Tuesday, November 5, 2013
Dan York has set the subject to: SIDR at IETF 87

[16:31:29] Samuel Weiler joins the room
[16:34:12] Dan York joins the room
[16:34:22] Dan York has set the subject to: SIDR at IETF 88
[16:35:23] Samuel Weiler leaves the room
[16:43:41] joins the room
[16:49:11] Dan York joins the room
[16:49:44] Lorenzo Miniero joins the room
[16:50:37] dseomn joins the room
[16:51:53] Samuel Weiler joins the room
[16:54:59] Jeffrey Haas joins the room
[16:58:16] <> I can't listen to the room audio....
[16:58:38] <Lorenzo Miniero> FYI, a Meetecho room is available for this session:
[16:58:55] <Lorenzo Miniero> it's a web interface with integrated slides, jabber room and audio/video feeds
[16:59:12] Pablo Costa joins the room
[16:59:16] <Lorenzo Miniero> you may want to try one of those, Pablo
[17:00:02] <Samuel Weiler> there is silence in the room
[17:00:05] <Samuel Weiler> ish
[17:00:07] <> Thanks !!!
[17:00:22] <> It worked..
[17:00:31] <Lorenzo Miniero> glad I could be of help :)
[17:01:00] Wes George joins the room
[17:01:16] <Lorenzo Miniero> Slide 1: SIDR    
[17:01:19] <Lorenzo Miniero> Current presenter: Chairs
[17:01:20] <Lorenzo Miniero> Slide 1: SIDR    
[17:01:20] <Jeffrey Haas> Sandy is now speaking, so if you're not hearing her, check your connection.
[17:01:26] <Lorenzo Miniero> Slide 2: Classic    
[17:01:49] <Lorenzo Miniero> Slide 3: Note Well (Experimental)
[17:02:08] lepinski joins the room
[17:02:33] <Jeffrey Haas> Quoth the Murphy: nevermore.
[17:03:08] <Lorenzo Miniero> Slide 4: Resources    
[17:03:46] <Lorenzo Miniero> Slide 5: Administrivia    
[17:03:46] mikemlb joins the room
[17:04:21] <Lorenzo Miniero> Slide 6: WG    
[17:04:39] Dan York leaves the room
[17:05:15] <Lorenzo Miniero> Slide 7: WG    
[17:06:09] <Lorenzo Miniero> Slide 8: WG    
[17:06:16] <Lorenzo Miniero> Slide 9: WG    
[17:06:35] <Lorenzo Miniero> Slide 10: Agenda    
[17:07:26] <Wes George> agenda bashing - any comments?
[17:07:40] <Lorenzo Miniero> Presentation stopped
[17:07:54] <Jeffrey Haas> Rob Austein is up.
[17:08:17] <Lorenzo Miniero> Slide 1: RPKI Out-Of-Band Setup Protocol
[17:08:19] joins the room
[17:08:21] <Lorenzo Miniero> Current presenter: Rob Austein
[17:08:22] <Lorenzo Miniero> Slide 1: RPKI Out-Of-Band Setup Protocol
[17:08:52] <Lorenzo Miniero> Slide 2: Purpose
[17:09:02] <Jeffrey Haas> Rob is now speaking.
[17:09:12] <Wes George> protocol developed outside of WG in workshops
[17:09:18] <Wes George> simplify the initial setup
[17:09:42] <Wes George> setting up the session - exchange keys, know contact url
[17:09:48] <Lorenzo Miniero> Slide 3: What This Protocol Deliberately Leaves O
[17:09:50] <Wes George> mechanism for encapsulating that exchange
[17:09:56] <Wes George> no security in this protocol
[17:10:06] <Wes George> but this is for key exchange, sec is important
[17:10:11] <Wes George> we don't know how you exchange keys
[17:10:22] <Wes George> point is to encapsulate semantics, must provide sec externally
[17:10:23] <Lorenzo Miniero> Slide 4: History
[17:10:52] <Jeffrey Haas> Getting this into software was very error prone.
[17:11:20] <Jeffrey Haas> Standard was de facto.
[17:11:30] <Lorenzo Miniero> Slide 5: Where We Are Now
[17:11:36] <Wes George> is there anyone remote that isn't listening to audio?
[17:11:47] <Wes George> will help jeff and I know how aggressive we need to be in scribing
[17:12:07] <Pablo Costa> Audio ok
[17:12:40] <Lorenzo Miniero> Slide 6: The Setup Minuet
[17:14:54] <Lorenzo Miniero> Slide 7: Who Must Do What
[17:16:02] <Lorenzo Miniero> Slide 8: BPKI Keys
[17:17:15] <Lorenzo Miniero> Slide 9: Ready For Standardization?
[17:17:33] <Jeffrey Haas> Does the wg really want this?
[17:17:39] <Lorenzo Miniero> Slide 10: Thanks To. . .
[17:17:51] <Jeffrey Haas> Questions?
[17:17:54] <Lorenzo Miniero> Slide 11: Questions?
[17:17:57] Arturo Servin joins the room
[17:18:07] <Jeffrey Haas> Sandy: BPKI certs said a couple of times. Is there a defined format for such a thing?
