SIDR Operations (Active WG)
Ops Area: Robert Wilton, Warren Kumari | 2016-Nov-07 —  
IETF-108 sidrops minutes

Session 2020-07-27 1300-1350: Room 5 - Audio stream - sidrops chatroom

Minutes

minutes-108-sidrops-00 minutes



          SIDROPS
          ** SIDROPS Agenda For IETF-108 (version 1)
          
          Session: July 27th 2020, 13:00 - 13:50 UTC
          Bluesheets are automatically generated from the Meetecho datatracker
          login thingy
          
          Agenda bashing and Chair’s slides - [5 minutes]
          If you want to find Chris’s slides, they are at:
          https://datatracker.ietf.org/meeting/108/materials/slides-108-sidrops-chair-slides
          Di Ma - [10 minutes] RPKI validated cache Update in SLURM over HTTPS
          (RUSH)
          Di Ma is talking about
          https://tools.ietf.org/html/draft-madi-sidrops-rush-00/
          (slides not available at this time on the IETF web)
          Q: Randy Bush. Find the security considerations “disturbing”; we have
          a trust model, it's object trust, don't trust getting stuff from random
          servers. Liked this proposal more when it was ‘more data dangling off
          the existing trust anchor’.
          
          Q: Job Snijders. I would like to echo Randy’s comments to
          security considerations. It seems to dance around the needs of the
          issue. Specifically, RIR to RIR member trust boundaries should not be
          done without object security. AS0 is a red herring, not a great use-case.
          
          Chris: Out of time. Take to list, or interim in 3-4 weeks if need be.
          
          John Kristoff - [10 minutes] Relying Party Measurements
          https://datatracker.ietf.org/meeting/108/materials/slides-108-sidrops-measuring-relying-parties
          (skipped pending issues with AV/Slides by John)
          Chris: presentation ‘tabled’ pending discussion, due to AV failure
          
          Oliver Borchert - [10 minutes] BGPsec validation signaling
          https://tools.ietf.org/html/draft-borchert-sidrops-bgpsec-validation-signaling-00
          https://datatracker.ietf.org/meeting/108/materials/slides-108-sidrops-draft-sidrops-bgpsec-validation-signaling
          Q: Job Snijders. Of two minds if “things should be enabled by default”
          on sessions. Some implementations made assumptions about communities
          being present or not. (Ben Maddison can confirm).
          
          A: Oliver: can discuss, enable by operator. important thing is operator
          having capability to enable/disable per-peer.
          
          (missed Sriram’s comment. came back during Ben Maddison’s
          clarification on default enable/disable)
          
          A: Oliver: do not make assumptions about absence of community string.
          Ben: issue should be obvious. Normative MUST would be useful (avoid
          mistakes of origin-validation spec).
          Oliver: thinking about it, point out issue, discuss offline with
          co-authors if goes to unverified.
          
          Sriram Kotikalapudi - [10 minutes] AS Hijack Detection and Mitigation
          https://datatracker.ietf.org/meeting/108/materials/slides-108-sidrops-draft-sriram-sidrops-as-hijack-detection-00
          Q: Rudiger Volk: a remark to ‘resilience’: some people are making a
          major argument about if a CA fails, everything will be fine because ROV
          goes into unknown state. Not convinced, but people are concerned/making
          a fuss about it. we have to be concerned about the CA for the AS and
          addresses being different, failure of the address CA and not the AS CA,
          then REAP will essentially invalidate all the AS announcements. Has to
          at least go into security considerations.
          
          A: Sriram. understood. thank you will put words into security
          considerations. Thinking was REAP would also not be available, but
          modelled as one CA, not multiple CA.
          Rudiger: not a lot of discussions about CA of AS and IP address
          should be related. Expect CAs for both spaces, will be different,
          separate. Randy with the biggest ISPs only
          
          Q: Randy: points out serious problem, but can happen from RP failure
          too, RP does not fetch from ROA publisher but fetches from REAP
          object. Disaster happens. Significantly common (John Kristoff’s
          presentation) sufficiently real cannot support
          Chris: clarifying consideration RP problems and CA problems. if the
          RP sec can be cleaned up, deal with failure mode, doesn’t seem
          ‘horrible’ as an option.
          Randy: John’s presentation. RP universe is ‘scary’
          
          Chris: if John can make a pre-recorded thing to present, will be better
          Randy: RPs are not overly reliable. Don’t think going down this path
          is a success path. Goes to years of work.
          
          Q: Job: is AS hijacking a concern for AS operators? Never articulated
          what are the exact issues between the ASN. Maybe this is reputational
          damage, monitoring (false positives). AS spoofing does exist, not clear
          how big a problem it is.
          A: Sriram: Designed to prevent hijacks.
          
          Chris: need to hear on list this, and other topics. Meeting closed.
          
          


