft-ietf-sidrops-8210bis-
              12, 4 March 2024, <https://datatracker.ietf.org/doc/html/
              draft-ietf-sidrops-8210bis-12>.

   [I-D.geng-sidrops-rtr-selective-sync]
              Geng, N., Zhuang, S., and M. Huang, "Selective
              Synchronization for RPKI to Router Protocol", Work in
              Progress, Internet-Draft, draft-geng-sidrops-rtr-
              selective-sync-03, 29 June 2024,
              <https://datatracker.ietf.org/doc/html/draft-geng-sidrops-
              rtr-selective-sync-03>.

   [I-D.ietf-sidrops-aspa-slurm]
              Snijders, J. and B. Cartwright-Cox, "Simplified Local
              Internet Number Resource Management (SLURM) with RPKI
              Autonomous System Provider Authorizations (ASPA)", Work in
              Progress, Internet-Draft, draft-ietf-sidrops-aspa-slurm-
              01, 21 May 2024, <https://datatracker.ietf.org/doc/html/
              draft-ietf-sidrops-aspa-slurm-01>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

6.2.  Informative References

   [RFC7909]  Kisteleki, R. and B. Haberman, "Securing Routing Policy
              Specification Language (RPSL) Objects with Resource Public
              Key Infrastructure (RPKI) Signatures", RFC 7909,
              DOI 10.17487/RFC7909, June 2016,
              <https://www.rfc-editor.org/info/rfc7909>.

   [I-D.van-beijnum-sidrops-pathrpki]
              van Beijnum, I., "Path validation with RPKI", Work in
              Progress, Internet-Draft, draft-van-beijnum-sidrops-
              pathrpki-00, 20 June 2019,
              <https://datatracker.ietf.org/doc/html/draft-van-beijnum-
              sidrops-pathrpki-00>.

Fu & Geng                Expires 2 January 2025                 [Page 8]
Internet-Draft           Enhanced SLURM Filters                July 2024

   [I-D.ietf-grow-rpki-as-cones]
              Snijders, J., stucchi-lists@glevia.com, and M. Aelmans,
              "RPKI Autonomous Systems Cones: A Profile To Define Sets
              of Autonomous Systems Numbers To Facilitate BGP
              Filtering", Work in Progress, Internet-Draft, draft-ietf-
              grow-rpki-as-cones-02, 24 April 2020,
              <https://datatracker.ietf.org/doc/html/draft-ietf-grow-
              rpki-as-cones-02>.

   [I-D.spaghetti-sidrops-rpki-asgroup]
              Snijders, J. and F. Korsbäck, "A profile for RPKI Signed
              Groupings of Autonomous System Numbers (ASGroup)", Work in
              Progress, Internet-Draft, draft-spaghetti-sidrops-rpki-
              asgroup-00, 16 November 2022,
              <https://datatracker.ietf.org/doc/html/draft-spaghetti-
              sidrops-rpki-asgroup-00>.

   [I-D.ietf-sidrops-rpki-prefixlist]
              Snijders, J. and G. Huston, "A profile for Signed Prefix
              Lists for Use in the Resource Public Key Infrastructure
              (RPKI)", Work in Progress, Internet-Draft, draft-ietf-
              sidrops-rpki-prefixlist-03, 21 March 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-
              rpki-prefixlist-03>.

   [I-D.xie-sidrops-moa-profile]
              Xie, C., Dong, G., Li, X., Huston, G., and D. Ma, "A
              Profile for Mapping Origin Authorizations (MOAs)", Work in
              Progress, Internet-Draft, draft-xie-sidrops-moa-profile-
              05, 15 June 2024, <https://datatracker.ietf.org/doc/html/
              draft-xie-sidrops-moa-profile-05>.

   [I-D.chen-sidrops-sispi]
              Chen, L., Liu, L., Li, D., and L. Qin, "A Profile of
              Signed SAVNET-Peering Information (SiSPI) Object for
              Deploying Inter-domain SAVNET", Work in Progress,
              Internet-Draft, draft-chen-sidrops-sispi-00, 22 February
              2024, <https://datatracker.ietf.org/doc/html/draft-chen-
              sidrops-sispi-00>.

Acknowledgements

   TBD

Authors' Addresses

Fu & Geng                Expires 2 January 2025                 [Page 9]
Internet-Draft           Enhanced SLURM Filters                July 2024

   Yu Fu
   China Unicom
   Beijing
   China
   Email: fuy186@chinaunicom.cn

   Nan Geng
   Huawei
   Beijing
   China
   Email: gengnan@huawei.com

Fu & Geng                Expires 2 January 2025                [Page 10]