[17:18:10] <Jeffrey Haas> RA: There sort of is.
[17:18:30] <Jeffrey Haas> We're talking about certs that are used to verify the signature on cms messages.  Those are not bpki certs.
[17:18:55] <Wes George> randy: aren't the certs used to sign cms well known?
[17:18:56] <Jeffrey Haas> Randy bush: Aren't the certs used to sign the cms well known?
[17:19:09] <Jeffrey Haas> RA: WG hasn't really defined these things.
[17:19:09] <Wes George> jeff : wg hasn't defined
[17:19:11] <Wes George> steve: no
[17:19:12] <Jeffrey Haas> Steve Kent: No.
[17:19:44] <Jeffrey Haas> SM: I ask because you haven't defined your terms, it appears there are certain expectations.
[17:19:46] <Jeffrey Haas> RA: Yes.
[17:19:56] <Wes George> geoff huston - like the work
[17:20:02] <Wes George> working reasonably well
[17:20:12] <Wes George> qualities around "trust" in that exchange
[17:20:32] <Wes George> defining all of the ways you swap keys is out of scope
[17:20:36] <Wes George> thank for writing
[17:20:42] <Jeffrey Haas> This is documenting what we're doing.
[17:20:43] <Wes George> documenting what we're all doing
[17:22:59] <Lorenzo Miniero> Presentation stopped
[17:23:06] JPC joins the room
[17:23:12] <Lorenzo Miniero> Slide 1: Whither draft-ietf-sidr-publication?
[17:23:19] <Jeffrey Haas> Next pres: whither draft-ietf-sidr-publication.
[17:23:19] <Lorenzo Miniero> Current presenter: Rob Austein
[17:23:19] <Lorenzo Miniero> Slide 1: Whither draft-ietf-sidr-publication?
[17:23:21] Brian Haberman joins the room
[17:23:22] <Lorenzo Miniero> Slide 2: History
[17:23:29] russ joins the room
[17:23:53] Jay Borkenhagen joins the room
[17:23:54] <Wes George> thought we'd have a common protocol, that didn't happen
[17:24:06] <Wes George> the wg doc ended up being RA's implementation
[17:24:33] <Wes George> sandy : it's been so long since this draft has been discussed, pls mention purpose
[17:24:34] <Jeffrey Haas> SM: What is the purpose of the protocol?
[17:24:48] <Wes George> RA: separate two functions
[17:25:11] <Wes George> rsync server -  pub repo, ca engine. may be same, may be not
[17:25:24] <Wes George> rsync server has to be highly available, maybe not ca engine
[17:25:31] <Wes George> everything modular in arch
[17:25:36] <Wes George> need formal prot between the two
[17:25:47] <Lorenzo Miniero> Slide 3: Lack of Focus
[17:26:24] <Lorenzo Miniero> Slide 4: A Recent Suggestion
[17:27:00] <Lorenzo Miniero> Slide 5: Possible Reason For Delaying
[17:27:31] <Lorenzo Miniero> Slide 6: Authors’ Recommendations
[17:28:12] <Lorenzo Miniero> Slide 7: Questions? Suggestions? Issues?
[17:28:20] <Lorenzo Miniero> Slide 6: Authors’ Recommendations
[17:28:24] <Wes George> randy - only one impl
[17:28:37] <Wes George> if you want to encourage others, trimming back would seem to make it easier
[17:28:40] <Jeffrey Haas> RB: It seems to me that there's one implementation. If you want to encourage more, then trimming back would seem to make it easier for others to play
[17:28:57] <Wes George> andy newton - how many people deployed this impl?
[17:29:08] <Wes George> RA: ..... mumble
[17:29:23] <Jeffrey Haas> RA: Everyone deploying my code.
[17:29:25] <Wes George> RA: everyone using my codebase is using, but I don't know how many that is
[17:29:40] <Wes George> andy : maybe we should wait on the nature of the rpki before we do this
[17:29:41] JPC leaves the room
[17:29:43] <Jeffrey Haas> AN: Maybe we should wait until the nature of the rpki is clear
[17:29:59] <Wes George> randy: realize that North America denies RPKI exists, but this is actually in use in asia and europe
[17:30:00] <Jeffrey Haas> RB: You'll find that there's use in other regions for the rpki, especially asian
[17:30:17] <Wes George> ruediger volk - we are not deploying production ca
[17:30:20] <Jeffrey Haas> Rudiger Volk: We are not deploying a production CA. In our setup, we're planning on it.
[17:30:29] <Wes George> eventually a security requirement
[17:30:51] <Wes George> would be useful for other implementations to provide interoperable
[17:31:09] <Wes George> steve kent - is it reasonable to make this A standard instead of THE standard?
[17:31:13] <Jeffrey Haas> Steve Kent: the relationship between the CA and the repository is behind the scene - is there a reason to make it *a* standard instead of *the* standard?
