IETF
idr
idr@jabber.ietf.org
Friday, November 14, 2014

GMT+0
[00:02:47] <raysaikat@jabber.iitsp.com> Q: Hannes
[00:03:04] <raysaikat@jabber.iitsp.com> Q: Jeff Tantsura
[00:04:47] <raysaikat@jabber.iitsp.com> Q: Ahmed Bashandy
[00:04:59] <raysaikat@jabber.iitsp.com> Regarding violation of MPLS architecture
[00:05:39] <raysaikat@jabber.iitsp.com> Q: Xiaohu
[00:07:25] <raysaikat@jabber.iitsp.com> Q: Rob
[00:07:56] <raysaikat@jabber.iitsp.com> What is the meaning of the LI attr in VPN
[00:08:12] Jie Dong joins the room
[00:10:33] <raysaikat@jabber.iitsp.com> Q: Uma from Ericsson
[00:11:45] <raysaikat@jabber.iitsp.com> Comments from Ahmed
[00:11:59] Rajiv Asati joins the room
[00:12:31] <raysaikat@jabber.iitsp.com> Q: Luan
[00:12:37] <raysaikat@jabber.iitsp.com> Luyuan
[00:14:01] <raysaikat@jabber.iitsp.com> next talk
[00:14:03] <raysaikat@jabber.iitsp.com> Stefano
[00:14:18] <raysaikat@jabber.iitsp.com> Segment routing bgpls egress peer engineering extensions
[00:14:21] <raysaikat@jabber.iitsp.com> Slide 1
[00:14:25] <raysaikat@jabber.iitsp.com> Motivations
[00:14:48] <raysaikat@jabber.iitsp.com> Slide 2: -01 update
[00:15:09] <raysaikat@jabber.iitsp.com> Merged proposal
[00:15:24] <raysaikat@jabber.iitsp.com> Two new descriptors
[00:15:58] <raysaikat@jabber.iitsp.com> Slide 3:
[00:16:10] <raysaikat@jabber.iitsp.com> -01 update
[00:16:19] <raysaikat@jabber.iitsp.com> Questions?
[00:16:32] <raysaikat@jabber.iitsp.com> Next talk: Hannes
[00:16:52] <raysaikat@jabber.iitsp.com> Egress Peer Engineering using BGP-LU
[00:17:35] <raysaikat@jabber.iitsp.com> Slide 1: Egress TE - Feedback Cycle
[00:18:43] <raysaikat@jabber.iitsp.com> Slides are showing now
[00:19:47] <raysaikat@jabber.iitsp.com> Slide 2: Rationale
[00:20:04] <raysaikat@jabber.iitsp.com> Timely update of their links
[00:20:18] Markus de Bruen leaves the room
[00:20:25] <raysaikat@jabber.iitsp.com> Push instead of Pull model
[00:21:06] <raysaikat@jabber.iitsp.com> Slide 3: Gang of four
[00:21:21] <raysaikat@jabber.iitsp.com> 3107, best-external, add-path, link-BW community
[00:22:26] <raysaikat@jabber.iitsp.com> Slide 4
[00:22:30] <raysaikat@jabber.iitsp.com> Link-BW community
[00:23:34] <raysaikat@jabber.iitsp.com> Slide 5
[00:23:39] <raysaikat@jabber.iitsp.com> Fast re-route
[00:24:48] <raysaikat@jabber.iitsp.com> Slide 6
[00:24:56] <raysaikat@jabber.iitsp.com> Sample Topology in the ID
[00:25:58] <raysaikat@jabber.iitsp.com> Slide 7
[00:26:02] <raysaikat@jabber.iitsp.com> Next steps
[00:26:54] <raysaikat@jabber.iitsp.com> Q: Shane
[00:27:30] Fabian Mejia joins the room
[00:28:21] <raysaikat@jabber.iitsp.com> Q: Keyur
[00:29:39] Abhay Roy joins the room
[00:31:09] <raysaikat@jabber.iitsp.com> Q: Saikat
[00:31:11] <raysaikat@jabber.iitsp.com> Q: Rob
[00:32:00] <raysaikat@jabber.iitsp.com> Some operators might want to do distributed computation
[00:32:25] <raysaikat@jabber.iitsp.com> Next talk
[00:32:25] <raysaikat@jabber.iitsp.com> Sue
[00:32:42] <raysaikat@jabber.iitsp.com> Extensions to RT-constrain for Hierarchical RR scenario
[00:32:50] <raysaikat@jabber.iitsp.com> Title slide
[00:33:37] <raysaikat@jabber.iitsp.com> Slide 1:
[00:33:41] <raysaikat@jabber.iitsp.com> Problem review
[00:33:54] <raysaikat@jabber.iitsp.com> Slide 2
[00:33:59] <raysaikat@jabber.iitsp.com> Typical Scenario
[00:34:17] <raysaikat@jabber.iitsp.com> Slide 4
[00:34:22] <raysaikat@jabber.iitsp.com> Candidate sol #1
[00:35:04] Fabian Mejia leaves the room
