Session Date/Time: 19 Mar 2024 05:30
sidrops
Summary
This SIDROPS session covered a wide range of topics, including ASPA updates, signed prefix lists, RPKI validation reconsideration, FC-BGP, manifest number handling, aggregated RPKI, subnet peering information, RPKI validation signaling, horizontal/vertical correlation, source address validation, ROA deployment metrics, and YANG data models for RPKI router protocol. The discussion was lively, especially regarding RPKI validation and signaling. An interim virtual meeting will be scheduled.
Key Discussion Points
- ASPA Verification Draft Update: Version 18 is coming, including text clarity improvements and a more substantial Security Considerations section. The draft will normatively update RFC 9234 regarding BGP roles.
- Signed Prefix Lists (SPL): SPL allows an AS holder to publish the prefixes it originates. It is complementary to existing ROA-based prefix origin validation. An implementation is available; review and implementation of SPL are encouraged.
- RPKI Validation Reconsidered: The current RPKI validation algorithm is considered problematic because unrelated resources can affect validation outcomes, giving a large blast radius. A new algorithm (the "GG algorithm") that considers only the certification path specific to the resource being validated was proposed. The existing RFC 8360 approach is not deployable. Concerns about flag days and the impact on RPs were raised.
- FC-BGP Updates: FC-BGP aims to secure both the control plane and the data plane. It uses a per-pathlet validation scheme and is compatible with native BGP. Path selection prioritizes local preference. Deployment involves strategically placing FC-BGP-capable devices.
- Manifest Number Handling: The document discusses what happens when manifest numbers reach their maximum value. One proposal is to skip the manifest number check if the manifest filename changes. The meaning of "filename" in this context requires clarification.
- Aggregated RPKI: Addresses the situation where an aggregated parent prefix is not ROA-authorized while its sub-prefixes are, leading to false invalidations. The proposed solution generates aggregated VRPs. Concerns were raised about misconfiguration and possible complications in BGP routers.
- Subnet Peering Information: A new signed object (SSP) is proposed to automate subnet peering by providing a public registry of ASes willing to establish subnet peering relationships. RPKI is considered a suitable registry.
- RPKI Validation Signaling in BGP Path Attributes: Recommends against signaling RPKI validation state in transitive BGP path attributes, particularly BGP communities, to avoid routing instability. However, older BGP implementations might still require such signaling.
- Horizontal/Vertical Correlation: A method was discussed for determining which changes an RP sees during an incremental update transaction, by correlating the different RPKI signed objects involved.
- Source Address Validation: A new defense that uses a new block list together with existing allow lists to provide immediate incremental benefit, even if the generated block list does not include all prefixes.
- ROA Deployment Metrics: A study to motivate network operators to deploy ROAs in the future, and an experiment using different deployment strategies.
- Selective Synchronization: A proposal for selective synchronization of certain BGP data types.
- YANG Data Models for RPKI Router Protocol: Definition of YANG data models for the RPKI-to-Router protocol.
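The blast-radius problem raised under RPKI Validation Reconsidered can be made concrete. The following added example (not from the session or from any draft presented) compares the strict RFC 6487 check, under which one overclaimed prefix in a child CA certificate invalidates every ROA beneath it, with the RFC 8360 intersection approach the session judged undeployable; it does not implement the GG algorithm. The certificates and ROAs are constructed, and the intersection is simplified to whole prefixes (a claim is kept only when fully contained in the issuer's holdings).

```python
"""Blast radius of a resource overclaim in RPKI certificate validation.

Constructed scenario: a parent CA holds 192.0.2.0/24 and 198.51.100.0/24.
Its child CA certificate claims both plus 203.0.113.0/24, which the parent
never delegated (an overclaim). Two ROAs are issued under the child.
"""
import ipaddress

# Constructed sample data (documentation prefixes, not real holdings).
PARENT_HOLDINGS = ["192.0.2.0/24", "198.51.100.0/24"]
CHILD_CLAIMS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
ROAS = [("roa-web", "192.0.2.0/25"),        # unrelated to the overclaim
        ("roa-overclaim", "203.0.113.0/24")]  # covers the overclaimed space


def _within(prefix, holdings):
    """True if `prefix` lies entirely inside one of `holdings`."""
    p = ipaddress.ip_network(prefix)
    return any(p.version == h.version and p.subnet_of(h)
               for h in map(ipaddress.ip_network, holdings))


def validate_strict(parent, child_claims, roas):
    """RFC 6487 section 7.2 behaviour: any resource the issuer does not hold
    makes the whole child certificate invalid, so every ROA below it fails,
    including ROAs for resources that were correctly delegated."""
    if not all(_within(c, parent) for c in child_claims):
        return {name: "invalid" for name, _ in roas}
    return {name: ("valid" if _within(pfx, child_claims) else "invalid")
            for name, pfx in roas}


def validate_reconsidered(parent, child_claims, roas):
    """RFC 8360 behaviour (simplified): the child's verified resource set is
    the intersection with the issuer's holdings; only ROAs whose prefixes
    fall outside that set are rejected."""
    verified = [c for c in child_claims if _within(c, parent)]
    return {name: ("valid" if _within(pfx, verified) else "invalid")
            for name, pfx in roas}


if __name__ == "__main__":
    print("strict      :", validate_strict(PARENT_HOLDINGS, CHILD_CLAIMS, ROAS))
    print("reconsidered:", validate_reconsidered(PARENT_HOLDINGS, CHILD_CLAIMS, ROAS))
```

Under the strict rule the unrelated roa-web is rejected solely because a sibling resource was overclaimed; under the intersection rule only roa-overclaim is rejected.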
Decisions and Action Items
- Action Item: Chairs will start a doodle poll to schedule a virtual interim meeting.
- Action Item: Job Snijders will resend slides (and correct the slide mismatch).
- Action Item: The proposed RPKI validation update draft will be considered for working group adoption.
- Action Item: Further clarity is needed on what "filename" means in the context of RPKI manifests.
Next Steps
- Participants should review the various drafts presented and provide feedback on the mailing list.
- The virtual interim meeting will be scheduled to continue discussions.
- Efforts will be focused on improving the proposed subnet peering mechanism.
- Consider clarifying the meaning of "filename" in relation to RPs and manifest numbering.