►
From YouTube: IETF108 SIDROPS 20200727 1300
Description
SIDROPS session at IETF108
2020/07/27 1300
A
B
C
A
B
A
A
A
A
A
C
A
C
C
A
A
A
C
B
B
Okay,
so
shall
I
get
started,
please:
okay,
hi
folks,
today,
I'm
going
to
brief
a
draft
rpk
validated
cache
update
insulin
over
https,
which
can
be
called
rush
rush
for
short
during
ietf
singapore
meeting
last
year.
I
shared
this
idea
as
well
as
my
personal
implementation
practice
to
this
working
group,
and
also
my
intention
to
seek
is
civilization
and
the
version
there
there.
The
draft
was
therefore
submitted
in
last
december.
B
B
Yes,
here
is
my
considerations
as
for
the
way
of
formating
data,
we
prefer
to
facilitate
the
data
path
for
both
visualization
and
application
other
than
router
origin
validation,
as
well
as
to
take
advantage
of
slum
to
have
some
local
version
of
rpk
data,
and
then
we
choose
https
as
a
transport
at
the
end
of
the
day,
because
https
is
widely
supported,
it
is
with
security
enhancement
over
integrity,
protection
and
its
political.
Then
unit
independent,
well.
B
B
B
B
B
Rtr
is
designed
exclusively
for
providing
rpk
cache
for
routers,
so
its
video
is
bound
to
its
transport,
which
is
which
is
difficult
to
add
extension
to
support
these
vanity
cache
synchronization
management
well
like
the
dns
pdu,
is
bound
to
the
dns
transport.
So
it's
hard
to
do
some
extension
to
add
to
dns
okay.
Well,
I
see
something
like
similarity
and
second,
the
binary
data
unit
cannot
be
passed
by
application
which,
by
the
way,
don't
support
rtr
generally,
I
mean
maybe
in
the
in
the
coming
future.
We
we.
B
Https
is
widely
deployed
and
the
data
format
independent,
as
I
mentioned,
and
our
rpi
advantage.
Cache
server
just
needs
one
api
to
do
both
synchronization
and
local
control,
since
the
json
is
employed
by
a
slump
file
which,
by
the
way,
is
specified
in
rfc
8416
to
override
the
global
rpk
data.
Okay,
so
I
mean,
if
you,
if
we
use
rush,
we
can
use
one
just
one
api
to
do
both
synchronization
and
local
control.
B
We
make
a
separate
section
of
rush
use
cases
in
this
version
of
version.
1
help
people
to
figure
out
in
which
circumstances
russia
can
be
employed
to
transfer
rpk
value
into
cash,
and
we
also
have
got
three
cassie
so
far
and
we
look
forward
to
seeing
more
as
we
pursue
is
standardization
if
this
working
group
would
adopt
it
is
the
case,
why
would
be
the
cash
distribution?
B
B
Last
one
is
about
the
es0
information
so
not
a
long
ago.
Well,
I
guess,
as
far
as
I
know,
in
the
ripe
community
or
some
discussions
on
how
to
use
salem
file
to
deliver.
Yes,
their
information
has
been
discussed
and
the
the
ir
needs
to
publish
assertions
with
origin
as0
for
all
the
unlocated
and
unsigned
address
space
for
which
is
for
which
it
is
a
current
administrator.
B
B
B
B
B
B
Where
the
push
or
pull
we
used
for
cache
synchronization
or
how
to
do
resin
correlation
and
access
control,
well,
which,
by
the
way,
is
kind
of
kind
of
different.
From
what
I
mentioned
in
last
itf
meeting
held
in
singapore,
when
I
shared
the
detail,
the
with
our
implementation
of
rush,
so
next
slide.
B
B
B
E
C
E
A
A
D
A
I
think
we're
out
of
time
for
for
these
slides.
I
think,
if
there's
real
questions
here,
we
should
provide
them
on
the
list.
We
can
certainly
have
an
interim
if
we
run
out
of
time
here
or
need
in
the
next
bit
in
three
or
four
weeks.
We
can
have
an
intermediate
to
discuss
this
or
other
topics,
so
why
don't
we
try.
A
A
A
H
H
H
We
have,
it
looks
pretty
much
the
same
like
the
origin,
validation,
rfc,
90
1897
attribute,
except
that
here
the
validation
state
as
a
b2b
sec,
validation,
state,
and
so
the
only
thing
there.
