Minutes for SIDR at IETF-93
minutes-93-sidr-1
| Meeting Minutes | Secure Inter-Domain Routing (sidr) WG | |
|---|---|---|
| Date and time | 2015-07-24 07:00 | |
| Title | Minutes for SIDR at IETF-93 | |
| State | Active | |
| Other versions | plain text | |
| Last updated | 2015-08-14 |
minutes-93-sidr-1
Sandy Murphy:
• introductions, note well
• draft status (see slides)
• ltam to die unless someone objects
• agenda
Tim Bruijnzeels:
• RPKI retrieval Delta Protocol - RRDP
• Discussion
◦ Geoff Houston: Distrusting - what does it mean
◦ Rob: I was going to comment on this. This is a point of
friendly dispute among the implementors. Tim is very conservative
regarding his implementation. ▪ all it really means is the
protocol is not a trusted conversation. the objects are what matters;
we don't really care about who we're speaking to to get the objects ▪
so being conservative about believing the web server when it says
to delete something • questions/comments? ◦ Randy Bush:
Channeling Dan McPherson . He's concern about the distribution of the
data because he has a product which depends on this work. ◦ Tim:
no data yet. The place that is getting work is the notification file.
◦ Sandy: I think that you are talking about certificate
validation not bgp route validation. ◦ Rob: this is really about
discovery, not validation ◦ Tim: would like to make
informational document that explains how both discovery and validation
work with RRDP
Sandy:
• Randy Bush to talk about transfers.
• Geoff pointed out careful synchronization requirements to hand
off back in November.
Randy Bush:
• Sandy: Do you think your description of the transfer process
melds with Geoff' description of careful synchronization? •
Randy: probably, what do you think Geoff • Geoff: ◦
validation reconsideration gives more latitude ◦ the two work a
lot better ◦ if you get timing wrong, things are still ok •
Sandy not asking about validation process, was asking about (too fast)
• Geoff: take the 5th, can't answer right now without reading
carefully • Sandy: For those of you who are working at the
registries, does transfer draft match your operational procedures? •
Tim B: no, we support xfers, defined by policies, doc doesn't have
to define policies, but needs room for decision points on whether xfer
can happen or not. Currently don't engage. Can invalidate resource
in a certificate in case of xfer, but since we have hosted solution at
the moment, doesn't really affect us. We can shrink ROAs, etc as
neeeded. • Randy: You don't do inter-rir transfers? • Tim:
not yet, almost • Stephen Kent: One of the difference between
Randy's doc and earlier is earlier distinguished between transfers of
unused and live, thought that former was more common. The discussions
on the list says having two ways of handling transfers isn't good. If
wg decides having only one way is better, the document needs to say why
that choice was made (why not distinguish between the two). We
described in that older draft that ordering constraints aren't that
bad. Ordering should be carefuly revisited in detail. • Sandy:
I do not know of any rir that permits live transfers of live address
space. I do not think that xfers are impossible • Randy: I assure
you that transfers of live address space have been going on for years.
Mergers and acquisitions • Sandy: never considered them an xfer
• Andy Newton: we know that transfers have taken. • rob:
One particular data object is the tao object that we sign and
transfer. I recommend people go back and read the document. •
randy: in original transfer doc, 2007, something like live euro
protocol, fantasy to handle what the tao object is doing in a different
way. essentially need an authenticable /verifiable attestation of
intent. tao is one way of approaching that • sandy: torn euro,
not live • tim: I like the document that randy and all published
recently. • Randy: The transfer document is slowly sneaking up on
describing the transfer. We have so little data on those who are
actually doing the transfer. One is type going up and the other is
going down. BBN doc making registry nervous ◦ both trying to
reach the same place, different directions (one going up, other down) •
rob: if you look at either doc, there's a challenge naming
recipient. seller identifiable (holding resource), buyer hard to
find. tao object, something that names the buyer. where is this
supposed to be going? did the right person get it? • sandy:
would be useful for people to comment. neither doc is a working group
document. do we want both, or one, or neither to be adopted? •
randy: what do we mean when we adopt? some wgs will talk endlessly,
others if it means we want to discuss it. • kent: don't both
need to be adopted. ultimately have a solution that will incorporate
elements from either document that is adopted. Randy's document has
more details regarding on topic. BBN has working. • randy:
illustrates the difference in two procedural approaches. a group that
says wg docs are those for discussion, then both should be adopted,
then drop both, then adopt a new one. etc. in idr these wouldn't be
wg docs until something pristine and ready to publish came out •
Rob: Ask if the WG wants to work on this topic. • Richard
Hansen: adopting makes it easy for people interested in sidr to keep
track of what's going on, what the group thinks is interesting •
: Adopting this work indicate people want to talk about this document •
