New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove RPKI Light #4
Comments
I dispute this request. If you do not trust the route server, please don't use it. If you do not trust the route server RPKI validation please don't use it. |
Route Servers, like any ASN, should drop RPKI invalid announcements, not propagate them. It's that simple! Would be the same as giving someone a vial of poison and defending yourself "but I clearly labeled it". Friends don't give friends poison. |
From my point of view it is not that simple: I agree that invalids should be dropped. How about unknowns? This is the reason we need RPKI Light. |
Nope. You are trying to legitimize a weaker security posture for route
servers. We don't need "RPKI Light" at all.
|
You don't need it. Okay, others might. |
@tking It's better to continue to discuss this in IETF, where the
contributions are archived in the appropriate forum and can help construct
a sense of concensus (or lack thereof) and further the dialogue. If you are
in Chicago in two weeks time I'd be happy to try and persuade you over a
cup of coffee.
@pierky, it's up to you what you want to do with this enhancement request.
|
@job, @tking, thank you for your comments on this topic. Since the beginning I was torn about whether to add RPKI light to the features of this tool. Personally I would not use it in a route server; I believe that if something needs to be validated, it must be done within the boundaries of my trust domain, that only includes components I manage directly, so - as a client - I would not appreciate such a feature. Your comments led me to reconsider all the messages appeared on sidrops and grow and finally I decided to keep this feature somehow but also to "discourage" its use. Currently, RPKI handling is limited to a global flag in the general configuration file,
Now I plan to add more granularity to the use of RPKI
The mix of the two flags and of communities à la RPKI-light allows to have the route server able to receive INVALID routes and to announce them only to clients that have been configured with So:
Fine configuration granularity and an opt-in mechanism to receive INVALIDs seem to be a quite commonly accepted outcome among people who participated in the conversation on grow too. The bottom line is that with ARouteServer I would like to provide a tool in the hands of IXP staff, possibly something that is easy to use and that offers by default feature-rich configurations with low effort. While I am determined to distribute a default configuration that is as secure as possible for the whole Internet, I can't even imagine to know all the deployment scenarios that IXPs have to cover, so I prefer to leave them freedom of choice. I'll do my best to follow this draft on sidrops and grow and to evaluate further actions on the basis of its evolution. Thanks again for your time on this. |
In the end I decided to remove RPKI-Light support from ARouteServer. After some tests and lines of code I noticed that current versions of BIRD (1.6.3) and OpenBGPD (OpenBSD 6.0) do not implement RFC8097 communities. OpenBGPD does not allow to use them at all while BIRD, which allows to configure "custom" extended communities, treats them strictly according to RFC4360:
To keep RPKI-Light support in ARouteServer would mean to possibly have something "broken" and incomplete going in production; moreover, as I already said, I don't like the idea behind RPKI-Light too much. In the meanwhile, I implemented some configuration customization mechanisms that allow operators to use ARouteServer to generate configs and, at the same time, to code their own policy about RPKI validation results handling within .local files (site-specific custom snippets of config). Among other things, this will allows operators to do something similar to RPKI-Light. These new features (BIRD hooks and .local files) can be found in the dev branch and will be included in the next release of ARouteServer. |
I consider https://tools.ietf.org/html/draft-ietf-sidrops-route-server-rpki-light an extremely insecure mode of operation. We should not encourage such "outsourced security", especially not in places where people highly depend on the convenience provided by a route server.
I'd pull out the feature until it actually makes it to RFC status, which at this point is questionable.
The text was updated successfully, but these errors were encountered: