Tuesday, March 12, 2013< ^ >
sandy has set the subject to:
Room Configuration
Room Occupants

[00:59:36] hardaker joins the room
[02:10:55] hardaker leaves the room
[11:03:25] hardaker joins the room
[11:28:15] hardaker leaves the room: Replaced by new connection
[11:29:04] hardaker joins the room
[11:47:17] hardaker leaves the room: Replaced by new connection
[11:47:17] hardaker joins the room
[11:55:17] hardaker leaves the room
[11:57:48] hardaker joins the room
[12:14:10] hardaker leaves the room
[13:00:31] hardaker joins the room
[13:05:49] Arturo Servin  Ü joins the room
[13:17:31] hardaker leaves the room
[13:17:32] hardaker joins the room
[13:20:19] hardaker leaves the room
[14:13:35] Jay Borkenhagen joins the room
[14:26:16] mikeb joins the room
[14:28:53] Wes George joins the room
[14:29:59] dseomn joins the room
[14:31:58] Juan-Pedro Cerezo Martin joins the room
[14:32:14] joins the room
[14:33:03] <Wes George> meeting is starting... anyone remote?
[14:33:17] <Jay Borkenhagen> i am remote.  
[14:33:22] <> yes - audio is good
[14:33:53] <Wes George> ok. if you need jabber proxy, please precede comments with mic:
[14:34:03] <Wes George> agenda bashing
[14:34:07] bradd joins the room
[14:34:25] danyork joins the room
[14:34:35] <Wes George> currently discussing
[14:34:42] <Wes George> Ruediger volk presenting
[14:34:45] Kazuki Shimizu joins the room
[14:34:55] hardaker joins the room
[14:35:43] <Wes George> slide 2
[14:36:10] joins the room
[14:38:51] <Wes George> slide 3
[14:41:40] <Arturo Servin  Ü> I think the slides link is for item 6, is it?
[14:42:19] <Wes George> oops you're right
[14:42:20] <Wes George>
[14:42:26] <Arturo Servin  Ü> thanks!
[14:42:28] <Wes George> we're on slide 4 now
[14:45:19] <Wes George> questions?
[14:45:41] <Wes George> sriram - wasn't clear how is it different unverified vs unknown
[14:46:06] <Wes George> ruediger: rfc as it says today - what is called not found used to be called unknown
[14:46:22] <Wes George> back to slide 2
[14:47:07] <Wes George> when you have something unknown/unverified it may be always invalid, may be maybe invalid you don't want to take exactly the same policy in both cases
[14:47:34] <Wes George> sriram - what do you actually mean by maybe valid
[14:48:07] <Wes George> ruediger - the decision on what to do with a route where you know for sure that there is no info in the RPKI system vs a route where it may actually go into valid or invalid
[14:48:08] joins the room
[14:48:19] <Wes George> ^ I really didn't parse Ruediger's answer correctly
[14:48:41] <Wes George> sri - if the orgin matches, how could it be maybe valid? that is valid
[14:49:04] <Wes George> ruediger - this is defining origin prefix space without knowing hte origin asn
[14:49:13] <Wes George> unknown/unverified is something gdiffferent
[14:49:13] <Jay Borkenhagen> i think "unverified" is junos for "this route has not had its origin validation state examined"
[14:49:32] <Wes George> sri - from an operational point of view, instead of initializing to not found, you initialize to not verified?
[14:49:59] <Wes George> ruediger  - may be vendor-specific
[14:50:07] <Wes George> afk for a moment, going to ask a ques
[14:50:21] <Wes George> terry manderson - thihs is vague and confusing
[14:50:28] <Wes George> please reframe in terms of local policy and provide use cases
[14:51:02] <danyork> Wes George at mic
[14:51:20] <danyork> Wes asking about how this list gets updated
[14:52:25] <Arturo Servin  Ü> when people ask questions the mic volume is very low, the speaker mic sounds very well
[14:53:32] <danyork> Wes: different kinds of "invalid" ASs.
[14:53:44] <Wes George> arturo, it was very loud in the room, sorry
[14:54:14] hardaker leaves the room
[14:54:34] <Wes George> my comments - differentiate between the two types of "always invaldi" - those codified in the RFCs because they are systematically/protocol invald vs local policy
[14:55:03] <danyork> Doug Montgomery (NIST) at the mic
[14:55:11] <Wes George> doug montgomery - your idea of unvalidated or undefined - suggests that we realizze that validaion engines might not return an answer, or ... [buffer exceeded]
[14:55:29] <Wes George> ruediger - seems that the rfc leaves wiggle room
[14:56:11] <Wes George> doug - clear definition of what happens - other than noting a 4th value, acknowledging valid response may be validator saying "i'm broken, couldn'tvalidate"
[14:56:28] <Wes George> ruediger - acknowledge dubious state,s address them in your policy explicityl
[14:56:43] <danyork> Wes George: Thank you for your detailed scribing.