sandy: we'll go forward in some fashion
Steve Kent, overview of adverse actions draft
• (slide 6) Rob: A question that occurred to me, I agree that
outsourcing CAs. There is a large publication repository ( what if
google decides to publish everything? should we consider that case? •
Steve: good question, should email so we remember to think about
it. • (slide 8) Rob: not exactly mission drift, but originally
manifests had a specific focus. just here to solve one problem. but
they're useful for other things... rsync isn't the best. manifests
are pretty important for discovery. Requirements for manifests may
have changed. may be worthwhile to revisit manifest doc. •
steve: good point. if plans to switch to rrdp, then need to go back
and look at it. but it's tricky, we're still using rsync. will have
tradeoffs • doug montgomery: in detection, worth addressing pub
point might offer different views to different people/regions of the
world. • steve: didn't address that. certainly is possible if
the primary detection is done by the INR themselves, but they keep
getting rosy view. INR might have options for where to get resources.
please send email to list so we remember to talk about this •
Rudiger Volk: As distribution tree gets more differentiated, attacks
it is not sure to determine how to monitor or to detect these attacks.
It is actually interesting to have some people provide a service of
monitoring - so the naive people can ask for the current view This
resource view will show the resource holder. It would be •
steve: One can imagine 3rd party monitors (for money, altruism). We
have this in BGP - so why not here. • mlepinksi: What is the bad
thing that can happen if a repository offers different views of the
world to different people ... provided that both views are otherwise
valid (not stale) • steve: The views could be different due to
compromises. I think Matt was asking question in a slightly different
context. • tim: we use manifests in a more authoritative manner
-- I think they're really useful because they're signed and enumerate
what they believe we should find • steve: complimentary issues:
if i can't find something mentioned, then... #2 if i find something
not on manifest, what then... #3 what if manifest is stale. should
discuss, little squishy • tim: people seemed to be ok with
giving manifest more authority. • steve: agreed, need more
discussion and decisions • matt: One can imagine a resource
holder who wants different people to see different views and therefore
creates parallel objects for this purpose. I am not sure that this is
good, but I don't think it is something we should spend a lot of effort
to stop • steve: i don't think we ever viewed this as a feature
• randy: lta use cases • steve: local matter, we're
talking about global • randy: local can be big, and can have
subsidiaries. not as bad, intransitive • sean turner: question
#1 adopt? yes. #2 expand scope to expand other EE? no, let's not. •
steve: router certs? • sean: sure. for other EE we can
add them later • sandy: was reviewing some of the things that
had happened in registries and rpki, some of availability issues where
repos were offline, manifest problems cause validation to fail
everywhere, do those fit in suppression? • steve: i'd say yes.
if offline, then equivalent to suppressing availability of updates.
could try to clarify • rob: several RIRs had CA offline. pub
point was online, but CA wasn't updating so things went stale. don't
know if all rirs have fixed problem of short manifest EE cert lifetimes
(were using 2-3 day lifetimes). The problem with RIR would go down for
a weekend, and everything under other the RIRs. ◦ rir region
would go away for a while ◦ technically could fit into this
category... more like serious operational error • randy: have
had demonstrations of serious problems. would be nice if it was
obvious to reader of the doc the nature of those problems and how this
doc plans to detect and deal with them • rudiger: would be good
to explicitly state whether the intention of this document is to cover
all of the things that could happen, including all of the operational
screw-ups. straight forward that ... classified in theoretical way as
suppression or similar, but i would guess that addressing seriously all
kinds of operational errors would take a different approach to those.
in the interest of op stability, I would like to see all of it
addressed, but fine if one doc deals with explicit tampering and
another deals with operational errs. one should have a clear
understanding of what is being addressed. • steve: rob, please
send examples. what we can do is give examples to make it clear that
we did intend to include this. • steve: rudiger: Did intend for
this to be comprehensive. detection is going to be the same. better
job of explaining the implications of these things. want to make
reader understand this is a concern because of this points. •
sandy: recall happening two registries had issued same resources to
different people. how does that fit? • steve: send that to the
list, need to think about that • sandy: Possible to do that ..
for traffic engineering • steve: could have daemons looking for
these, could have false positives • declan ma: cover case of ...
yes, we are looking at that • all of the above was on slide 8 •
Stephen: I'm proud of my penguin picture in the slide set. •
Randy: But what is the penguin asking (smile)..
