Minutes IETF120: sidrops: Tue 22:30
minutes-120-sidrops-202407232230-00
Meeting Minutes | SIDR Operations (sidrops) WG | |
---|---|---|
Date and time | 2024-07-23 22:30 | |
Title | Minutes IETF120: sidrops: Tue 22:30 | |
State | Active | |
Other versions | markdown | |
Last updated | 2024-07-31 |
SIDROPS at IETF-120
Tuesday, July 23, 2024 15:30-17:00 Local Time in Canada (GMT-7)
Room: Plaza B
1) Agenda bashing and Chair's slides
Job: Need to be bit more orgnized while setting up the agenda
Russ: Ack, we'll put some process in place to better manage cfp
2) Tim Bruijnzeels - draft-timbru-sidrops-publication-server-bcp-02
Tim: pub server BCP
Tim: RFC 8181, different impact of outage compared to repos
RRDP:
- ensure deltas and snapshots are available before notification file
- Beware of bad feedback loop in case of all reverting to snapshots
- Usage of CDN recommended
RSYNC: - symlink to latest content
- deterministic timestamps
RIR / NIR pub server RECOMMENDED
- Use them if available
Expected for -01
- discuss some nasty corner cases
- document pub server restore scenarios
Some topics out of scope
Mic Line:
Ben Maddison: quotas out of scope in your previous slide, seems fairly
obvious to be in scope. Why ?
Tim: Not only that, other topics left also out of scope, you dont have
good ways to communicate some of these parameters in-band
Ben: ...missed that(carlos)...
Niklas Vogel: publication at the RIRs, is it the point of rpki to be
more centralized or good it bee good for others to operate pub servers
Tim: even you have centralized pub servers the keys are in held by
users, currently only pub in one place. Maybe in future other things can
be though of
Job: what we want is that pub servers are monitored and operated
appropiately, the less pub servers the better.
3) Alexander Azimov - ASPA documents update
... hard to understand for me...
ASPA Profile:
Experiment about processing many routers , does not affect profile doc
ASPA Verification:
- Sum of lengths up up and down ramp, less than N , then INVALID
- Measuring ramps
RTR Protocol
- all aspa documents are now afi agnostic
- modeling behaviour
Open Questions:
-
security section
- removed comment on ipv4 and ipv6 topologies
-
rtr aspa pdu
- do we need provider as count ? are there any disadvantages to
moving it up
- do we need provider as count ? are there any disadvantages to
Are we ready to move on ? the spec is solid, are we ready to move on
MIC LINE
Nan Geng: rtr aspa pdu, ... feel do not need to change the position of
the Flags field in the ASPA pdu ...
AA: glad conversation kickstarted
Rudiger Volk: rewrites improved documents, after major re write , it is
expected that some work needed to fix small things, actually i think we
need to go through a little bit of details. Security considerations
needs more work. I'm likely to provide some feedback
Job: I feel we are almost ready. Our focus should be the RTR document,
five topics need attention, in particular ordering data within the PDU.
Randy, Rob, if you need help, i'm happy to chip in. Do not rush , fix
open issues
Tim Bruijnzeels: thank you AA, similar to job my feeling we are close.
Please resolve issues that need to be resolved.
4) Sofía Silva Berenguer - NRO RPKI Program
slide 2, What is your role in the routing system ?
s3, provide input please
s4, a short intro about me
s5, about the nro, number resource organization
s6, intro to the nro rpki programme
s7, why is important, there is diversity / divergence among the rirs
s8, differences in services provides, in how services are provided,
differences in ui , api signatures
s10, are those differences hindering rpki adoption in some way
s11, purpose and expeced specific outcomes, including improving
resilience and security and keeping the communities informed
s12, how would a single global rpki system look like ? problem statement
around single TA,
s13, who is we ?
s14, pointers to further information
s15, please reach of to rpki_program@nro.net
MIC LINE:
Randy Bush: how do you measure rpki adoption ? is not just about how
much is published?