[14:57:15] <Wes George> eric osterweil: good point validators runningg out of memory
[14:57:20] <Wes George> when we have a multi-ta system with conflicts in attestation
[14:57:30] <Wes George> might not be able to make a global pollicy but should discuss what we can do
[14:57:45] <Wes George> ruediger - discuss what info to use when there is conflict sis out side the scope of what I'm discussing
[14:58:00] <Wes George> assumin I'm running my validator with local policy, including dealingg with inconsistencies
[14:58:13] <Wes George> one of the means to make it easier to figure out what conflicts ar ethere and prevent themn
[14:58:27] <Wes George> doug - are we talking about conflicting attestations inside rpki our between RPKI and some other thing?
[14:58:34] <Wes George> eric  - the former
[14:58:45] <Wes George> example - two TAs assert 0/0
[14:58:57] <Wes George> one TA asserts reachablility to space assigned to naother RIR
[14:59:08] <Wes George> morrow - transfer from ARIN, arin forgot to remove ROA data
[14:59:15] <Wes George> so now it's in both, two TAs
[14:59:22] <Wes George> both are valid, how is that possible?
[14:59:35] <Wes George> doug - questions whether validators flag this kind of info
[14:59:44] <Wes George> answer: the known ones don't
[15:00:43] <Wes George> eric - add'l state while complicating may be necessary to resolve these sorts of issues
[15:00:56] <Wes George> morrow - remember these are local policies, you may see something different from DT
[15:01:10] <Wes George> eric - understanding there are knobs and being able to turn them yourslef is useful
[15:01:11] <Jay Borkenhagen> is someone watching the time?  2 more talks...
[15:01:25] <Wes George> oliver - nist
[15:02:08] <Wes George> moment I have one ROA, everything else becomes clear - I can check my prefix origins and either it's valid or invalid
[15:02:25] <Wes George> I agree in the case of conflicting TAs, but that's purely local policy, I would give one TA preference over the other
[15:03:36] <Wes George> ruediger - a /8 might invalidate a more specific, but only when you have all data can you really make the decision
[15:03:44] <Wes George> oliver - what is what you'd consider complete?
[15:03:46] <Wes George> how do I know?
[15:03:52] <Wes George> there's always updates
[15:04:18] <Wes George> ruediger - the validator is using one snapshot of the global repos, one snapshot of the validation
[15:04:21] <Wes George> that's what you're working from
[15:04:38] <Wes George> you can work with a new snapshot, but that's a change of state
[15:04:54] <Wes George> when the cache server signals an update, you are entering the state where undefined may be applicable
[15:05:01] <Wes George> if processingg the new roa update takes too long
[15:05:05] <Wes George> don't think this is a real problem
[15:05:19] <Wes George> oliver -then this si a timingg issue
[15:05:34] <Wes George> router should wait until the cache has all the info, then the router has a full picture
[15:05:46] <Wes George> same as if I would say "don't have any info form the cache"
[15:05:56] <Wes George> there's this init timeframe before I hav emy first snapshot
[15:06:05] <Wes George> it could be that my first snapshot only has one roa, I don't know that
[15:06:13] <Wes George> in general I agree with you about the 4th state, it's important
[15:06:26] <Wes George> rob austein: distinguish two ways you might ahve incomplete info
[15:06:34] <Wes George> gloable RPKI to the validator
[15:06:38] <Wes George> validation cache to the router
[15:06:55] <Wes George> first one is loosely consistent database a la dns, youll have best you can get
[15:07:12] <Wes George> might be useful to have a list of "this corner of the system is persistently broken"
[15:07:23] <Wes George> oeprators might create in any case, question is how it is created and mainained
[15:07:34] <Wes George> if you need a separate state in the router policy engine, ok
[15:07:45] <Wes George> I don't know if you need that, vendors need to figure tha tout
[15:08:14] <Wes George> on the other side, we've done what we can do with the best approximation, we hope we've done something intelligen with where it is on the tree
[15:08:36] <Wes George> failure between parent/child - still loosely consistent, not really a solution other than a master data flow, which doesn't fly
[15:08:39] <Wes George> sandy: one question on slide 4
[15:08:59] <Wes George> first bullet last sentence is truncated
[15:09:35] Arturo Servin  Ü leaves the room
[15:09:48] <Wes George> ruediger - my reply to oliver - short prefix roa that invalidates the space beneath - can turn into valid when you load more specific roas
[15:10:44] <Wes George> ok.. now andrew is presenting
[15:11:14] <SwedeMike> sound is ok now.