Sandy:
• previous q on whether to adopt leads me to think that adoption
is a moot point • clear that people are commenting and interested
in the topic • if authors want adoption, authors should request
it from the list • next: david mandelberg • reminder of
blue sheet
David Mandelberg presentation on SLURM
• note: David believes this is ready for adoption.
• Rob: The basic mechanism has been around for many
implementation. You are suggesting we have a file format. •
david: and a specific behavior for what the file says • rob:You
are specifying a typical usage, but not limiting it. The typical usage
is layer between validation engine fetching and rpki-rtr stuff. in my
implementation, if you choose the right options -- what can you express
in a perl script? -- it's a text filter. talking about set of actions
and file format. main value is having interchange format in case you
want to move them around • david: yes, that's primary concept,
but additonally some corner cases need to be hash out • tim: we
are doing similar things in our validator. can only configure in web
ui at the moment. woudld be good to have a standard format and a
dcoument describing behavior. • doug montgomery: so this is for
addrs not globally advertised? • david: primarily for net 10,
etc. • doug montgomery: but used locally and not ebgp? •
David: I believe that there are people doing strange things. •
doug: monolithic file per validator? • david: per rpki-rtr
output server • doug: router to cache peering? • david:
don’t see why not, if you configure properly • doug: worth
discussing to get correct scope of correct slurm? • david:
asking for ops draft? • doug: how to use if different strange
people do different strange things • rob: is identifier field in
slurm format. draft is open ended about how that's handled, but one
way is to limit applicability to certain rpki-rtr instances •
rudiger: ... people will screw up • david: would be nice to
minimize that • rudiger: It makes the text for writing the RIR
easier. You are not twisting the text for 5 different usage. And this
is important because if the standard was not good, it will helpful. •
doug: picking up on rob, if localized special views, if some way
to bind right router to right view, that would be good • david:
it's in terms of rpki-rtr servers, not routers • steve kent: if
common format is a good thing because of sharing, then we have to have
semantics be uniform or else we have problems. that's why it's good to
have this • Jeff Haas: slurm is just a filter. Without that, you
expect what you generate is expected to be largely uniform. may want
to private addresses have scope in some portion but not somewhere else,
some bit of prefix squatting on, the way to extend this interpretation
-- treating it as output, do something before handing off. could get
same thing if you move the box. • david: are you asking to put in
router software? • jeff: may make sense. yang, etc. that people
know what to do with • david: made these slides before we talked
last night. Being rp implementer, put it where I was comfortable •
rob: leaving slurm out for the moment; from implementation point of
view easiest to put it there • randy: characterization of use of
other's address space -- people doing that are not announcing globally,
and they want to validate its use. that's reasonable. we may or may
not like it, but that's reality. 2nd point -- lta-use document tries
to address similar needs but at higher level; specifically do editing
by producing different repositories. distribute modifications through
repositories. this is two steps down, not sure which set of needs and
how this is implemented is the way i'd go. • david: draft does
reference lta use cases. agree with most of what you said, personally
think it's easier to distribute text file. • randy: want to
reduce description to a distributable syntax. would recommend json. •
rob: if one were to use slurm to replace some things in ltam, one
might want some understanding of way to combine multiple slurm files.
how to merge local with isp. • david: in the draft. •
rob: yay. have comment syntax? • david: yes
declan ma, rpki in china
• Sandy: Any questions?
• Rudiger Volk: I wonder if you mentioned any test plans or any
details on deployment? • declan: yes. zdns has testbed, ran
tests. developing distribution mechanism (rsync with optimized hash).
We have testbed to work with manufacturers to see if it works •
??? (afrinic): modified rsync, did it help you? • declan: paper
will be published, can send slides about thisYou know my email address.