Sofia: i'm not measuring myself, using what's out there
Ben Maddison: i think this is really useful, informal coord has happened
but having some more formal coord is good. One comment, it is to ack
that there is disconnect between experts. More important, look at the
current TA structure , current is fragile
Sofia: thanks for that, please provide feedback for the program
5) Job Snijders - draft-spaghetti-sidrops-rpki-crl-numbers and draft-spaghetti-sidrops-rpki-ta-tiebreaker
CRL-Numbers:
- athene pointed to to crl numbers compliance issues
- tom harrison from apnic, concern reg crl numbers field maxing out
-
what a crl rpki looks like
- crl number is non critical ex
- monotically increasing seq number for a given scope
-
manifest
- manifestNumber is the same as the crl number
- crl numbers are purposeless for the rpki, because a well formed
manifest contains a one single entry for a CRL. The named entry
contains a hash. RPs can decide which crl to use just by using
this information in the manifest
-
Solves case 1: maxing out crl number
- both numbers can max out , for manifestNumber theres is already
a draft to solve
- both numbers can max out , for manifestNumber theres is already
-
Solves case 2: using the crl number is complicated
- the crl number has no constructive purpose
- ignoring the crl number actually fixes how the failed fetch
mechanism should work
-
Next steps
- rp developers please check what you are doing with crl numbers
- wg adoption?
MIC LINE:
Q Misell: why are you checking the crl at all ?
Job: historical reasons, use x.509 profiles as-is. Removing the
extension makes the RPKI no longer compliant with existing x509
profiles.
Q Misell: it may be nicer to say now rp ignores, in the future CA stop
including them
Job: reasonable converstaion to have
Bob Beck: are we certain there are no implementations doing other types
of fetches
Job: to my knowledge, all implementations use the manifest as a starting
point and not the AIA
Ben Maddison: there is disagreement among authors,
... cross talk among line and participants ...
Job: let's take it to the hallway
TIE BREAKING TAs
- RPs periodically fetch TA certs from well known remote locations
- Verify using tal
- on failure, there is an option to use local cached copy
-
What if older TA issuances are accidentally re-introduced ?
- TAs still valid that are out there and have stale information
- analisis of older tas visible
-
move towards shorted lived TA certificates
- already some agility in place
-
on the rp side, how to distinguish among TA replay
- tricky , no current extensions acutally help much
- use not before and not after
- the source of the object can also be used
-
Proposed tiebreaking scheme
- for manifests, easy , take largest number
- for certificates, more steps are needed (see slide)
-
Justification:
- notBefore , rps should prefer shorter validity periods
- prefer fresh
-
next steps
- please take a look
Chairs: please provide discussion on the mailing list
6) Yu Fu/Nan Geng - draft-fu-sidrops-enhanced-slurm-filter
Only fetch what is needed from the network , for example only ipv6 data
Improves storage in routers , introduce some unnecesary steps
Discussion:
- does a network require all types of rpky data ?
- whether sync data not required ?
- which solution is best ?
MIC LINE
Jeffrey Haas: filtering data could be potentially useful, when rpki is
being fed slowly you can get some thrash in the routers. Secod thing is
to pvovide via protocol priorization.
7) Weiqiang Cheng - draft-cheng-sidrops-consistency-forwarding-00
Consistency routing and forwarding.
Causes of inconsistency.
Risks of inconsistencies.
Consistency in inter domain routing and forwarding.
How to keep consistency:
- obtain deviation as paths
- advertise deviation path
Use cases.
Next steps
MIC LINE:
8) Chongfeng Xie/Xing Li - draft-xie-sidrops-moa-profile
Overview, new digitally signed object for rpki used for mapping
announcements in underlay ipv6 networks
Scenario
- ipv4 over ipv6 underlay (see v6ops draft)
Problem statement:
MOA: - signed binding between an ipv4 address block and its right ipv6
prefix that is allowed to be declared in bgp announcements
... missing ...
Chairs: lets continue discussion on list
9) Qi LI - draft-li-sidrops-rpki-moasgroup-00
Masurement, limits in routing origin leave moas vulnerable
problem analysis
proposal : signed moas groups
smg ASSERT a group of ASes intended to collaboratively announce an IP
prefix
issue an SMG based on aggregate signature
smg validation
interaction between roa-rov and smg-rov
- no changes to roa rov, smg designed to augment
performance evaluation
Conclusions
10) Zhuotao Liu - draft-wang-sidrops-fcbgp-protocol
FC BGP Basics
- adopts per pathlet validation scheme for path validation in BGP
Feedback since ietf 119
Changes from v0 to v1
fc-bgp treats partial deployability as a first class citizen
rpki / bgpsec cert / key
processing bgp updates
route selection policies
as confedereation
route servers
11) Lancheng Qin - draft-li-sidrops-bicone-sav
Chairs: no time for all slides , please provide highlights as we are way
over time
Background, goal, create ingress SAV blocklist filters based on roas,
aspas
comments received since ietf 119
prefixes in allowlists / blocklists
recommendations
request for adoption