[00:35:10] <raysaikat@jabber.iitsp.com> Slide 5
[00:35:15] <raysaikat@jabber.iitsp.com> Candidate sol #2
[00:36:06] <raysaikat@jabber.iitsp.com> Slide 6
[00:36:09] <raysaikat@jabber.iitsp.com> Next steps
[00:36:30] <raysaikat@jabber.iitsp.com> Comment: John Scudder
[00:37:52] DanYork joins the room
[00:38:58] <raysaikat@jabber.iitsp.com> Next talk
[00:39:01] <raysaikat@jabber.iitsp.com> Alvaro
[00:39:09] <raysaikat@jabber.iitsp.com> Add-path implementation report
[00:39:21] <raysaikat@jabber.iitsp.com> Slide 1: History
[00:40:49] <raysaikat@jabber.iitsp.com> Slide 2: Respondents
[00:41:03] <raysaikat@jabber.iitsp.com> Slide 3: Overview of differences
[00:41:31] <raysaikat@jabber.iitsp.com> Slide 4: Next steps
[00:43:54] <raysaikat@jabber.iitsp.com> Last talk
[00:44:07] <raysaikat@jabber.iitsp.com> BGP link-state extensions for seamless bfd
[00:44:13] <raysaikat@jabber.iitsp.com> Speaker: Robin
[00:44:22] <raysaikat@jabber.iitsp.com> Slide 1: Problem and Requirements
[00:46:38] <raysaikat@jabber.iitsp.com> Slide 2: BGP-LS extensions for S-BFD Discriminators Exchanging
[00:46:51] Eric Rosen leaves the room
[00:47:00] Sriganesh Kini joins the room
[00:47:39] brad dreisbach leaves the room
[00:47:42] <raysaikat@jabber.iitsp.com> Slide 4: Use case
[00:48:02] <raysaikat@jabber.iitsp.com> Slide 5: Next steps
[00:48:14] <raysaikat@jabber.iitsp.com> Q: Jeff Haas
[00:50:20] <raysaikat@jabber.iitsp.com> End of meeting
[00:50:23] <raysaikat@jabber.iitsp.com> Mahalo
[00:50:36] Dhruv Dhody leaves the room
[00:50:48] fenner leaves the room
[00:51:09] raysaikat@jabber.iitsp.com leaves the room
[00:51:20] suehares leaves the room
[00:51:24] Abhay Roy leaves the room
[00:55:23] DanYork leaves the room
[00:55:48] Sriganesh Kini leaves the room
[00:55:48] Jie Dong leaves the room
[00:56:21] Kannan Varadhan leaves the room
[00:56:22] Rajiv Asati leaves the room
[01:02:40] Victor Kuarsingh leaves the room
[01:04:52] fenner joins the room
[01:07:16] Meetecho leaves the room
[01:11:34] Kannan Varadhan joins the room
[01:13:31] fenner leaves the room
[01:22:04] Kannan Varadhan leaves the room
[02:16:11] Victor Kuarsingh joins the room
[02:30:40] Victor Kuarsingh leaves the room
[02:47:55] DanYork joins the room
[02:48:17] DanYork leaves the room
[03:59:35] Victor Kuarsingh joins the room
[06:28:12] Victor Kuarsingh leaves the room
[17:29:00] Victor Kuarsingh joins the room
[18:26:18] Victor Kuarsingh leaves the room
[18:36:38] dseomn joins the room
[18:40:17] Victor Kuarsingh joins the room
[18:55:50] atanu joins the room
[18:58:50] lminiero joins the room
[18:58:59] Eric Rosen joins the room
[18:59:21] Jay Borkenhagen joins the room
[19:01:23] DanYork joins the room
[19:02:06] Jared Mauch joins the room
[19:02:31] dhruv dhody joins the room
[19:02:50] <Jared Mauch> the meeting has not yet started
[19:04:23] <Jared Mauch> John Scudder: Waiting for a few more people to filter in
[19:04:32] Micahel Baer joins the room
[19:07:14] <Jared Mauch> Note well on screen
[19:07:29] <Jared Mauch> last call for BGPSEC Review
[19:08:01] mikemlb joins the room
[19:10:02] <Jared Mauch> sandy murphy presenting - interim BGP Security
[19:10:10] <Jared Mauch> slide #2 showing
[19:10:36] akatlas joins the room
[19:11:03] christopher.morrow joins the room
[19:11:31] <christopher.morrow> if folk have commentary about the audio, please speak up (here or in the room)
[19:11:32] <christopher.morrow> thanks!
