Minutes IETF102: sidrops
minutes-102-sidrops-00
| Meeting Minutes | SIDR Operations (sidrops) WG |
|---|---|
| Title | Minutes IETF102: sidrops |
| State | Active |
| Last updated | 2018-07-17 |
Chairs: Morrow/Keyur
Note Well shown
Agenda
- Sharon Goldberg
presented her slides
Questions:
- Alexander Azimov/Qrator Labs
Q: How do we want to handle blackholing (/32s)
- Job Snijders/NTT
A: We want to accept more specifics that are invalid if they
match community but are only invalid due to MaxLength
- RV/DT
Some people may take this as misleading, the first and major message
is to tell people you should not publish ROAs that are meant for global
distribution. Everything that you publish that does not appear is an
invitation to announce that prefix.
I doubt that blackholing has reach to go very far.
- Warren Kumari (without any hats)
If I announce a /20 and I never mean to announce a /24, and I'm
hijacked, I may not have a way to counteract this.
Sharon: Some people are validating at present.
- Randy Bush
There are ways to resolve this with RPKI-RTR, and it uses memory and CPU
but the costs aren't that high.
Sharon: We want to limit misconfigurations, that's the thought process.
Comments on-list please, we are doing editorial passes then going to ask
for WGLC.
- Randy Bush
Origin Validation Signaling
Premise: It may not be necessary for everyone within the trust boundary
to do validation in each device.
Route-reflectors are a good use-case where they can learn the trust
information.
Q: Job Snijders/NTT
Instead of using communities, use another AFI to communicate invalids
instead of replaying a message back with community, this AFI can be
restricted for iBGP
Q: Mahtin/Cloudflare
Have you considered an out-of-band method? Similar to certificate
transparency.
Randy: It's a simple way with no new protocol.
Q: Only focus on BGP method? A: Yes
Q: John Scudder/Juniper
Does the draft address instability problem? A: No
Q: Keyur Patel/Arrcus
The route reflector just does the clarification.
Q: Doug Montgomery/NIST
Just to be clear, when I get back invalid I treat all prefixes from the
reflector as invalid?
A: No, just the prefix+as_path
Q: Jeff Haas/Juniper
We want this at rib-in vs rib-out
Randy: This adds delay to rib-in path
origin validation today, use same method for BGPsec?
Q: Job/NTT
In the case no-advertise is used there may be problems
Q: Jared Mauch/Akamai
You can match on no-advertise and deal with it
Alexander / Qrator
Q: John Scudder/Juniper
1) ..?
2) How soBGP got it wrong, suggest you drop that part.
Q: Sriram/NIST
Have you thought about an AS that has lateral relationship where in US
it's peering, but in europe it's customer relationship?
A: Just create symmetrical ASPAs
Q: Randy Bush/IIJ
This has the two major problems of soBGP of over-revealing relationships,
but also per-prefix basis.
Q: Warren Kumari/Google
We have a document to deprecate AS-SETs, should end up in IDR.
Presenter: George Michaleson
Q: Chris Morrow/Google
It seems you are proposing contacting 500 people that are fetching.
A: There is some subset that are web bots.
There are likely some folks in-region that know what's going on
and can be communicated to them.
A: If software authors don't move, we're still stuck in triangle.
Rob Austein/(DRL?):
There are more than 3 choices, and one is to do nothing.
Please come with a draft next time.
This is a cost-transfer as well. This is just one of many ways an RIR
may cause operational issues.
Tim/NLNET Labs
Version 2 of validator implemented reconsidered draft but as a global
setting vs a per-region.
It can likely be done with version 3.
If there is a new OID, there would have to be an update to support it.
This isn't an excuse to cause overclaims
Good idea to reach to operator community.
Q: Randy Bush/IIJ/...
Operators should think about what? If we are going to do something
we need to start soon. A document would be useful so we can start.
Q: RV/DT
How well is the required communication occurring? This is the right
group to discuss things that are being deployed. Having a document
to be scrutinized here would be useful.
Q: Randy Bush/IIJ
There is a list where people discuss operations
Q: Tim/
I do think it's good to talk to operators that aren't in the room, but
having a good understanding of what it is should be had amongst relying
party builders.
Presenter: Randy Bush/IIJ
We are responsible for our own actions, god is not.
There is no TAL roll procedure
Q: Job Snijders/NTT
Please go back to 3rd slide
This is not how it looks when it is installed.
The ARIN TAL will not be there
A: This is obviously true. There is another TAL that I apparently manually
installed.
K-Root may be validating soon. I asked ARIN to do origin validation as well.
Randy: We need to do what we can do to make things more resilient.
Q: ??/RIPE
We will be doing origin validation.
Presenter: Tim
Second the issue that we need to be able to roll the TAL.
Q: Rob Austein/?
The TTL part, we should learn from
We should also come up with process to do emergency key rolls.
Q: Warren Kumari/Google
A lot of people think DNSSEC should have a trust thing
Q: Rob Austein/
To protect against what?
We already have to ignore AIAs for key rolls.
I support this.
end 1514 local