Re: BCP38 For BGP Customers

2022-11-10 Thread Jared Mauch
On Thu, Nov 10, 2022 at 10:27:02AM -0800, William Herrin wrote:
> On Thu, Nov 10, 2022 at 10:08 AM Grant Taylor via NANOG wrote:
> > I wonder if Feasible Path uRPF or Enhanced Feasible Path uRPF might help
> > the situation.  However I suspect they both suffer from the FIB != RIB
> > problem and associated signaling.
> 
> Hi Grant,
> 
> That's a fairly good way to think about it. BGP knows -a- path and
> sometimes it knows more than one but it simply doesn't have signal on
> the totality of feasible paths for a particular IP address. No
> distance-vector protocol can.

There's more than this going on as well, because there's a
number of other things going on. The IETF has created a SAVNET working
group to see if it's possible to do something here, and there's also
work in the SIDROPS WG that isn't yet adopted but may be.

The intent would be to include things like the ASPA work with
the SIDR/RPKI work to permit a proof to exist for SAV purposes.  This
may not include all the p2p IP space that would exist between the
networks, and if one doesn't publish ASPA data for things like all those
cloud on-ramp type services, you may end up with traffic blackholed or
other side-effects.

Simply put, SAV/BCP-38 et al is hard, and nearly impossible when
you get much further away from the subnet that traffic originates from.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.
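
The FIB != RIB limitation discussed in this thread, as an added example that is not part of any post: a simplified model of strict and feasible-path uRPF checks on one provider edge router. The RIB contents, interface names and local-preference values are constructed for illustration, and the prefixes are documentation ranges.

```python
import ipaddress

# Constructed RIB on a provider edge router (hypothetical interface names):
# prefix -> [(interface the route points out of, local preference), ...]
RIB = {
    # Multihomed customer: the route learned on the customer link is kept in
    # the RIB but loses best-path selection to the copy heard via transit.
    "192.0.2.0/24": [("cust-a", 80), ("transit-1", 100)],
    # Same customer announces this prefix only to its other provider.
    "198.51.100.0/24": [("transit-1", 100)],
}

def build_fib(rib):
    """FIB != RIB: only the best route per prefix (highest local-pref) is installed."""
    return {p: max(routes, key=lambda r: r[1])[0] for p, routes in rib.items()}

def covering(rib, src):
    """All RIB prefixes that contain the source address."""
    addr = ipaddress.ip_address(src)
    return [p for p in rib if addr in ipaddress.ip_network(p)]

def strict_urpf(src, iface, rib=RIB):
    """Accept only if the FIB's longest match for src points back out iface."""
    matches = covering(rib, src)
    if not matches:
        return False
    best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return build_fib(rib)[best] == iface

def feasible_urpf(src, iface, rib=RIB):
    """Accept if any RIB route covering src, best or not, points out iface."""
    return any(r[0] == iface for p in covering(rib, src) for r in rib[p])

def verdicts(src, iface):
    """Both checks for one packet (source address, ingress interface)."""
    return {"strict": strict_urpf(src, iface), "feasible": feasible_urpf(src, iface)}

if __name__ == "__main__":
    # All three packets arrive on the customer link.
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(src, "on cust-a ->", verdicts(src, "cust-a"))
```

The second source is legitimate customer traffic that both modes drop, because the router never received a route for it on that link; the third has no route at all and is dropped by both as intended.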


Re: BCP38 For BGP Customers

2022-11-10 Thread William Herrin
On Thu, Nov 10, 2022 at 10:08 AM Grant Taylor via NANOG wrote:
> I wonder if Feasible Path uRPF or Enhanced Feasible Path uRPF might help
> the situation.  However I suspect they both suffer from the FIB != RIB
> problem and associated signaling.

Hi Grant,

That's a fairly good way to think about it. BGP knows -a- path and
sometimes it knows more than one but it simply doesn't have signal on
the totality of feasible paths for a particular IP address. No
distance-vector protocol can.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/


Re: BCP38 For BGP Customers

2022-11-10 Thread Grant Taylor via NANOG

On 11/8/22 10:53 PM, William Herrin wrote:
> Hi Grant,

Hi Bill, and everyone else who replied.

> Two problems here:

Thank you for taking the time to reply and help me understand the 
shortcomings of uRPF better.


I wonder if Feasible Path uRPF or Enhanced Feasible Path uRPF might help 
the situation.  However I suspect they both suffer from the FIB != RIB 
problem and associated signaling.


More things to think about.

Thank you again.



--
Grant. . . .
unix || die





[NANOG-announce] NANOG 87: Call for Presentations | N86 PC Picks + More

2022-11-10 Thread Nanog News
*NANOG 87: Call for Presentations *

*NANOG PC is Now Accepting Proposals for NANOG 87*
*NANOG 87 will take place in Atlanta, GA, on 13-15 Feb 2023.* The PC is
looking to schedule over 1,800 minutes of content for NANOG 87 and has
confirmed 165 minutes already - so don't wait!
*Requested Topics:*

   - Network Automation - practical uses, how to get started
   - Network Future - forecast for changes in technology, design,
   applications
   - Research & Education - what research is happening now in network
   operations
   - Security - developments in, problems/solutions, various protocols of
   - Tutorials - all levels, IPv6, BGP, Segment Routing, DNS

*NANOG 86 "PC Picks"*
*PC Member Cat Gurinsky Shares her Favorite Talks at our Most Recent
Meeting*

*Don't know where to start watching?* The NANOG Program Committee (PC) has
you covered!

Check out the top picks below from our featured PC member, Cat Gurinsky or
curate a list of your own! We will publish your selections as a guest star
of NANOG. Email your favorites at n...@nanog.org.

*NANOG 86 Photo Albums are Now Available *

All NANOG 86 photos are now uploaded to Flickr. Relive all your favorite
moments at our most recent meeting in Hollywood!



Re: Re: Why do ROV-ASes announce some invalid route?

2022-11-10 Thread 孙乐童
Hello Job,
  Thank you very much for your reply! I got that no AS can actually filter
all the invalids. Yet I was trying to figure out why we couldn't see a
reasonable amount of withdrawals from AS6939 about invalid prefixes, as they
explained how they implement ROV
(https://mailman.nanog.org/pipermail/nanog/2020-June/108309.html). Perhaps we
need to learn their detailed implementations.
  Thank you very much!

Best wishes,
Sun Letong

On 2022-11-08 00:11:24, Job Snijders wrote:
> Dear 孙乐童,
> 
> On Mon, Nov 07, 2022 at 08:40:57PM +0800, 孙乐童 wrote:
> > We learned from Cloudflare's https://isbgpsafeyet.com/ that some ASes
> > have deployed RPKI Origin Validation (ROV). However, we downloaded BGP
> > collection data from RouteViews and RipeRis platforms and found that
> > some ROV-ASes can announce some invalid routes. For example, from RIB
> > data at 2022-10-31 00:00:00, 13 out of 17 ASes which declared to
> > deploy ROV announced invalid routes, and we list the number of related
> > prefixes for each AS below.
> >
> > [snip]
> > 
> > As a comparison, we count the invalid routes the non-ROV ASes (also
> > declared in https://isbgpsafeyet.com/) announce, as below:
> > 
> > We can see that ROV ASes announced apparently fewer invalid routes
> > compared to the non-ROV ASes, though they did not filter all the
> > invalids. 
> >
> > [snip]
> > 
> > Can anyone help us to correctly interpret this case? Thank you very much.
> 
> You ask great questions! I hope an answer to your questions can be found
> in a message I sent a year ago:
> 
>   https://mailman.nanog.org/pipermail/nanog/2021-April/213346.html
> 
> The summary: in any sufficiently large network, chances are not 100% of
> all equipment supports RPKI-based BGP Route Origin Validation; in such
> cases a handful of invalid routes may still percolate through the
> system. Another contributing factor might be certain types of software
> upgrades; where ROV temporarily is disabled on one or more devices. Or
> perhaps an ISP made a handful of exceptions for test/beacon invalid
> routes to propagate.
> 
> Kind regards,
> 
> Job
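
The kind of measurement described in this exchange, as an added example that is not part of either message: RFC 6811 origin validation applied to RIB entries, then a count of invalid routes per AS that appears on the path. The VRPs, RIB entries and AS numbers are constructed from documentation ranges; real input would come from an RPKI validator export and a collector RIB dump.

```python
import ipaddress
from collections import Counter

# Constructed VRPs: (prefix, maxLength, origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64498),
]

# Constructed RIB entries as seen at a collector: (prefix, AS path),
# with the path ordered from the collector's peer to the origin AS.
RIB = [
    ("192.0.2.0/24", [64500, 64496]),            # valid
    ("192.0.2.0/25", [64500, 64496]),            # invalid: longer than maxLength
    ("198.51.100.0/24", [64501, 64500, 64499]),  # invalid: wrong origin AS
    ("203.0.113.0/24", [64501, 64499]),          # not-found: no covering VRP
    ("2001:db8:1::/48", [64500, 64498]),         # valid
]

def rov_state(prefix, origin, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this route
        if net.prefixlen <= max_len and asn == origin:
            return "valid"
    return "invalid" if covered else "not-found"

def invalids_per_as(rib=RIB, vrps=VRPS):
    """For each AS on the path of an invalid route, count that route once."""
    counts = Counter()
    for prefix, path in rib:
        if rov_state(prefix, path[-1], vrps) == "invalid":
            counts.update(set(path))  # set(): ignore AS-path prepending
    return counts

if __name__ == "__main__":
    for prefix, path in RIB:
        print(prefix, path, rov_state(prefix, path[-1]))
    print(dict(invalids_per_as()))
```

An AS counted here propagated the route on at least one session visible to the collector, which is the situation the quoted reply attributes to partial ROV coverage, temporary disablement or deliberate exceptions.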