[17:31:58] <Wes George> ra: there's not a 1:1 mapping between ca and repos entities
[17:32:07] <Wes George> you might have large num of CAs and small num of rep
[17:32:44] <Wes George> randy: key point - my ca is in a bunker, not accessible
[17:32:52] <Wes George> my publication must be highly accessible
[17:33:05] <Wes George> google could run a pub svc of [last] resort
[17:33:17] <Wes George> those who wish to pub elsewhere could do so
[17:33:45] <Wes George> if you have connectivity issues, rest of the net doesn't want to know about your CA and have fetches hang
[17:34:28] <Wes George> sandy: no one has brought up outsourcing to an entity providing repository svcs
[17:34:42] <Wes George> RA - how to proceed?
[17:35:05] <Wes George> randy - first ever instance of my comments being called "faint hint"
[17:35:21] Doug Montgomery joins the room
[17:35:30] <Wes George> sandy: this proto and last one you mentioned - standards track, exp, ?
[17:35:43] <Wes George> ra - I think this one is stds track, also same with setup, but that's up to wg
[17:36:01] <Wes George> tim - stds
[17:36:28] <Lorenzo Miniero> Presentation stopped
[17:36:31] <Wes George> jeff - you have the token for a few, gotta run away for a bit
[17:36:35] <Jeffrey Haas> k
[17:36:48] <Lorenzo Miniero> Slide 1: RPKI Validator Testing, IETF88
[17:36:49] <Lorenzo Miniero> Current presenter: David Mandelberg
[17:36:50] <Jeffrey Haas> RPKI validator testing, David Mandelberg presenting.
[17:36:50] <Lorenzo Miniero> Slide 1: RPKI Validator Testing, IETF88
[17:37:01] <Lorenzo Miniero> Slide 2: Conformance Cases
[17:37:23] <Lorenzo Miniero> Slide 3: What We Found
[17:37:32] <Jeffrey Haas> Bugs found in all 3 validators.
[17:37:35] <Jeffrey Haas> spec ambiguities.
[17:39:02] Ademar Almeida joins the room
[17:39:03] <Wes George> back
[17:39:06] <Jeffrey Haas> RA: No one should ever issue such a cert with such an invalid serial number
[17:39:11] Ângelo Fukase joins the room
[17:39:17] <Wes George> but if they did, how do you revoke?
[17:39:33] <Wes George> steve- if no one should accept, ability to revoke maybe less important
[17:39:48] <Jeffrey Haas> Steve Kent: 3 parts. 2. No one should accept it. Revocation becomes less important. 3. providing strong feedback useful. discourages bad behavior.
[17:40:23] <Wes George> wes hardaker - many WGs are trying to accept things that never should exist
[17:40:27] <Jeffrey Haas> Wes: My recent belief in many ietf wgs is that we are trying to accept things that should never happen in the first place.  we're effectively slowly accepting things we shouldn't.
[17:40:45] <Jeffrey Haas> - not allowed in the standard, but we're going to allow it anyway.  creeping standard.
[17:41:11] <Wes George> david - not things we've seen in wild
[17:41:16] <Wes George> things that are ambiguous
[17:41:30] <Jeffrey Haas> SK: x.509 specs aren't ambiguous.
[17:41:49] <Wes George> rob (off mic) - citation pls, this wasn't obvious
[17:41:52] <Jeffrey Haas> - 509 puts onus on CAs to not generate crud.
[17:42:04] <Jeffrey Haas> - CAs are expected to be the 'good guys'
[17:42:17] <Lorenzo Miniero> Slide 4: Next Steps
[17:42:27] <Lorenzo Miniero> Slide 5: Questions?
[17:42:30] <Jeffrey Haas> DM: Join us if you have a validator.
[17:42:53] <Jeffrey Haas> Sandy Murphy: iirc, the announcements of ? software the conformance tests are in sourceforge?
[17:43:00] <Wes George> ripster?
[17:43:08] <Jeffrey Haas> DM: Yes. also maybe cited in slides?
[17:43:13] <Jeffrey Haas> (yes, in there)
[17:43:24] <Lorenzo Miniero> Presentation stopped
[17:43:29] <Jeffrey Haas> Next presentation: Steve Kent
[17:43:50] <Lorenzo Miniero> Slide 1:
[17:43:52] <Jeffrey Haas> Suspenders:
[17:43:58] <Lorenzo Miniero> Current presenter: Steve Kent
[17:43:59] <Lorenzo Miniero> Slide 1:
[17:44:30] <Lorenzo Miniero> Slide 2: Reminder LTAM
[17:45:02] Ademar Almeida leaves the room
[17:45:40] mikemlb leaves the room
[17:46:10] <Wes George> LTAM doc didn't tell you how to protect against those errors
[17:46:14] <Lorenzo Miniero> Slide 3: Why suspenders?