[19:11:45] <Jared Mauch> Slide #4 showing
[19:11:54] <Jared Mauch> (i can't find the link to the slides on the site, when i find it, i will put it here)
[19:12:18] Victor Kuarsingh leaves the room
[19:12:35] <Jay Borkenhagen> anyone else listening to web audio?  coming in very faint here...
[19:12:46] <christopher.morrow> eggcellent - jared is also doing jabber scribing.
http://tools.ietf.org/agenda/91/slides/slides-91-idr-15.pdf
[19:13:22] <Jay Borkenhagen> heard that!
[19:13:25] <christopher.morrow> :)
[19:13:32] <christopher.morrow> that link is the current slides, btw
[19:13:56] <Jared Mauch> slide #7 showing
[19:14:29] <lminiero> Jay Borkenhagen: low audio volume you mean?
[19:14:41] <Jay Borkenhagen> yes, exactly.
[19:14:45] Samuel Weiler joins the room
[19:14:52] <Jared Mauch> is audio ok now?
[19:14:57] <lminiero> we'll check that, tnx
[19:15:11] <Samuel Weiler> audio on meetecho is good.  mp3 has a bit of an echo but seems usable.
[19:15:26] <Jared Mauch> slide #9 showing
[19:15:42] <Jay Borkenhagen> i'll try the audio on meetecho...
[19:15:55] <Jared Mauch> slide #10 showing
[19:15:56] <lminiero> http://www.meetecho.com/ietf91/idr_II
[19:16:48] <Jared Mauch> slide #11
[19:17:44] Jay Borkenhagen_8897 joins the room
[19:19:20] <Jared Mauch> Rob @ MIC - For people who haven't been doing x509 on the router, there is a RPKI-RTR protocol that feeds you the crypto payload
[19:19:38] <Jared Mauch> Dan York @ MIC -
[19:19:51] <Jared Mauch> Are there vendors doing BGPSEC?
[19:19:59] <Jared Mauch> Sandy: two open source implementations
[19:20:13] <Jared Mauch> Lou @ mic - Question: How does this work inside a VPN?
[19:21:19] <Jared Mauch> Lou @ MIC - how do i protect my routes i import into a VPN table?
[19:21:33] <Jared Mauch> Morrow: You may be able to do a local-TA
[19:22:12] <Jared Mauch> Kahrir - Most providers use the same ASNs in PE/CE boundary so doesn't apply
[19:22:47] <Jared Mauch> Volk: @ mic - RPKI meant for public unique resources, local trust anchor can be used to work-around this.
[19:24:10] <Jared Mauch> Scudder - VPNS were seen as a non-goal for SIDR effort
[19:24:48] Jay Borkenhagen leaves the room
[19:24:54] <Jared Mauch> Iljitsch @ mic - when i went to IETF for the first time, there was SBGP, cpu usage was a concern.
[19:25:04] <Jared Mauch> Scudder: there is upcoming presentation about this
[19:25:04] <Samuel Weiler> lminiero: IM me out of band, please?
[19:25:11] Jay Borkenhagen_8897 leaves the room
[19:25:27] <Jared Mauch> Lou @ mic - If you were in a VPN with public addresses, you can tie that into regular infrastructure and that will work.  Good.
