Minutes IETF104: sidrops
minutes-104-sidrops-00
Meeting Minutes | SIDR Operations (sidrops) WG
---|---
Date and time | 2019-03-26 08:00
Title | Minutes IETF104: sidrops
State | Active
Last updated | 2019-05-13 |
1) Randy Bush -- ov-signal
- In-band marking with extended community

Sriram K. (NIST): Evaluator does validation or router does the validation?
Randy Bush: Evaluator only.
Sriram K.: Evaluator lost RPKI connection... how does it signal router?
Randy Bush: Draft doesn't cover it.
Sriram K.: Should we cover the use case in the draft?
Randy Bush: Maybe.

2) Daniel Kopp -- Signalling Origin Validation
- In domain of IXP network where ROA validation results are forwarded from RS to its peers
- Introduce a transitive four-octet AS specific Extended Community

Jakob Heitz: Three validation states are defined and there should be the fourth state (Validation not done).
Daniel Kopp: It is missing in the draft.
Ruediger Volk: Why not have your customers do it? Extended community was chosen because large communities not there... asking for routers to implement it and implementation cycles are long before it goes in production... suggest using large community?
Daniel Kopp: Happy to adopt Large community...
Randy Bush: Agree with Ruediger Volk... suggest using Large community and same community definition...
Doug M.: IXP could offer this as service?
Daniel Kopp: Yes...
Doug M.: Makes sense...
Job Snijders: What is lacking in the draft is secure by default approach. Suggest abandoning the draft... should not be propagating validation state on eBGP.
Daniel Kopp: Do not agree.
Job Snijders: Should not propagate invalids... this makes it insecure.
Randy Bush: Trade off is whether you act for IXP member or you give IXP member more information... Question from members' POV is are you outsourcing your security.
Doug M.: Do not agree with outsourcing security.
Alexander Azimov: You do have filtering... why don't you use marking there and why ask for flexibility... what's the difference?
Daniel Kopp: Would like to standardize for everyone.
Ruediger Volk: Consider signaling for guys who sent you invalid stuff.
Keyur Patel: Any flavor or solution deployed today?
Daniel Kopp: Dropping for default... tagging is not done...

3) Ruediger Volk -- Egress-ov

Randy Bush: Whatever RFC origin clarifications became is inconvenient? We do have SNMP MIBs for dropped announcements?
Ruediger Volk: Wouldn't be interested in SNMP stats.
Randy Bush: Tagging announcements with different origin-AS to different peers.
Ruediger Volk: It would fall under weird policy primitives.
Randy Bush: My point is the hack you want is to put a check at the end of export policy so I don't have to duplicate it.
Ruediger Volk: We are in agreement.
John Scudder: Since you're telling implementors how to implement a standard make it standards based.
Andrew Dray: Please ask the implementors to show what's being dropped. Another comment I have is to enable policies per peer.
Randy Bush: The "do NOT do ROAs for routes NOT meant for DFZ" is for AS0 peers.
Ruediger Volk: You seem to think AS0 is special.
Randy Bush: Let's differentiate AS0 in path versus ROA.
Ruediger Volk: Agree.
John Scudder: The slide is completely unrelated to the presentation.
Ruediger Volk: Yes.
John Scudder: Last slide is interesting and thought provoking.
Job Snijders: There may be explanations as to why you're seeing unwanted ASes: customers make ROAs with private ASes as tags, typos, etc.
Ruediger: Only when someone presents then and only then it gets fixed...
Geoff Huston: If you really wanted to understand validity of ROA why don't you sign with AS?
Ruediger Volk: Are you suggesting we mimic where Address and AS must be signed? What I suggest is simple and straightforward.
Doug M.: Why is this stuff appearing in global RPKI... is this ignorance?
Ruediger Volk: Typos, folks not adhering to guidelines and folks not knowing what they are doing...
Doug M.: Concerned that one-off validators might clean this up but the problems may not be solved?
Ruediger Volk: Suggest a BCP.

4) Sriram K. -- Route Analysis of invalid routes

Andrey R.: How does it work? What should I input?
Sriram: We can give you a global view or a view per AS. Don't think it is ready but can facilitate that.

5) George Michaelson -- Reconsider Validation in RPKI

Rob Austein: Don't agree with the check at every level.
Di Ma: We don't use OID but we use algorithm. We can switch to new validation.
George M.: Cool.

6) George Michaelson -- Resource Tag Attestation

Job Snijders: Would like to see this move forward.

7) Oliver Borchert -- BGPSec Validation State Signaling