[17:47:51] <Jeffrey Haas> Suspenders replaces LTAM for non 1918 space
[17:47:54] <Lorenzo Miniero> Slide 4: The New Model
[17:48:59] <Wes George> people running RP software should check their own stuff to know when badness happens
[17:50:12] <Lorenzo Miniero> Slide 4: Adverse ROA Changes
[17:50:40] Carlos M. Martinez joins the room
[17:52:06] <Wes George> we think these are the two adverse changes, if there are more, tell us
[17:53:06] <Wes George> checking one's own status, you now have a really good diagnostic
[17:53:27] <Lorenzo Miniero> Slide 7: Publishing External Data
[17:53:43] <Lorenzo Miniero> Slide 6: Self monitoring of ROAs
[17:53:49] <Lorenzo Miniero> Slide 7: Publishing External Data
[17:54:04] <Samuel Weiler> good job lorenzo.
[17:54:41] <Lorenzo Miniero> :)
[17:55:04] <Wes George> even with immediate fix, there's a time delay if anyone has already fetched
[17:55:18] <Jeffrey Haas> Distribution latency of certs is in itself a problem.
[17:56:16] <Lorenzo Miniero> Slide 8: The Tough Case
[17:57:04] <Lorenzo Miniero> Slide 9: What could RPs do?
[17:58:33] <Lorenzo Miniero> Slide 10: Solution - Data Structures
[18:00:02] <Lorenzo Miniero> Slide 11: Graphic Details
[18:01:30] <Lorenzo Miniero> Slide 12: Lock Record ASN.1
[18:02:54] <Lorenzo Miniero> Slide 13: INRD File ASN.1
[18:04:18] <Lorenzo Miniero> Slide 15: Solution - Processing
[18:04:49] Dan York leaves the room
[18:05:14] Doug Montgomery leaves the room
[18:05:53] <Lorenzo Miniero> Slide 16: What's Next
[18:06:56] <Wes George> it's possible that this would never be an issue
[18:07:07] <Wes George> may be good to have this as a deterrent, deal with accidents
[18:07:24] <Lorenzo Miniero> Slide 17: Questions
[18:07:43] <Jeffrey Haas> Many people at mic
[18:07:51] <Jeffrey Haas> RB: What's the diff between this and berlin?
[18:07:57] <Jeffrey Haas> SK: The details are worked out here.
[18:08:01] <Jeffrey Haas> - there's a companion doc.
[18:08:11] lepinski leaves the room
[18:08:16] <Wes George> randy- original LTA had 3 goals, not 2
[18:08:26] <Wes George> outlined in use cases doc
[18:08:30] <Wes George> this doesn't cover 3rd use case
[18:08:38] lepinski joins the room
[18:08:52] <Wes George> probably not best enforced by RP ... something ... republication
[18:09:23] <Wes George> of course no LEA conducting dutch court attack would ever think of removing lock records
[18:09:26] <Jeffrey Haas> RB: dutch court attack would *never* think about removing lock attack.
[18:09:39] <Wes George> sk - read, didn't understand. look forward to less terse update to your draft
[18:09:56] <Wes George> removing lock record would be a good alert to stick with old records
[18:10:07] <Jeffrey Haas> rob Austein: Separate observations - boolean (outsourced) - not sure it's only applicable there.
[18:10:30] <Jeffrey Haas> - overall, interesting. not sure it provides adequate protections. uses separate retrieval path. worth pursuing
[18:10:47] <Jeffrey Haas> - to randy's point, 1918 space, which uses separate TA.
[18:11:03] <Jeffrey Haas> - the third case, I'm not sure if I'm on the same page as randy
[18:11:15] <Jeffrey Haas> - looking at separate ? of LTA
[18:12:00] <Jeffrey Haas> - potentially large entities, operators, don't care about the policies. just want to get stuff done.
[18:12:00] <Wes George> operators don't care about certs, they're a tool to get stuff done
[18:12:10] <Jeffrey Haas> - Different way to approach LTAN - whatever you need, go for it.
[18:12:19] <Wes George> leave the tree and structure unchanged, just replace keys
[18:12:21] <Jeffrey Haas> - leave the structure unchanged. just replace them where you need it.
[18:12:31] <Jeffrey Haas> - simplifies a lot of things
[18:12:45] <Jeffrey Haas> SK: I didn't hear a good characterization of 3rd case with large ops
[18:12:55] <Jeffrey Haas> RA: I don't care what rpki says roa is. *I* care that it is:
[18:13:13] <Jeffrey Haas> - I don't object to simplified ltan document.
[18:13:33] <Jeffrey Haas> - solves the adverse change problem.
[18:13:47] <Wes George> sriram - competition roa
[18:14:06] <Wes George> if b has /16, A creates roas for 2 /17s
[18:14:31] <Wes George> first roa not revoked, two more specific -- how is this protecting?
[18:14:57] <Wes George> initial setup includes lock and inrd
[18:15:14] <Wes George> later someone issues a roa underneath, you ignore as competition
[18:15:22] <Wes George> (assuming you're paying attention to this data)
[18:15:45] <Wes George> when a change occurs, I'm intrinsically suspicious
[18:16:33] <Wes George> key is that different pub point, diff parent cert that raises problem
[18:16:47] <Wes George> doug montgomery - some sort of whacking is a good thing - eg nonpayment
[18:16:59] <Wes George> can we tell socially acceptable whacking from not?
