
Minutes IETF102: sidrops
minutes-102-sidrops-00

Meeting Minutes SIDR Operations (sidrops) WG
Date and time 2018-07-16 17:30
Title Minutes IETF102: sidrops
State Active
Last updated 2018-07-17

Morrow/Keyur, chairs

Note Well shown

Agenda 

- Sharon Goldberg

  presented her slides

Questions:
- Alexander Azimov/Qrator Labs
  Q: How do we want to handle blackholing (/32s)?

- Job Snijders/NTT
  A: We want to accept more specifics that are invalid if they
     match community but are only invalid due to MaxLength

- RV/DT
  Some people may take this as misleading, the first and major message
  is to tell people you should not publish ROAs that are meant for global
  distribution.  Everything that you publish that does not appear is an
  invitation to announce that prefix.

  I doubt that blackholing has reach to go very far.

- Warren Kumari (without any hats)
  If I announce a /20 and I never mean to announce a /24, and I'm
  hijacked, I may not have a way to counteract this.

Sharon: Some people are validating at present.

- Randy Bush
  There are ways to resolve this with RPKI-RTR, and it uses memory and CPU
  but the costs aren't that high.

Sharon: We want to limit misconfigurations, that's the thought process.
  Comments on-list please, we are doing editorial passes then going to ask
  for WGLC.


- Randy Bush 

  Origin Validation Signaling

  Premise: It may not be necessary for everyone within the trust boundary
  to do validation in each device.

  Route-reflectors are a good use-case where they can learn the trust 
  information.


Q: Job Snijders/NTT

  Instead of using communities, use another AFI to communicate invalids
  instead of replaying a message back with community, this AFI can be
  restricted for iBGP

Q: Martin/Cloudflare

  Have you considered an out-of-band method?  Similar to certificate
  transparency.

Randy: It's a simple way with no new protocol.

  Q: Only focus on BGP method?  A: Yes

Q: John Scudder/Juniper

  Does the draft address instability problem?    A: No

Q: Keyur Patel/Arrcus

  The route reflector just does the clarification.

Q: Doug Montgomery/NIST

  Just to be clear, when I get back invalid I treat all prefixes from the
  reflector as invalid?

  A: No, just the prefix+as_path

Q: Jeff Haas/Juniper

  We want this at rib-in vs rib-out

  Randy: This adds delay to rib-in path

  origin validation today, use same method for bgpsec?

Q: Job/NTT

  In the case no-advertise is used there may be problems

Q: Jared Mauch/Akamai
  You can match on no-advertise and deal with it

Alexander / Qrator


Q: John Scudder/Juniper
  1) ..?

  2) How soBGP got it wrong, suggest you drop that part.

Q: Sriram/NIST

  Have you thought about an AS that has lateral relationship where in US
  it's peering, but in europe it's customer relationship?

  A: Just create symmetrical ASPAs

Q: Randy Bush/IIJ

  This has the two major problems of soBGP of over-revealing relationships,
  but also per-prefix basis.

Q: Warren Kumari/Google

  We have a document to deprecate AS-SETs, should end up in IDR.

Presenter: George Michaelson

Q: Chris Morrow/Google

  It seems you are proposing contacting 500 people that are fetching.

  A: There is some subset that are web bots.

  There are likely some folks in-region that know what's going on
  and can be communicated to them.

  A: If software authors don't move, we're still stuck in triangle.

Rob Austein/(DRL?):

  There are more than 3 choices, and one is to do nothing.

  Please come with a draft next time.

  This is a cost-transfer as well.  This is just one of many ways an RIR
  may cause operational issues.

Tim/NLNET Labs

  Version 2 of validator implemented reconsidered draft but as a global
  setting vs a per-region.

  It can likely be done with version 3.

  If there is a new OID, there would have to be an update to support it.

  This isn't an excuse to cause overclaims

  Good idea to reach to operator community.

Q: Randy Bush/IIJ/...

  Operators should think about what?  If we are going to do something
  we need to start soon.  A document would be useful so we can start.

Q: RV/DT

  How well is the required communication occurring?  This is the right
  group to discuss things that are being deployed.  Having a document
  to be scrutinized here would be useful.

Q: Randy Bush/IIJ

  There is a list where people discuss operations

Q: Tim/

  I do think it's good to talk to operators that aren't in the room, but
  having a good understanding of what it is should be had amongst relying
  party builders.

Presenter: Randy Bush/IIJ

  We are responsible for our own actions, god is not.

  There is no TAL roll procedure

Q: Job Snijders/NTT

  Please go back to 3rd slide

  This is not how it looks when it is installed.
  The ARIN TAL will not be there

  A: This is obviously true.  There is another TAL that I apparently manually
  installed.

  K-Root may be validating soon.  I asked ARIN to do origin validation as well.

  Randy: We need to do what we can do to make things more resilient.

Q: ??/RIPE

  We will be doing origin validation.


Presenter: Tim

  Second the issue that we need to be able to roll the TAL.

  
Q: Rob Austein/?
  The TTL part, we should learn from
  We should also come up with process to do emergency key rolls.


Q: Warren Kumari/Google

  A lot of people think DNSSEC should have a trust thing

Q: Rob Austein/

  To protect against what?

  We already have to ignore AIAs for key rolls.

  I support this.

end 1514 local