[15:12:01] <Wes George> slide "nota bene"
[15:12:45] <Wes George> slide nota bene "time sync for testing"
[15:13:24] <Wes George> slide - some validator differences
[15:13:57] bradd leaves the room
[15:15:00] <Wes George> rob austein - to add - my implementation is mostly user-configurable, we hav ediffernet defaults
[15:15:03] <Wes George> don't know about the ripe info
[15:15:17] <Wes George> in these grey areas where we have swiches, we'd like some advice from WG about what the defaults should be
[15:15:36] <Wes George> slide - bugs identified
[15:16:45] <> he's coming thru fine on audio
[15:17:24] Benno Overeinder joins the room
[15:17:25] <Wes George> comments/questions?
[15:17:43] <Wes George> danny mac - key rollover stuff - is there thoughts from the implementers on how to do this without breaking connectivity?
[15:17:59] <Wes George> andrew-  complicated on the RP side, should just work
[15:18:17] <Wes George> rob - are you talking about TA changover? this stuff lowerw in the tree is automatic
[15:18:38] <Wes George> if you wanted to operate continuously through a TA change, you'd have to preintall bfore pulling the old one
[15:19:17] <Wes George> mised that comment....
[15:19:43] <Wes George> carlos - apparently we were the first to do a TA rollover - would appreciate feedback
[15:19:50] <Wes George> we notified on ever ylist we could think of
[15:20:07] <Wes George> we are missing some sort off signalling for when a TA is going to change
[15:20:26] <Wes George> bill fenner - question on interop testing framework
[15:20:39] <Wes George> do you ever inject any byzantine data into what everyone's trying to validate?
[15:20:45] <Wes George> pretend a malicious actor
[15:20:53] <Wes George> andrew - didn't do it yesteray, but we have created a torture test
[15:21:02] <Wes George> several hundred objects that are bad in some way
[15:21:13] <Wes George> also working on a testbed for multiple interactions of this type
[15:21:30] Benno Overeinder leaves the room
[15:21:32] <Wes George> rob austein - several different things in this category - torturer test = demented unit tests
[15:21:52] <Wes George> what I heard bill ask about was malice - deliberate malicious behavior trying to produce a surprising result
[15:22:37] danyork leaves the room
[15:22:44] Benno Overeinder joins the room
[15:23:55] <Wes George> wes requesting reviews of george-sidr-as-migration
[15:24:03] <Wes George> meeting ends
[15:24:09] <Wes George> on time!!!
[15:24:32] <> thanks again to Wes & others for the good jabber notes
[15:24:45] dseomn leaves the room
[15:24:56] leaves the room
[15:24:58] Wes George leaves the room
[15:25:27] Jay Borkenhagen leaves the room
[15:25:29] Kazuki Shimizu leaves the room
[15:26:52] leaves the room
[15:31:49] Juan-Pedro Cerezo Martin leaves the room
[15:32:53] Benno Overeinder leaves the room
[15:47:28] danyork joins the room
[15:47:32] leaves the room
[15:47:44] danyork leaves the room
[15:48:42] danyork joins the room
[16:04:14] mikeb leaves the room
[16:33:25] danyork leaves the room
[16:56:36] Arturo Servin  Ü joins the room
[16:56:58] Arturo Servin  Ü leaves the room
[17:02:45] joins the room
[17:03:17] Arturo Servin  Ü joins the room
[17:11:51] leaves the room
[19:10:27] Arturo Servin  Ü leaves the room
[20:08:46] Benno Overeinder joins the room
[20:11:23] Benno Overeinder leaves the room: Replaced by new connection
[20:57:59] kazubu joins the room
[21:00:07] Arturo Servin  Ü joins the room
[21:05:32] kazubu leaves the room
[21:29:53] Arturo Servin  Ü leaves the room
[21:38:59] Arturo Servin  Ü joins the room
Powered by ejabberd Powered by Erlang Valid XHTML 1.0 Transitional Valid CSS!