[18:17:07] <Wes George> sk - this errs on the side of the little guy
[18:17:28] <Wes George> if you have PA space and decide to go away with it, and you're not allowed - this may delay revocation
[18:17:42] <Wes George> ultimately RP gets to decide what to do
[18:18:19] <Wes George> default situation is to assume that adverse changes are bad
[18:18:29] <Wes George> could have a really strong sticky bit instead of expiring
[18:19:06] <Wes George> sam - as someone who has doubts about single trust hierarchy, pointing to backup data sounds good
[18:19:12] <Wes George> is there a circular dependency?
[18:19:20] <Wes George> sk - if you come up with one, we'd like to know
[18:19:51] <Wes George> jeff, I'm going to get in line, your turn to scribe
[18:20:09] Doug Montgomery joins the room
[18:20:42] <Jeffrey Haas> k
[18:21:00] <Jeffrey Haas> RA: Part of this is trying to reuse existing code.
[18:21:12] <Jeffrey Haas> Andrei: This little while, how long?
[18:21:38] <Jeffrey Haas> SK: The validity / duration is how far back it goes. As of this date, it changes. That's why I updated my INRD file. They're add/deletes.  how far back is that?
[18:21:42] <Jeffrey Haas> - we don't want to grow forever.
[18:21:52] <Jeffrey Haas> - the choices are: this goes back 1w,2w,1m
[18:22:07] <Jeffrey Haas> - The doesn't expire.  you change only when you need to reprotect your resources.
[18:22:14] <Jeffrey Haas> - how long someone holds on to them depends on them.
[18:22:23] <Jeffrey Haas> AR: If my roa is whacked, this could last forever.
[18:22:32] <Jeffrey Haas> SK: That's up to the RPs.
[18:22:37] <Jeffrey Haas> - roa has eecert.
[18:22:48] <Jeffrey Haas> - if it lasts for a year, and you can't fix in a year, that's a problem.
[18:23:33] <Jeffrey Haas> AR: Maybe not maliciously. Your proposal says you have to maintain your 3rd universe apart from rpki, bgp - not in sync by design. Discrepancies are by design. This third universe can infinitely grow.
[18:23:46] <Jeffrey Haas> - Can continue creating objects under whacked cert
[18:24:09] <Jeffrey Haas> SK: They're somewhat out of sync, but there's an order.  If the change is adverse, you're telling people to not believe your own change.
[18:24:15] <Jeffrey Haas> - There's always the potential for race conditions.
[18:24:38] <Jeffrey Haas> - Permission for something here, but updating over there - people with old and new, depending on order is mostly okay.
[18:24:59] <Jeffrey Haas> - Since the goal is to delay by some amount of time to accept changes.  Remember if you get more resources, that's not an adverse change.
[18:25:09] <Jeffrey Haas> AR: I still can use and build my infra under whacked...
[18:25:12] <Jeffrey Haas> SK: You can never expand it.
[18:25:20] <Jeffrey Haas> - beyond the resources at the time you had at the time.
[18:25:41] <Jeffrey Haas> AR: Use case for strawman for law enforcement. A placebo.  Unless you mandate all RPs, there's no guarantee that this will be respected.
[18:25:52] <Jeffrey Haas> - Not sure how effective this would be for LE.
[18:26:10] <Jeffrey Haas> SK: If no one ever publishes lock record, no one will care respective of perceived threat.
[18:26:16] <Jeffrey Haas> - RPs are always in charge.
[18:27:08] <Jeffrey Haas> Wes George: Two comments. 1. In operational environment, how do you envision me to set this up to see which secondary record I trust or not.  A list of ASNs?  I feel like there's a serious problem of how to do this systematically.
[18:27:43] <Jeffrey Haas> SK: You get these by processing records out of repository.  When you validate the lock record from the sig on that key, you know it was bound at that point.  You then impose constraints on what you knew before in the rpki.
[18:27:55] <Jeffrey Haas> - You can't expand, you can only use what was there before.
[18:28:10] <Jeffrey Haas> WG: Case where that's where it always happens. Trust Randy, don't trust Ron. How do I manage that?
[18:28:32] <Jeffrey Haas> - This is a matter about the RP who they trust. There must be a management method - may not be a binary decision.
[18:28:47] <Jeffrey Haas> SK: If we forgot about this additional file, how did your notion work for normal validation?
[18:28:57] <Jeffrey Haas> WG: In that situation, there's no side band.
[18:29:04] <Jeffrey Haas> SK: Trusting validation.
[18:29:23] <Jeffrey Haas> WG: Do you trust everyone or assume there are situations where this is legitimate?
[18:30:12] <Jeffrey Haas> SK: The parallel file can't expand trust. The specific circumstance is an adverse change has occurred.  something you weren't using before or didn't exist, use new data.  Now an option to check 1) I gave back space. 2) they didn't make that change.  
[18:30:28] <Jeffrey Haas> - You've been alerted to it.  How do you decide you approve this adverse change? I don't know how.
[18:30:42] <Jeffrey Haas> WG: We've spent a lot of time flailing over route leak.  This is just as messy.
[18:30:49] <Jeffrey Haas> SK: This case is algorithmically defined.
