You're viewing an archived page. It is no longer being updated.
Thursday, 17 May 09:00 - 10:30
WG Co- Chairs: Ignas Bagdonas, Paolo Moroni
Scribe: Anand Buddhev
Status: Final
WG Co-Chair Paolo Moroni introduced the session.
The presentation is online at:
https://ripe76.ripe.net/archives/video/98
Alex Azimov (Qrator Labs) commented that AS path spoofing is much easier to
detect by using a direct multi-hop peering session with one's customer, and
doesn't need this ARTEMIS project. However, it was a complex comment, that
needed more discussion offline.
Andrei Robachevsky (ISOC) asked whether this is for all ASNs or participating
ASNs. Xenofontas said that it only protects networks that use this software.
The presentation is online at:
https://ripe76.ripe.net/archives/video/100
Gert Doering said that bgpq3 can already build prefix list filters and ACLs,
and most of the work can be automated, and that there was no need to change how
BGP works. Alex asked whether Gert was worried about false data in AS-SETS,
which are used to build these filters and ACLs. He said that a customer who
wants to spoof addresses could do so easily by adding false data to AS-SETS.
Gert said that he would deal severely with such customers. He admitted that his
network is small, so it's possible to catch such deliberate attempts at
spoofing. He added that one has to start somewhere, and prefix filtering is a
good option for smaller networks.
Randy (IIJ) replied to Gert and said that ACLs can be done in small networks,
but not feasible in large networks. Gert said that doing it for small networks
is at least a gain. Randy acknowledged that there is still a problem to solve.
The presentation is online at:
https://ripe76.ripe.net/archives/video/102
Blake Willis (Zayo) thanked Emile for building this, because they use it regularly.
The presentation is online at:
https://ripe76.ripe.net/archives/video/103
Iljitsch van Beijnum said that with RPKI, there is only one set of filters, and
asked why they are proposing different sets of filters. He further asked about
the relationship between the customer and the upstream. Max said the customer
says what they are going to announce, so the relationship is upwards, from customer to ISP. Iljitsch disagreed and said it should be a two-way
relationship. Max asked Iljitsch to email his suggestions.
Rudiger didn't like the idea at all. He said it was an example of hackery before conceptual clarity. He said that RPSL allows networks to document policy, but lacks authorisation. He said that the maintainers of AS-SETS, for example, have no authority over the data they put into them. There is no way to check that the data is trustworthy. Rudiger said he couldn't see an authorisation model in this proposal.
Max replied that they're just leveraging the existing parts of RPKI.
Rudiger argued that this proposal would result in yet another database with questionable content.
Max replied that if one owns the ASN, one can create policies, and that's what this proposal is about.
Rudiger than said that authorisation should come from the resource holder,
whereas this proposal is suggesting doing it the wrong way. He felt that this
proposal is a hack, and lacks a clear conceptual model.
Max invited Rudiger to have a chat later to make this proposal better.
An unidentified audience speaker said that CAIDA has done similar work, and
wondered about the result of comparing the results from this model with CAIDA's.
Martin Levy said work on this proposal should continue, and let it be a challenge to the RPKI model. He then asked whether there was a way to get authentication both up and down the chain. Max said that he had thought about it, but wanted to keep the idea simple at first. He said he was open to suggestions to improve the draft.
Gert Doering wanted to know if route sets were built automatically, or whether
this proposal only provided candidate ASes to be evaluated against documented
policy. Max replied that it was the latter. Gert then said he liked this idea a
lot.
Randy Bush thinks this work is worthwhile. But he said that the problem in the
GROW WG is that there is a clash of authority models. He said that RPKI is an
attempt to provide authorisation that the IRR models are lacking, but that it
doesn't map well to the authorisation model of IRR data. He said that this
proposal is similarly a hack, and that more thought is required to solving the
main problem, which is a clash of authorisation models.
Ignas Bagdonas observed that this is a controversial topic and urged everyone
at the meeting to get together and talk more about it.
The presentation is online at:
https://ripe76.ripe.net/archives/video/105
Patrick Gilmore (ARIN) said that not every CDN serves the same content. Giving
preference doesn't always shift traffic around.
Warren Kumari (Google) pointed out that in this context, "optimal" can mean
different things to different CDN operators. Ingmar replied that this solution
isn't about telling a CDN operator what's best for them, but rather what's best
for the customer.
Randy Bush asked about the math and functions used to calculate the results.
Ingmar said that they depended on the CDN, and so there were several, and
that's why he didn't put them on the slides. He said that he'd be happy to
share them.
The presentation is online at:
https://ripe76.ripe.net/archives/video/107
No comments or questions
Z. AOB