* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Sidrops Status Pages

SIDR Operations (Active WG)
Ops Area: Benoit Claise, Warren Kumari | 2016-Nov-07 —  

IETF-99 sidrops minutes

Session 2017-07-17 1550-1720: Congress Hall III - Audio stream - sidrops chatroom


minutes-99-sidrops-00 minutes

          Chris Morrow & Keyur Patel Chairs
          Called to order at 3:55
          Sriram - Discussion of WG LC of documents
          RPKI Deployment Agenda
          1) Amir Herzberg
          Analysis of easy deployment validator
          Research work we have been doing
          - RPKI Deployment: Stauts, Challenges and the Learning-Validator
          Questions [at the mic]:=20
              Sometimes situations are complex as a customer leaves an existing =
          transit provider taking IP space with them
          Tim - Ripe NCC:
              People can subscribe to alerts for when unauthorized announcemeants =
          appear, this has improved data quality
          Rueddiger Volk/DT:=20
              For successful deployment, we need additional tools and monitoring =
              We don't have the full tooling and monitoring available we desire
              Do we have the tools in the implementation to cover the customer =
              It does not appear that the large networks have the CA roles =
          necessary to make this happen.
              If the customer doesn't create the ROA, traffic will still forward =
          to the customers
              Are you taking into account the more specific routes when you say =
          traffic would be lost?
          2) Jordi Vilanova - [15 minutes]
          Job Snjiders/NTT:
              I fail to understand what problem we are solving
          George Michaelson/APNIC:
              If you lose the private key, you lose the addresses
              You are unable to functionally assert information about your IP =
          space without the key
              Public verification/public ledger is not inherently tied to =
              This would be interesting to do route validation, could we use this =
          for path validation.
              It would be interesting to see how much time/effort proof of work =
              Registries are about to assert 0/0
          3) Tim Bruijnzeels - [10 minutes]
          HTTPS in TAL/TrustAnchorLocators URIs
              Given the RDP touches, don't I get the address of the certificate at =
          the root I can compare to the hash in the TAL?
              What better verification is there?
              A: RDP URI is given at bootstrap, includes notification XML.  In a =
          nutshell RDP doesn't get you there, you could point to notification of =
              The trust model of HTTP is another whole world..
              It's good to try to do HTTPS validation, not sure if it should halt =
          if we can't do cert validation
          Job Snjiders/NTT:
              It's good to standardize the transport in toolchain.  If we're going =
          to modify this, perhaps we add version number with=20
              I'm wondering if the relying party software validates the design
              A: Even if it's optional choice, I can use a CDN or other things to =
          scale.  If the CA decides to use the delta protocol, for that particular =
          situation we don't need to call RSYNC.
              You are suggesting ... optional? =20
              A: If we can use either, that gets me a long way there.
              Can you e-mail the list and ask for adoption?
              A: Yes
          4) Tim Bruijnzeels - [15 minutes]
          Signed TAL to communicate URI changes or planned key rools
              we can look at 5011 for possible solutions
          5) Tim Bruijnzeels - [5 minutes]
          Update on Tree-validation
          Randy Bush/IIJ:
              We have long tradition of publishing RFCs=20
          Rob Austein/DRL:
              This does not need to be WG document, ship it
              We should push WGLC and publish the document
          6) Randy Bush - [10 minutes]
          [ no slides ]
          * there are variants in how routers implement RPKI validation
          * two significant problems
          ** 1) when i make annoumcenet, if the other party needs to say invalid, =
          we failed
          ** 2) the rfc says the operator is in control through configuration of =
          what is done once the route is marked NotFound,Invalid, etc.
          **    we have implemetnations that do different types of things to be =
          helpful, but they are harming the ability of operator to set operational =
              I certainly agree we have to expect not everyone is using this =
          (RPKI), so I have to deal with situation that some of my customers may =
          not do RPKI classification, I still need to tell them they are sending =
          me invalid routes.
              I would wonder if adding to the draft a hint that the =
          implementations should make it easy to produce the message for neighbor =
          that is sending invalids.  Some vendors it's easy, others it's painful.
              A(Randy): can I do it with policy?
              Vendors have optimized by not storing rib-in information
              A: if by policy i decide to drop your route, that should be ok
          Keyur Patel/?:
              RFC6011 doesn't mention rules for redistributed routes, should we =
          publish rfc6011-bis?
              A: If I'm originating the route, what is the ASN?  Confederations, =
          local-as, etc..=20
          Jeff Haas/Juniper:
              Do we want to go an extra step and not mark routes by default?  I =
          suggest this?
              A: I don't want this
              Should we update 4271 to say where this should happen in the =
          7) Declan Ma - [15 minutes]
              For the last paragraph you had up, I would repeat the earlier =
          Morrow/Chair: please send request to list for adoption
          8) Oliver Borchert - [5 min]
          Update on BGPsec reference implementation and BGPSEC-IO, a BGPsec =
          No questions
          End 5:32pm

Generated from PyHt script /wg/sidrops/minutes.pyht Latest update: 24 Oct 2012 16:51 GMT -