[19:26:01] <Jared Mauch> Lou @ mic - if you wanted to stand up own private infrastructure, it will also work.  Sandy - Yes.  Lou - Good
[19:26:32] <Jared Mauch> sandy - Being careful means that you use ASNs so you can discriminate between uses
[19:27:20] <Jared Mauch> Bruno @ mic - Can you go back to slide #6, ...
[19:28:01] <Jared Mauch> Bruno - what is the scope exactly?
[19:28:10] <Jared Mauch> sandy - goal is to protect the bgp announcements
[19:28:26] <Jared Mauch> bruno - which one is covered?  sandy: check out threat model document
[19:28:44] Victor Kuarsingh joins the room
[19:28:48] Jay Borkenhagen joins the room
[19:28:53] <Jared Mauch> doug montgomery @ mic - we set VPNs aside when we started considering this.  wasn't an initial goal when we considered this.
[19:29:07] <Jared Mauch> http://tools.ietf.org/agenda/91/slides/slides-91-idr-16.pdf now showing
[19:29:56] <Jared Mauch> slide #2 showing
[19:30:39] Juan P. Cerezo joins the room
[19:30:57] Juan P. Cerezo leaves the room
[19:31:18] <Jared Mauch> slide #3 showing
[19:31:31] Jay Borkenhagen leaves the room
[19:31:35] jpc joins the room
[19:32:29] <Jared Mauch> slide #5 showing
[19:32:38] <Jared Mauch> slide #6 showing
[19:33:13] <Jared Mauch> slide #7 showing
[19:34:56] <Jared Mauch> slide #8 showing - overview what attribute looks like
[19:35:28] dhruv dhody leaves the room
[19:36:06] <Jared Mauch> slide #9 showing - important everyone uses same crypto alg, signing for everyone who sees message needs to be able to validate message.
[19:38:27] <Jared Mauch> slide #11 showing
[19:38:43] Dhruv Dhody joins the room
[19:39:47] <Jared Mauch> slide #14 showing
[19:41:43] Lorenzo Miniero joins the room
[19:41:47] <Jared Mauch> slide #16 showing - initially need only one suite identifier
[19:41:57] Lorenzo Miniero leaves the room
[19:42:15] <Jared Mauch> slide #17 - subject key identifier
[19:43:56] Steve Kent joins the room
[19:44:03] <Jared Mauch> slide #18 showing - validation
[19:45:03] <Jared Mauch> jeff haas @ mic - proves you have valid signature up to a point which may be interesting to some people
[19:45:29] christopher.morrow leaves the room
[19:46:02] christopher.morrow joins the room
[19:46:26] <Jared Mauch> uma chunduri - each router needs to cache all the information?  is that true?
[19:47:03] <Jared Mauch> each AS needs to have a box in the network that consumes the x509 certificates and output subject key/ASN/verification key for each AS certificate in RPKI
[19:47:22] <Jared Mauch> uma @ mic - cache holds certifications and revocation state?
[19:47:39] <Jared Mauch> yes, validating cache will discard revoked and invalid certificates
[19:47:51] <Jared Mauch> and extract good tuples from certificates
[19:48:02] <Jared Mauch> uma @ mic - what happens if update comes and certificate isn't the latest one?
[19:48:20] <Jared Mauch> certainly the certificate information doesn't propagate instantly
[19:48:49] <Jared Mauch> updates with revoked certificates will be passed for this duration
[19:49:29] <Jared Mauch> rob austein @ mic - whole mechanism exists to duplicate this data.  data is distributed.  router either has a key or it doesn't
[19:49:45] <Jared Mauch> rob - do i have a key matching this SKI, if so done.
[19:50:03] <Jared Mauch> rob - things going on behind the scenes outside of the routers control
[19:50:25] <Jared Mauch> doug montgomery @ the mic - there are multiple implementations in routers today.
[19:50:33] anonymous coward joins the room
[19:51:37] anonymous coward leaves the room
[19:51:37] <Jared Mauch> randy - routers may have different keys within ASN
[19:51:53] anonymous coward joins the room
[19:52:03] <Jared Mauch> matt - it is a local policy how you wish to do key management within ASN
[19:53:26] <Jared Mauch> slide #19 showing
[19:54:38] <Jared Mauch> slide #20 - partial deployment
[19:57:06] <Jared Mauch> slide #21 showing
[19:59:11] <Jared Mauch> hannes - maximum signature blocks is 2?
