Minutes IETF117: sidrops: Tue 00:30
minutes-117-sidrops-202307250030-00
Meeting Minutes | SIDR Operations (sidrops) WG
---|---
Date and time | 2023-07-25 00:30
Title | Minutes IETF117: sidrops: Tue 00:30
State | Active
Last updated | 2023-07-26
1) Chairs discussion
Chairs discuss requiring an implementation report.
[Geoff Huston]: This is a difficult task and should not be a
requirement.
[Keyur Patel]: This has worked well.
2) Geoff Huston - [10 minutes]
A profile for RPKI Signed Lists of Prefixes
https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-prefixlist-00.txt
Discussion:
[Rudiger]: Routed objects do not have sign
[Warren]: If AS42 can announce via the ROA. When AS42
[Rudiger]: The proposal delivers in absence of BGPsec
the ROA protects a different AS announcement.
[Warren]: I do not want AS42 to announce, I do not list in the ROA.
[Ben Madison]: This is not a good mechanism for solving this
problem. We need to make sure that the peer announcing
is allowed to announce.
[Geoff]: If we wait for full ROA deployment, you and I will be dead
(smile). This is a port of the route object into this world that is a
one-to-one issue.
[Ben Madison]: This is useful because we have a bunch of static (worst
case) scenarios and "dynamic filters". If we are going to use this as a
replacement for IRR static, then we need to have validation on it.
[Geoff]: All information is in the IRR, and this is a small addition.
[Ben Madison]: If the RPKI information goes away, then a stable
backstop is provided by the IRR. We need this backstop. Route-sets may
replace the stable backstop. We need to have a "fail-closed".
[Job Snijders]: It is my goal to move this community away from unsecured
ASCII text. To answer Rudiger, this is so simple to implement it seems
worthwhile. We can now cover prefixes that are not covered by ROA.
[Ties de Kock]: What are we mitigating with this effort?
[Geoff]: It takes the place of unsigned and unvalidated data in the IRR.
[Sriram]: Compare this to Route-Object in IRR. It is signed.
[Geoff]: It is the same thing. Read the simple draft. If it is
adopted, please offer improvements.
3) Sriram Kotikalapudi - [5 minutes]
BGP AS_PATH Verification Based on ASPA Objects
https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification-15.txt
4) Oliver Borchert - [10 minutes]
Human Readable Validate ROA Payload Notation
https://datatracker.ietf.org/doc/draft-timbru-sidrops-vrp-notation-00.txt
Human Readable ASPA Notation
https://datatracker.ietf.org/doc/draft-timbru-sidrops-aspa-notation-01.txt
Discussion:
[Oliver]: requesting WG adoption.
[Jeff Haas]: Are you going to transfer this to YANG? If so, how are
you translating to YANG?
[Jeff Haas]: I'll send comments on this to the list. You will also
want to talk about sorting for this issue.
[Rudiger]: The syntax does not look very complete. The sorting syntax
needs to be added.
[Oliver]: We can add sorting.
5) Ties de Kock - [5 minutes]
RPKI Publication Server Best Current Practices
https://www.ietf.org/id/draft-timbru-sidrops-publication-server-bcp-01.txt
6) Job Snijders - [10 minutes]
On the use of the CMS signing-time attribute in RPKI Signed Objects
https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-cms-signing-time-01.txt
Discussion:
[Job]: Offers a mechanism for making failing over from RRDP to RSYNC
more simple.
[Ties de Kock]: Where can we get better recording of the signing time?
The timestamp is in all certificates. The CA can use the notBefore time
from the single-use certificate that will be used to validate the
signature on signed objects.
[Job]: Both would work. I would like to see an improvement in the
signed layers. It is a tiny optimization if you can get better signing
time from the CMS SignerInfo. There is a good benefit if you use the CMS
signing time as the single signing time. It does not matter if you use
CMS or the notBefore from the certificate. It is only important that
everyone use the same one.
[Ties de Kock]: It seems to me that CMS signing time will work.
[Warren]: You would sign it, and it goes to a file, so the mtime will
be roughly the same.
[Job]: Some implementations use a file and other implementations write
it in a database.
[Ties de Kock]: Need to pull a value from inside the signed object.
[Ben Madison]: You just need a signing time. If we are going to keep
the CMS signing time around, it is useful to have it as a purpose. It is
the right choice to use CMS signing time.
[Oliver]: We have an implementation at NIST that needs to be updated to
align with this.
[Job]: My apology. There are multiple software implementations that
are deployed.
7) Job Snijders - [5 minutes]
A Profile for ASPA
https://www.ietf.org/archive/id/draft-ietf-sidrops-aspa-profile-16.txt
8) Yangfei Guo - [5 minutes]
An RPKI and IPsec-based AS-to-AS Approach for Source Address Validation
https://datatracker.ietf.org/doc/html/draft-xu-ipsecme-risav-02.txt
Discussion:
[Job]: This should be progressed in IPSECME, but reviewed in SIDROPS.