Please send me a request.
matthias waehlisch on rpki beacons
• randy: would like to change "interval" to "specific published
times", then can measure propagation. don't care what the object is.
like that each CA does it. think it's a good idea. I like bgp beacons
• kent: opposite take: adding churn to the system is something
i worry about. secondly, already have by convention, crls that are
changing daily and thus manifests. if rate that cas should do this is
more frequent, then we shouldn't do this. looking at propagation time
using existing stuff is pretty good. if suggesting doing it more
frequently, have to add new objects. must pay close attention to make
sure we don't mess anything up. • matthias: first idea, still
open for discussion. • kent: 1st question: how frequently? if
not more frequent than existing updates, then we might already be able
to do what you want to do. having every ca do this, since we have a
few entities that operate repositories, propagation will probably be
the same so it may not add to the precision if each of the hundreds of
CAs do this for each CA. seems excessive. Perhaps you needed to think
you about this? • matthias: expect more frequent than once a day
• kent: crls get issued daily, thus manifest changes daily, and
they have timestamps • randy: start time on cert is not
necessarily publish time. I agree with kent on managed repositories.
.I am interested in the publishing time... per repository not pub point
timing is of interest to me. if it creates too much churn, then i think
we have more serious problems • ??? (ripe): like idea, but where
do you want to go with this? • matthias: • (ripe): idea
good, don't support a mandate that all CAs must do this, but think it's
good practice. idea is good • sandy: cross product of bgp
beacons and rpki beacons. I was trying to see if there's interest in
trying to measure the publication time vs. announcement time, and when
changes impacted each other. I don't agree that crl being published
daily is sufficient; needs for measurement may not be satisfied by that
publishing • matthias: should we write a draft? • sandy:
I think that a draft is best to progress this work is important. There
have been complaints in the past that progression without a draft is
not good.
Andreas Reuter: RPKI MIRO
• Rob: This is awesome - keep it up. I was trying to feed the
results into DOTS is difficult. We tried to remove any identifying
information. Is this a independent implementation. If it becomes an
independent implementation, please join the rp implementor interop
testing • andreas: no, using RIPE's validator library •
Randy: I do not care about the file names. We went down a similar path
for bgpmon.
sriram- draft-idr-route-lead-detection-mitigation-00
• Lots of discussion on IDR list and GROW list (presentation
comes from these comments) • sandy: wg chairs list, meetecho
ends precisely on time... • questions • randy: route leaks
are a serious problem. i think this is the only game on the table.
not clear that it wins. concerns are the idiot leaking also marks, so
they're going to do the downgrade attack. if they have a misconfigured
router, why wouldn't their router be misconfigured to downgrade •
Siriram: The security is important. • Randy: We need to take time
to think through what happens, and get it right. • Jeff Haas:
where do we put these things? community makes sense. operators use
peer groups to associate things together with common policy. people
might do what appears to be a downgrade attack. One might degrate the
peer grouping. If you want it to be automatic. with end communities
can put it in today, if done correctly, will work. having policy that
is automatically maintained ... • Siriam: You think automating
this is feasible? • Jeff: what is required mark peering session
(peer is customer, peer is provider), would be broadly useful., for
this and other stuff. Taking this taxonomy and seeing if it is usefu. •
randy: #1: hesitant to use communities because they get
manipulated, validly so. therefore can't sign them, so doesn't work
with bgpsec. #2 based on Gal-Rexford model, been ranting against this
for years. people who have been pushing it have a paper that says that
they measured, and it's not the case in a significant portion of the
internet. • sandy: found it listed as a tech report, can be
described as publicly available document. • sriram: not
characterizing peering session as gal-rexford ... • randy:
Tjotrnasported between two peers intentionally, this discussion is
silly • sandy: in discussions, always discussed neighbor of
leaking party being the discoverer. neighbors aren't correctly doing
their jobs detecting. advantage of this is permitting later people to
detect. • randy: not necessarily -- if 2 hops away, don't know
if the leaker was a bend. don't know that topology • rob:
assuming they'll get this right but others wrong doesn't work •
sriram: • doug: that assumption, that you blow everything, is
what this addresss. theory is that google knows what it does when it
passes to hathaway. multiple hops fail, but eventually hits someone
who's doing things right, and now that has a chance to detect
sandy:
• we're done