Minutes IETF104: sidrops
minutes-104-sidrops-00

Meeting Minutes: SIDR Operations (sidrops) WG
Date and time: 2019-03-26 08:00
State: Active
Last updated: 2019-05-13

1) Randy Bush -- ov-signal
- In band marking with extended community:
Sriram K. (NIST): Evaluator does validation or router does the validation?
Randy Bush: Evaluator only
Sriram K.: Evaluator lost RPKI connection.. how does it signal router
Randy Bush: Draft doesn't cover it.
Sriram K.: Should we cover the use case in the draft?
Randy Bush: Maybe.

2) Daniel Kopp -- Signalling Origin Validation
- In domain of IXP network where ROA validation results are forwarded from RS to its peers
- Introduce a transitive four-octet AS specific Extended Community
Jakob Heitz: Three validation states are defined and there should be the fourth state (Validation not done)
Daniel Kopp: It is missing in the draft
Ruediger Volk: Why not have your customers do it? Extended community was chosen because large communities not there... asking for routers to implement it and implementation cycles are long before it goes in production.. suggest using large community?
Daniel Kopp: Happy to adopt Large community..
Randy Bush: Agree with Ruediger Volk.. suggest using Large community and same community definition..
Doug M: IXP could offer this as service?
Daniel Kopp: Yes..
Doug M: makes sense...
Job Snijders: What is lacking in the draft is secure by default approach. Suggest abandoning the draft.. should not be propagating validation state on eBGP
Daniel Kopp: Do not agree.
Job Snijders: Should not propagate invalids.. this makes it insecure
Randy Bush: Trade off is whether you act for IXP member or you give IXP member more information.. Question from members' POV is are you outsourcing your security.
Doug M: Do not agree with outsourcing security.
Alexander Azimov: You do have filtering.. why don't you use marking there and why ask for flexibility... what's the difference?
Daniel Kopp: Would like to standardize for everyone.
Ruediger Volk: Consider signaling for guys who sent you invalid stuff.
Keyur Patel: Any flavor or solution deployed today?
Daniel Kopp: Dropping for default.. tagging is not done...

3) Ruediger Volk -- Egress-ov
Randy Bush: Whatever RFC origin clarifications became is inconvenient? We do have SNMP MIBs for dropped announcements?
Ruediger Volk: Wouldn't be interested in SNMP stats
Randy Bush: Tagging announcements with different origin-as to different peers.
Ruediger Volk: It would fall under weird policy primitives
Randy Bush: My point is the hack you want is to put a check at the end of export policy so I don't have to duplicate it.
Ruediger Volk: We are in agreement.
John Scudder: Since you're telling implementors how to implement a standard make it standards based.
Andrew Dray: Please ask the implementors to show what's being dropped. Another comment I have is to enable policies per peer.
Randy Bush: The "do NOT do ROAs for routes NOT meant for DFZ" is for AS0 peers
Ruediger Volk: You seem to think AS0 is special
Randy Bush: Let's differentiate AS0 in path versus ROA
Ruediger Volk: Agree.
John Scudder: The slide is completely unrelated to the presentation
Ruediger Volk: Yes
John Scudder: Last slide is interesting and thought provoking
Job Snijders: There may be explanations as to why you're seeing unwanted ASes: customers make ROAs with private ASes as tags, typos, etc.
Ruediger: Only when someone presents then and only then it gets fixed...
Geoff Huston: If you really wanted to understand validity of ROA why don't you sign with AS
Ruediger Volk: Are you suggesting we mimic where Address and AS must be signed. What I suggest is simple and straightforward.
Doug M.: Why is this stuff appearing in global RPKI.. is this ignorance?
Ruediger Volk: Typos, folks not adhering to guidelines and folks not knowing what they are doing..
Doug M.: Concerned that one off validators might clean this up but the problems may not be solved?
Ruediger Volk: Suggest a BCP

4) Sriram K. -- Route Analysis of invalid routes.
Andrey R.: How does it work? What should I input?
Sriram: We can give you a global view or a view per AS. Don't think it is ready but can facilitate that.

5) George Michaelson -- Reconsider Validation in RPKI
Rob Austein: Don't agree with the check at every level.
Di Ma: We don't use OID but we use algorithm. We can switch to new validation.
George M.: Cool

6) George Michaelson -- Resource Tag Attestation
Job Snijders: Would like to see this move forward.

7) Oliver Borchert -- BGPSec Validation State Signaling