[19:59:14] <Jared Mauch> matt: yes
[20:00:30] <Jared Mauch> matt - if we need a 2nd transition we will continue to send two good algos
[20:01:20] <Jared Mauch> hannes: this is where i'm very concerned, when you release a patch and roll it out, wait, the problem is larger scope.  i feel a bit discomfortable with having only two algos
[20:01:57] <Jared Mauch> sean turner: make an algo drop off the planet it's not that hard
[20:02:15] <Jared Mauch> matt - happy to have discussion about the number of sigs to send per peer
[20:03:22] <Jared Mauch> randy - except i have to test the router code and have 300 routers, hard to reload them all
[20:03:44] <Jared Mauch> randy - never been comfortable with either - if we have partial, what are we attesting to
[20:04:46] <Jared Mauch> rob - if enough of the internet understands alg #2, we can flag day and phase out #1
[20:05:37] <Jared Mauch> hannes - see the concerning terms are flag day
[20:06:14] <Jared Mauch> hannes - this is hard stuff we have seen in doing this with bgp for how long the attributes are out there
[20:06:32] <Steve Kent> comment for the room: the algorithm agility document does envision a multi-day transition. the term "flag day" is not a good choice.
[20:06:53] <Steve Kent> whoops, meant to say "multi-year" transition, sorry.
[20:08:00] <Jared Mauch> scudder [at mic] - every algo you add doubles the storage cost in the router
[20:08:49] <Jared Mauch> matt - i would be very sad if we did this often, conservative in writing rope into the spec.
[20:09:57] <Jared Mauch> hannes - this is our emergency exit, is it a good thing to have the exit be so narrow.
[20:10:21] <Jared Mauch> scudder [ at mic] - the flip side is what would this cost us as bits on the wire
[20:10:48] <Jared Mauch> matt - as long as we don't use it
[20:11:36] <Jared Mauch> jeff - we have plenty of experience putting multiple paths in multiple sessions
[20:12:05] <Jared Mauch> matt - the reason we are here is to get more voices
[20:12:40] <Jared Mauch> http://tools.ietf.org/agenda/91/slides/slides-91-idr-17.pdf
[20:12:45] <Jared Mauch> Sriram presenting
[20:13:03] <Jared Mauch> slide #3 showing
[20:13:32] <Jared Mauch> what is the incremental cost...
[20:15:11] <Jared Mauch> slide #4 showing
[20:15:42] <Jared Mauch> slide #5 showing
[20:17:08] <Jared Mauch> slide #6 showing
[20:17:33] <Jared Mauch> estimates in BGP memory increased usage
[20:17:57] <Jared Mauch> slide #8 showing
[20:19:11] <Jared Mauch> jeff haas @ mic - per signature operation
[20:19:29] <Jared Mauch> slide #9
[20:19:55] Eric Rosen leaves the room
[20:20:18] <Jared Mauch> for signing it's constant, with AS_PATH it [performance] declines inversely with path length
[20:20:40] <Jared Mauch> slide #10 showing
[20:23:15] <Jared Mauch> scudder @ mic - people benchmarking bgp implementations tend to like to benchmark cold-boot time, and customer acceptance tests.  a cold boot is going to have 300k or 500k routes in it
[20:24:00] <Jared Mauch> rob shakir @ mic - the number for cold-boot is important, need to look at realistic numbers,
[20:24:27] <Jared Mauch> randy bush - the point of this isn't the whole world is signed, this is an island model.  none of this will show up for 3 years, this is what happens initially
[20:25:11] <Jared Mauch> randy - this isn't for 1Mil routes
[20:25:46] Daniele Iamartino joins the room
[20:25:50] <Jared Mauch> doug montgomery - the spec permits for 'lazy evaluation', lets you announce path and withdraw it when you have determined it's invalid
[20:27:45] <Jared Mauch> andrei - what would the memory usage numbers look like with this island scale?