[18:31:16] Doug Montgomery leaves the room
[18:31:50] <Jeffrey Haas> WG: Protecting addresses against spamming. Have to move quickly?  There are situations where this will move quickly.
[18:32:13] <Jeffrey Haas> Doug Montgomery: There is the supposition that the permutations in rpki based on normal business transactions should outnumber whacks.
[18:32:34] <Jeffrey Haas> - almost like introducing a disputed state.
[18:32:46] <Jeffrey Haas> - I fear we'll muddy the value of the rpki.
[18:32:49] <Wes George> +1 to doug
[18:33:25] <Jeffrey Haas> - Almost fear a third validation state: valid, invalid under dispute.
[18:33:34] <Wes George> tim - as implementer
[18:33:53] <Jeffrey Haas> - suspicious of adverse changes by nature
[18:34:21] <Wes George> we added to our validator - can specify ignore
[18:34:26] <Wes George> can add to whitelist
[18:34:35] Doug Montgomery joins the room
[18:34:52] <Jeffrey Haas> Rüdiger Volk:
[18:35:11] <Jeffrey Haas> - proposal answers problems that have been lurking for a few years.
[18:35:27] <Jeffrey Haas> - I wanted rpki as a system that I use, trust and am happy.
[18:35:37] <Wes George> naive rp approach
[18:36:06] <Wes George> not useful for "serious" routing infra
[18:36:36] <Wes George> aka critical infra
[18:36:53] <Jeffrey Haas> (implication, requiring user intervention is bad)
[18:38:44] <Jeffrey Haas> - how do the tools help me? The proposal can't help right now.
[18:39:07] <Jeffrey Haas> - I'm very happy to see specific proposals are out there.
[18:39:41] <Jeffrey Haas> RB: agreed. we saw this in berlin. We don't have the use cases.
[18:39:54] <Jeffrey Haas> - we don't have requirements. we have point solution with *serious* complexity.
[18:40:12] <Jeffrey Haas> - Adding a time dimension and retention which doesn't have intuitive appeal.
[18:40:47] <Jeffrey Haas> - until I step back and know what I'm trying to achieve, I'm alarmed.
[18:41:11] <Jeffrey Haas> Wes George: One other comment Rüdiger made me realize: This is the moral equivalent of route flap dampening.
[18:41:26] <Jeffrey Haas> - From the inertia perspective, we have this opposite problem that if we went into a bad state
[18:41:48] <Jeffrey Haas> - while I'm working to fix it, and this safety net evaporates, I'm dampened on the wrong side.
[18:42:05] <Jeffrey Haas> - going from an adverse state to a correct state (false positives) before the world sees it as accurate.
[18:42:14] <Jeffrey Haas> SK: If the resources change, I don't think this will be true.
[18:42:17] <Jeffrey Haas> WG: Will be timing.
[18:42:33] <Jeffrey Haas> Wes ?: two different pieces.
[18:42:41] <Wes George> hardaker
[18:42:42] <Jeffrey Haas> - 1. A list of all things that can go wrong.
[18:43:07] <Jeffrey Haas> - you can detect that something got whacked. you leap to the conclusion that we can publish a whacked list without knowing why they did.
[18:43:22] <Jeffrey Haas> - tempted to split into two docs
[18:43:26] <Jeffrey Haas> - a. a detection document
[18:43:39] <Jeffrey Haas> - what have we seen that can go wrong
[18:43:50] <Jeffrey Haas> - software can be built, management stations can monitor
[18:44:05] <Jeffrey Haas> - later date, come back and publish new definitions of whacked.
[18:44:29] <Jeffrey Haas> SK: When you talk about detecting, you mean the self detect?
[18:44:47] <Jeffrey Haas> WH: Issues with that. There's a lot that can be done from self detection, but also detect others issues.
[18:44:52] <Jeffrey Haas> - Did I make my own problem?
[18:45:01] <Jeffrey Haas> SK: detection is "I'm the target?"
[18:45:19] <Jeffrey Haas> WH: The list of what you *can* detect is useful immediately.
[18:45:54] <Wes George> RV - split out the different concerns
[18:46:05] <Wes George> I as a resource holder want to control what the system is doing to me
[18:46:25] <Wes George> or figuring out all the ways to check what I get out of the software and databases as an rp
[18:46:30] <Wes George> check for whatever looks suspicious
[18:46:54] <Wes George> was it done consciously in a ca or are the results botched because transfers didn't work, etc
[18:46:58] Doug Montgomery leaves the room
[18:47:50] <Wes George> sandy - conflicting roas
[18:48:16] <Wes George> noted in the past that in ripe community, strong repeated urgings from NCC to their members, they are responsible for everything that happens in their space
[18:48:28] <Wes George> tutorials how to manage auth in order to maintain control
[18:48:41] <Wes George> you noted that the design is skewed to protect little guy against big
[18:48:51] <Wes George> this and the ripe culture just described are in conflict
[18:49:13] <Wes George> sk - ripe among all rirs does best job trying to maintain the database separate from the rpki
[18:49:20] <Wes George> getting people to publish accurate info
[18:50:52] <Wes George> randy - when DHS whacks thousands of domains, interested to see what happens
[18:51:00] <Wes George> definition of "rare"
[18:51:12] <Wes George> ruediger
[18:51:36] <Wes George> might get into a situation where things get whacked
[18:51:47] <Wes George> if we don't have these tools to provide deterrent
[18:52:15] Doug Montgomery joins the room
[18:52:18] <Jeffrey Haas> Next presentation: Reconsidering the validation algorithm.