What
we
need
to
have
done
is
we
would
need
the
the
ti
added.
The
b2b,
exec
path,
validation,
state
community
by
ayana
into
the
registry.
Next
slide,
please,
so
the
validation
states
are
unverified
for
zero.
H
H
H
So
what
this
means
is
basically,
then,
if,
for
example,
a
particular
router
receives
a
validation
state
via
this
attribute,
let's
say
it's
valid
and
it
does
not
perform
its
own
validation
state.
Then
it
must,
if
it
forwards
this
update,
then
it
must
add
the
validation
state
unverified
rather
than
the
receive
validation
state
valid,
and
with
this
we
basically
make
sure
that
the
attribute
stays
non-transitive
next
slide.
H
Please,
regarding
the
peer
signaling,
we
have
wording
in
there.
That
says
basically
that
each
implementation
must
provide
configuration
switches
for
that
to
enable
or
disable
the
receiving
of
these
attribute
on
a
per
peer
basis
that
should
be
by
default,
enabled
on
ibgp
sessions
and
disabled
on
ebgp
sessions.
Next
slide,
please
error
handling.
We
decided
to
one
actually.
That
was,
I
think,
since
all
the
time
in
there
that,
if
I
receive
more
than
one
of
these
attributes,
then
the
complete
attribute
has
to
be
discarded.
D
Of
two
minds
whether
things
should
be
enabled
by
default
on
ibgp
sessions,
because
we
noticed
with
the
hp
origin
validation,
extended
communities
that
exist
today,
that
some
implementations
made
assumptions
about
whether
that
community
would
be
present
or
not.
Ben
madison
may
be
able
to
highlight
the
exact
details
of
what
the
problematic
situation
was,
but
yeah.
I
would
be
worried
about
enabling
things
by
default
across
all
http
implementations,.
H
That's
fine,
we
can
we
can.
We
can
certainly
think
of
having
this
by
default,
all
disabled
and
then
having
the
operator.
The
the
more
the
more
important
part
for
us
is
that
the
operator
should
should
have
the
capability
of
configuring,
the
enabling
or
disabling
of
the
attribute
on
the
purple
basis
that
that
is
the
most
important
part.
For
me,
we
just
were
thinking
because
it
makes
extremely
good
sense
to
have
it
on
ibgp
sessions
on.
D
I
I
F
F
Ben
here,
can
you
hear
me?
Okay,
yes,
yep,
so
just
to
follow
up
on
the
point.
Job
was
making
the
particular
issue
that
we
came
across
when
we
were
rolling
out.
Origin
validation
was
that
the
receiving
side
in
one
implementation
makes
assumptions
about
what
the
absence
of
an
extended
community
means,
and
in
that
case
it
was
treating
anything
that
it
received
from
an
ibgp
peer
without
an
8097
community
as
valid,
which
is
obviously
which.
H
H
F
H
I
don't
I
don't
know
yet,
and
I
wanna
maybe
have
this
discussion
a
little
bit
further
offline
with
my
co-authors
and
everyone
who
wants
to
join.
If,
if
that
should
be
unverified,
I
mean
normally,
I
mean
we
don't
need
to
make
a
big
deal
out
of
it.
You
know
but
yeah.
So
at
least
there
has
to
be
a
must,
not
assume
any
validation,
state
whatsoever.
H
G
G
So
recently,
like
in
june
and
july,
there
was
an
anop
thread
discussing
as
hijacking
real
incidents
happening
in
the
internet,
and
there
were
questions
about
what
operators
can
potentially
do
to
prevent
hijacking
if
they
have
a
responsibility
to
do
so.
That
motivated
us
to
think
about
possible
prevention
mechanisms
for
as
hijacking
as
hijacking
the
definition
is
as
hijacking
occurs
when
one
as
uses
another
ass
number
as
the
origin
asn
in
a
bgp
announcement,
it
could
be
accidental
or
it
could
be
malicious.
G
The
prefix
in
the
announcement
may
sometimes
belong
to
the
hijacker.
The
hijacker
in
that
in
this
case,
is
an
as
and
it
the
prefix
could
be
one
that
normally
originates
from
the
hijackers
as
but
more
often
or
most
most
likely.
The
hijack
hijacker
is
actually
hijacking
this
as
and
also
hijacking
a
third
party
prefix
next
slide.
Please.
G
So
rpki
route,
origin
validation,
is
not
sufficient
to
mitigate
as
hijacking.