[20:28:14] <Jared Mauch> andrei - helpful to include non-bgpsec memory scale information
[20:29:22] <Jared Mauch> Oliver - the costs may not go up with the length of the path, depending on the capability of doing parallel computing, can speed things up
[20:30:32] <Jared Mauch> randy bush - is there anyone here that has a rib-in?  what's going to get eaten in memory here is when i as a router won't know where i get paths, i will need memory to hold every key for every router.
[20:30:45] <Jared Mauch> randy bush - also routers see 32bit limit
[20:31:27] <Jared Mauch> randy - question - what's this relative to this boot-up, it's about 5 minutes.  Adding another ~30 seconds or so.
[20:31:34] <christopher.morrow> there is the trampoline magics to get 16gb in a 32bit system, right? but still 32bit is painful.
[20:31:48] <Jared Mauch> chris - no there isn't :(
[20:32:00] <christopher.morrow> oh dang it
[20:32:11] <christopher.morrow> y u no 64bit yet?
[20:32:32] <Jared Mauch> keyur - because we are caching when a session is reset, you can hold the data.  see enhanced-gr draft
[20:33:10] <Jared Mauch> bruno - slide #4 please - does this include add-path?  sriram: no.  bruno: may be interesting to simulate this
[20:35:17] <Jared Mauch> wes george - since we started talking about BGPSEC, we've said wait for Moore's law to catch-up.  That has been resolved by doing multiple cores to get overall clock throughput.  routers are not optimized for SMP.
[20:35:55] <Jared Mauch> wes george - doesn't account for background radiation of the internet
[20:36:31] <Jared Mauch> wes george - would be interesting to feed it actual routes and see more realistic data
[20:38:24] <Jared Mauch> wes george - if this changes the slope curve for me upgrading my routers and scaling them
[20:38:46] <Jared Mauch> wes george - that is a tough sell.  i'm starting to sense a theme that this may not scale.
[20:40:27] ida leung joins the room
[20:42:05] <Jared Mauch> wes george - seems like we are always lowering the bar so we can get over it.
[20:42:37] <Jared Mauch> randy bush - i agree with you completely, lets model it with real numbers against real measurements
[20:43:58] <Jared Mauch> doug montgomery - if this was valid, would it be best path, lets see how we can look at these heuristics.
[20:45:16] <Jared Mauch> saikat - as-paths are shared
[20:45:49] <Jared Mauch> saikat - are next-hops protected
[20:46:15] <Jared Mauch> wes george - a few slides ago some information for how long it takes based on number of ASNs in the path, there is an interesting attack vector there
[20:47:13] <Jared Mauch> wes george - aspath limit exists on some routers due to these, need to look at the longest 'credible' as-path to determine what's manageable
[20:47:55] <Jared Mauch> jeff haas- most attacks are because people can insert arbitrary nonsense,
[20:48:23] <Jared Mauch> jeff haas - prepend gets done with a counter
[20:49:09] <Jared Mauch> matt - when it's invalid - can shortcircuit the process
[20:49:21] <Jared Mauch> randy - we are discussing a valid area of attack
[20:49:24] <Jared Mauch> slide #12 showing
[20:50:32] <Jared Mauch> validating + signed takes ~73 seconds
[20:50:35] <Jared Mauch> slide #14 showing
[20:50:49] Zhutao Cheng joins the room
[20:51:37] <Jared Mauch> jeff haas  [at mic] - comment mostly in IDR vs SIDR, the numbers are good, the core takes less of a hit overall.  the place where this is a problem is leaf networks that are 4-6 hops away and having to do longest signature validations on equipment that's a lot slower
[20:53:37] <Jared Mauch> http://www.ietf.org/proceedings/91/slides/slides-91-idr-9.pdf showing
[20:54:04] <Jared Mauch> slide #3 showing
[20:54:53] <Jared Mauch> slide #4 showing
[20:56:48] <Jared Mauch> slide #5 showing
[20:57:02] <Jared Mauch> these updates may require extended messages (beyond 4k byte messages)
[20:57:31] <Jared Mauch> rob austein - as a practical matter, we don't know what the next key size is going to be
[20:58:18] <Jared Mauch> matt - i am not convinced that we are going to blow out 4096 limit immediately, the reference to extended messages is prudent to include
[20:59:34] <Jared Mauch> slide #6 showing
[21:00:36] <Jared Mauch> jeff haas @ mic - does in theory break peer grouping, depending on your architecture, you can save doing signatures for the end of the TX process
[21:00:55] <Jared Mauch> slide #7 showing
[21:01:26] Zhutao Cheng leaves the room
[21:01:42] Steve Kent leaves the room
[21:01:56] <Jared Mauch> question about validating next-hops, and remote-next-hops ..