[18:52:21] Ailton joins the room
[18:52:33] <Lorenzo Miniero> Slide 1: "RPKI Validation Reconsidered" Revisted
[18:52:40] <Lorenzo Miniero> Current presenter: Sandra Murphy
[18:52:41] <Lorenzo Miniero> Slide 1:
[18:52:44] <Lorenzo Miniero> Slide 2: Multiple    motivations?
[18:53:13] Samuel Weiler leaves the room
[18:53:20] Samuel Weiler joins the room
[18:53:34] <Samuel Weiler> Jeff and Wes: thank you very much!  
[18:53:41] Jeffrey Haas takes a bow
[18:53:44] <Lorenzo Miniero> Slide 3: Solution
[18:53:51] Samuel Weiler leaves the room
[18:54:32] <Lorenzo Miniero> Slide 4: My Opinion on Motivations
[18:55:05] <Lorenzo Miniero> Slide 5: My Own Opinion on Solution
[18:55:11] <Lorenzo Miniero> Slide 4: My Opinion on Motivations
[18:55:17] <Wes George> geoff : misrepresentation
[18:55:31] <Wes George> pointed out that there were certain things that had to happen in transfers, no protocol for how
[18:55:35] <Wes George> bottom up vs top down
[18:56:05] Brian Haberman leaves the room
[18:56:28] <Wes George> randy : why are we hearing geoff's preso from chair
[18:56:58] <Lorenzo Miniero> Slide 5: My Own Opinion on Solution
[18:57:00] <Lorenzo Miniero> Slide 6: Now Discuss
[18:57:11] <Jeffrey Haas> Sandy breaks out the wrath...
[18:58:23] <Wes George> geoff  - system demands perfection all the time from those high in the tree
[18:58:36] <Wes George> consequences of "stuffing up" could be continental
[18:58:47] <Wes George> we don't want huge amounts of infra to accompany a stuff up
[18:59:00] <Wes George> system is incredibly fragile if it demands perfection
[19:00:55] <Wes George> transfers was an example that the system has tight reliance on the sequence of operations in disjoint parties
[19:03:06] <Wes George> steve - ill write a daft about transfers
[19:03:27] <Wes George> er... draft
[19:03:56] <Wes George> slide presentations on transfers say many steps for transfers, 12-15 depending on whose slides you look at
[19:04:26] <Wes George> bar chart for xfers show from july 13, something like single-digit transfers from arin to apnic
[19:05:05] <Wes George> don't know what trend for transfers will be (cost of IPv4 addresses might be falling?)
[19:06:46] <Wes George> sandy - might be ways to address xfer problem, still need to address accidents and mistake
[19:07:10] <Wes George> ?? ripe-ncc - this solves operational issue
[19:07:38] <Wes George> looking at what we have done in this WG, we've tried to solve issues that never happened
[19:08:06] <Wes George> geoff - to answer steve - using that model, question in my head is "are all of the resources listed in that ee cert validly signed"
[19:08:26] <Wes George> take that set of resources and the chain of certs that go to your ta, can I find that every intermediate cert is a superset of the resources
[19:08:40] <Wes George> relationship of all of the certs in that chain to the thing I'm trying to validate
[19:08:54] <Wes George> equally valid question to pull one resource from ee cert and do the same for one resource
[19:09:39] <Wes George> rob austein - agree with steve, my understanding of change of semantics
[19:10:03] <Wes George> more general problem - don't understand what the certs mean in geoff's model
[19:10:19] <Wes George> signing a statement affects something - attest to {blah}
[19:10:36] <Wes George> attesting to the holder of private key corresponding to public key holds these resources now
[19:10:48] <Wes George> what exactly I'm signing in the certs is fuzzy, makes me twitch
[19:11:04] <Wes George> this is a point solution of single specific error of commission by someone high in the tree
[19:11:15] <Wes George> only one kind of error of commission, there are probably more
[19:11:20] <Wes George> add beer
[19:11:40] <Wes George> george michaelson - co author
[19:11:57] <Wes George> our belief that there is no substantive change to semantics, except OID change
[19:12:08] <Wes George> inherent nature of what I attest when I sign is unchanged
[19:12:44] <Wes George> Steve - not mentioned: caching of certs
[19:13:02] <Wes George> not going to work properly, adverse effect, may require re-do of code, affect performance
[19:13:28] <Wes George> not sure he understands "change OID" -- which OID?