This
slide
demonstrates
that
as1,
who
is
concerned
about
hijacking
of
his
as
number,
has
created
all
the
rovers
that
that
are
necessary
for
the
prefixes
that
that
it
originates
and
three
is
doing
validation.
Two
is
it
passes?
G
The
update
passes
through
two
to
go
to
three
three
is
doing
rpki
origin
validation
of
four
is
a
hijacker
is
hijacker
in
this
case
and
he's
hijacking
as1
and
announcing
a
queue,
prefix
queue,
which
is
a
third
craft
party
prefix,
and
it
doesn't
have
a
rover.
So
three
basically
determines
that
q
hat
q
is
not
found
according
to
rpki
ov,
and
therefore
q
could
accept
a
three
could
accept
the
prefix
queue
and
propagate
it.
G
So,
as
hijacking
is
successful
in
spite
of
rpki
origin
validation
next
slide,
so
we
propose
a
a
method
in
which
we
propose
to
create
a
new
rpki
object,
called
reap
and
reap
is
used
for
as
hijack
detection
and
mitigation
reap
stands
for,
rovas
exists
for
all
prefixes
rpki
object.
It's
an
rpki
object
that
is
digitally
signed
by
nas,
the,
as
is
asserting
that
the
rows
exist
for
all
prefixes
that
are
originated
by
it.
G
G
G
So
so
the
fourth
for
the
in
this
picture.
Let
let's
talk
yeah,
let's
talk
through
this
example.
As1
basically
has
created
robots
for
all
prefixes
that
originate
either.
The
prefix
owners
have
created
it
or
as1
owns
some
of
those
prefixes
all
rovers
exist.
It
creates
a
deep
object
in
rpki.
As3
is
validating,
two
is
not
participating
in
reap,
so
we
are
considering
a
partial
deployment
scenario.
G
Four
is
hijacking
as1
and
announces
a
third
party.
Prefix
q
are
two
three
and
three
basically
looks
at
the
first.
Does
the
rpk
iov
determines
that
q
is
not
found,
but
when
it
looks
at
the
origin
s
with
in
the
route
for
q,
it
sees
a
s1
and
it
says
oh
as1
has
reap.
Therefore,
it
changes
the
not
found
to
invalid
validation
and
that's
how
it
detects
the
as
hijack
next
slide.
Please.
G
Here,
we
are
talking
about
other
mechanisms
that
do
as
hijack
detection
prevention,
bgp
set.
Does
it
because
it
requires
path,
signatures
and
that
prevents
as
hijacks.
But
adoption
is
a
question
mark
when
aspa
was.
It
was
designed
for
route
detection
and
mitigation,
but
it
has.
It
also:
has
the
side
benefit
that
that
it
can
also
prevent
as
hijacks?
However,
in
partial
deployment,
it
is
not
robust
like
repeats.
So,
as
we
show
in
this,
two
in
the
middle
is
not
doing
aspa,
one
is
doing
it.
G
G
So
again,
the
point
is
that
aspa
is
capable
of
airs
hijacked
detection,
but
in
a
scenario
when
there
is
partial
deployment
in
this
picture,
there
can
be
other
parts
from
one
two
three,
but
those
other
parts
can
make
may
be
feeding
less
specific
rather
than
the
more
specific.
So
so
partial
deployment
is
something
that
is
an
issue
with
aspa,
at
least
for
as
hijack
detection.
But
reit
is
robust
in
partial
deployment
scenarios
next
slide.
A
G
G
G
G
J
G
G
The
thinking
we
had
on
our
mind
was
that
if
one
type
of
rpgi
object
like
rova
is
not
available,
then
potentially
reap
is
not
also
available
and
and
things
and
it
will
remain
in
not
found
state
rather
than
go
to
invalid,
but
certainly
your
point
is
well
taken
and
we
can
include
that
in
the
security
considerations
section.
Thank
you.
A
J
E
E
E
G
D
D
D
G
A
Okay,
I
think
we
are
over
time
by
a
little
bit.
If
I
think,
if
there's
more
discussion
for
this
or
the
other
topics,
we
should
definitely
have
that
on
the
list
sooner
rather
than
later.
So
we
don't
forget,
and
if
there's
interest
or
or
need
for
an
interim
meeting
to
talk
about
this
or
other
topics
that
would
be
terrific
to
hear
on
the
list
as.