Morrow/Keyur Chairs
Note Well showed
Agenda

- Sharon Goldberg presented her slides

Questions:
- Alexander Azimov/Qrator Labs Q: How do we want to handle blackholing (/32s)?
- Job Snijders/NTT A: We want to accept more specifics that are invalid if they match community but are only invalid due to MaxLength.
- RV/DT: Some people may take this as misleading; the first and major message is to tell people you should not publish ROAs that are meant for global distribution. Everything that you publish that does not appear is an invitation to announce that prefix. I doubt that blackholing has reach to go very far.
- Warren Kumari (without any hats): If I announce a /20 and I never mean to announce a /24, and I'm hijacked, I may not have a way to counteract this.
  Sharon: Some people are validating at present.
- Randy Bush: There are ways to resolve this with RPKI-RTR; it uses memory and CPU but the costs aren't that high.
  Sharon: We want to limit misconfigurations, that's the thought process. Comments on-list please; we are doing editorial passes, then going to ask for WGLC.

- Randy Bush: Origin Validation Signaling
  Premise: It may not be necessary for everyone within the trust boundary to do validation in each device. Route-reflectors are a good use-case where they can learn the trust information.

Q: Job Snijders/NTT: Instead of using communities, use another AFI to communicate invalids instead of replaying a message back with community; this AFI can be restricted for iBGP.
Q: Mahtin/Cloudflare: Have you considered an out-of-band method? Similar to certificate transparency.
  Randy: It's a simple way with no new protocol.
Q: Only focus on BGP method?
  A: Yes
Q: John Scudder/Juniper: Does the draft address instability problem?
  A: No
Q: Keyur Patel/Arrcus: The route reflector just does the clarification.
Q: Doug Montgomery/NIST: Just to be clear, when I get back invalid I treat all prefixes from the reflector as invalid?
  A: No, just the prefix+as_path.
Q: Jeff Haas/Juniper: We want this at rib-in vs rib-out.
  Randy: This adds delay to rib-in.
  Path origin validation today, use same method for bgpsec?
Q: Job/NTT: In the case no-advertise is used there may be problems.
Q: Jared Mauch/Akamai: You can match on no-advertise and deal with it.

Presenter: Alexander / Qrator

Q: John Scudder/Juniper: 1) ..? 2) How soBGP got it wrong, suggest you drop that part.
Q: Sriram/NIST: Have you thought about an AS that has lateral relationship where in US it's peering, but in Europe it's customer relationship?
  A: Just create symmetrical ASPAs.
Q: Randy Bush/IIJ: This has the two major problems of soBGP of over-revealing relationships, but also per-prefix basis.
Q: Warren Kumari/Google: We have a document to deprecate AS-SETs, should end up in IDR.

Presenter: George Michaelson

Q: Chris Morrow/Google: It seems you are proposing contacting 500 people that are fetching.
  A: There is some subset that are web bots. There are likely some folks in-region that know what's going on and can be communicated to them.
  A: If software authors don't move, we're still stuck in triangle.
Rob Austein/(DRL?): There are more than 3 choices, and one is to do nothing. Please come with a draft next time. This is a cost-transfer as well. This is just one of many ways an RIR may cause operational issues.
Tim/NLnet Labs: Version 2 of validator implemented reconsidered draft but as a global setting vs a per-region. It can likely be done with version 3. If there is a new OID, there would have to be an update to support it. This isn't an excuse to cause overclaims. Good idea to reach out to operator community.
Q: Randy Bush/IIJ/...: Operators should think about what? If we are going to do something we need to start soon. A document would be useful so we can start.
Q: RV/DT: How well is the required communication occurring? This is the right group to discuss things that are being deployed. Having a document to be scrutinized here would be useful.
Q: Randy Bush/IIJ: There is a list where people discuss operations.
Q: Tim/: I do think it's good to talk to operators that aren't in the room, but having a good understanding of what it is should be had amongst relying party builders.

Presenter: Randy Bush/IIJ
  We are responsible for our own actions, god is not. There is no TAL roll procedure.

Q: Job Snijders/NTT: Please go back to 3rd slide. This is not how it looks when it installed. The ARIN TAL will not be there.
  A: This is obviously true. There is another TAL that I apparently manually installed. K-Root may be validating soon. I asked ARIN to do origin validation as well.
  Randy: We need to do what we can do to make things more resilient.
Q: ??/RIPE: We will be doing origin validation.

Presenter: Tim
  Second the issue that we need to be able to roll the TAL.

Q: Rob Austein/?: The TTL part, we should learn from. We should also come up with process to do emergency key rolls.
Q: Warren Kumari/Google: A lot of people think DNSSEC should have a trust thing.
Q: Rob Austein/: To protect against what? We already have to ignore AIAs for key rolls. I support this.

end 1514 local