[19:14:20] <Wes George> ruediger - need for documenting how xfers should be handled
[19:14:41] <Wes George> I as an RP operator need to know, in context of detecting suspicious behavior
[19:15:38] <Wes George> need to identify problems high in the tree and find ways to avoid
[19:16:54] <Wes George> other side not pointed out so far, lower parties might join resources under one cert for multiple RIRs
[19:17:02] <Wes George> RA - doesn't understand how you would generate
[19:17:09] <Wes George> randy - geoff offering to show you
[19:17:57] <Wes George> when apnic shrinks a cert, I'm validating 4 down the chain, unable to reach an intermediate pub point
[19:18:07] <Wes George> so I'm using stale data, relied on unshrunk cert
[19:18:19] <Wes George> validation will fail, even though resource could validate under their hack
[19:18:42] <Wes George> shrink didn't relate to what I'm trying to validate
[19:19:05] <Wes George> not sure if add'l semantic complexity, exposures to risk is worth saving that situation
[19:19:21] <Wes George> sandy - re: semantics not changed...
[19:19:30] <Wes George> certs certifying allocations?
[19:19:49] <Wes George> mechanism as suggested allows rec'ing side to issue certs for resources it has not yet been allocated
[19:19:55] <Wes George> certifying things that it doesn't hold
[19:20:14] <Wes George> intersection - valid resources are only those in hand, but that's not in the cert, it's a local computation
[19:20:28] <Wes George> geoff - everything about cert issuance is unaltered
[19:20:49] <Wes George> as you pointed out, the issue comes on what RPs do
[19:20:54] <Wes George> or what folks do inside the tree
[19:21:10] <Wes George> typically the keys you use upwards are not the same as the keys you use downwards
[19:21:24] <Wes George> subordinate certs use keypair b, upstream keypair a
[19:21:39] <Wes George> creating cert signed by a about b, union of what you get from upstreams
[19:21:53] <Wes George> possible if I use the same keypair all the time, can make cert that defines that union
[19:22:04] <Wes George> only resources validated are those that go all the way up to the TAs
[19:22:12] <Wes George> allows more flexibility
[19:22:34] <Wes George> legal intervention - problems with one ASN vs all issues from APNIC
[19:23:27] Carlos M. Martinez leaves the room
[19:23:28] <Wes George> not cert semantics causing this, it's strict validation
[19:24:33] <Wes George> as you assemble cache top down, you assemble a relationship between TA
[19:24:44] <Wes George> [aside, I think I'm mangling some of this...]
[19:25:07] <Wes George> ruediger - don't have an opinion on what this means in pki system
[19:25:17] <Wes George> just responding to randy - is it worth the complexity
[19:25:50] <Wes George> if we could go along with this proposal, certain types of problems go away, and don't need to be identified by non-naive RPs
[19:26:20] <Wes George> if not, have to deal with complexity and heuristics of identifying why certain resources were valid yesterday, but not today
[19:26:30] <Wes George> no opinion where the complexity should be added, but it exists around this problem
[19:26:35] <Wes George> [unavoidable]
[19:26:46] <Wes George> rob austein - hadn't considered case of stale data
[19:26:53] <Wes George> need to think about this more, might be compelling case
[19:26:56] <Wes George> timing screwups common
[19:27:14] <Wes George> sandy - thought variation and skew was ok
[19:27:32] <Wes George> andrei robachevsky - need to look to be sure no semantic change - semantics of resource whacking changes
[19:27:40] leaves the room
[19:28:07] Jeffrey Haas leaves the room
[19:28:12] <Wes George> sandy - good discussion
[19:28:13] lepinski leaves the room
[19:28:20] <Wes George> geoff -- where does the wg go with this discussion
[19:28:46] <Wes George> randy - wg adopts doc not when it's perfect, but when it's interested in discussing and working on it
[19:28:54] <Wes George> sandy - intent was to talk
[19:28:56] <Wes George> we have talked
[19:29:09] <Wes George> no indication of anyone saying "not a problem"
[19:29:12] <Wes George> overlap with suspenders?
[19:29:23] <Wes George> consider problem we're addressing, whether good solution, etc
[19:29:31] <Wes George> can we characterize carefully, know what we're working on?
[19:29:48] <Wes George> -- session ends --
[19:29:51] <Lorenzo Miniero> Presentation stopped
[19:29:53] dseomn leaves the room
[19:29:54] Wes George leaves the room
[19:30:12] <Lorenzo Miniero> we'll make recordings available ASAP on
[19:30:41] Arturo Servin leaves the room
[19:31:08] Jay Borkenhagen leaves the room: offline
[19:31:14] Pablo Costa leaves the room
[19:31:15] Ângelo Fukase leaves the room
[19:31:17] Ailton leaves the room
[19:32:06] Lorenzo Miniero leaves the room
[19:32:09] Doug Montgomery leaves the room
[19:33:16] russ leaves the room: Replaced by new connection
[19:33:16] russ joins the room
[19:33:42] leaves the room
[19:33:53] Doug Montgomery joins the room
[19:34:11] Doug Montgomery leaves the room
[19:35:28] russ leaves the room
[20:01:45] Doug Montgomery joins the room
[20:20:20] russ joins the room
[20:50:46] Doug Montgomery leaves the room
[20:54:56] russ leaves the room
[22:53:18] joins the room
[23:59:12] leaves the room