[21:02:16] <Jared Mauch> john - still relevant to the review, are we solving the right problem, or not solving it
[21:03:43] <Jared Mauch> randy bush - the internet is highly asymmetric, don't make assumptions.
[21:04:04] <Jared Mauch> randy: path validation is there to say the protocol isn't being gamed.
[21:04:49] Victor Kuarsingh leaves the room
[21:06:13] <Jared Mauch> jeff haas - been awhile since i did a full read through of the bgp spec, the entire set of the updates are not part of the signature.  some attributes must change from node to node.
[21:06:36] <Jared Mauch> jeff haas - we have route targets in VPN, this can cause issues as well.
[21:07:10] <Jared Mauch> jeff haas - if this is not good enough, the WG needs to speak up now.
[21:07:45] <Jared Mauch> rob austein - the basic goal is to protect the core semantics of bgp, make them behave the way people think they already do.
[21:09:08] <Jared Mauch> rob austein - we are trying to have this ready for when attacks do show up.  the bit about the data plane we would like to solve, but that can't be done today.
[21:09:13] alex amirante joins the room
[21:10:18] <Jared Mauch> randy bush - cardigan exchange nz had servers that were origin validation enabled and you couldn't get a packet from sites not validated
[21:10:43] <Jared Mauch> warren kumari will present some slides, i don't think these are online
[21:11:01] <christopher.morrow> chairs have the slides, so we can post them at the end.
[21:17:03] <Jared Mauch> sharon goldberg: this is really cool, how can you explain this when you see the nist validation monitor
[21:17:10] <Jared Mauch> warren: some prefixes are more useful than others
[21:19:29] <Jared Mauch> randy bush [IIJ]: we started collecting hourly RPKI data, RIRs root certificates expired for 9 months, RPKI data compared to route-views/RIPE RIS data, how many invalids were seen.  What we learned is people get a /16 and also have /24's within that with same origin
[21:20:15] <Jared Mauch> warren: this is a biased group, no cat videos
[21:20:30] <Jared Mauch> randy: cat videos on youtube are big
[21:21:13] <Jared Mauch> doug montgomery: arin measurement tool takes any unique prefix + origin .  many invalids should be invalid, such as /28's and /32s
[21:22:07] <Jared Mauch> carlos - lacnic - talk about experiment in ecuador - they implemented rpki and origin validation in the IXP, dropping invalids.. result: nothing occurred.
[21:22:23] <Jared Mauch> carlos - most invalids are covered by valid less-specifics
[21:22:45] <Jared Mauch> randy - if dropping them isn't making a difference, why aren't we doing this.
[21:22:52] Victor Kuarsingh joins the room
[21:22:55] <Jared Mauch> warren- maybe next IETF meeting we will do this
[21:23:25] <Jared Mauch> randy: no, if dropping invalids has no impact, why are we doing this
[21:23:31] <Jared Mauch> warren: rpki is hard, lets go shopping
[21:23:42] <Jared Mauch> brian: we are here to try to stop the attacks
[21:23:58] <Daniele Iamartino> Is it possible to have the "raw" data of this measurement?
[21:24:04] <Jared Mauch> rob austein: waiting for kaminski
[21:24:35] <Jared Mauch> rob austein: we're doing it because someone learned to combine two well known attacks
[21:25:24] <Jared Mauch> volk: we are perhaps trying to push them against from attacking valid stuff.  this doesn't fix those who are attacking the origin ASNs
[21:25:54] <Jared Mauch> volk: we were being attacked by those with RPSL generated routes.
[21:26:01] Dhruv Dhody leaves the room
[21:26:07] atanu leaves the room
[21:26:09] <Jared Mauch> randy: we see many bgp path attacks in the real world
[21:27:50] akatlas leaves the room
[21:27:55] dseomn leaves the room
[21:28:05] <Jared Mauch> BGPSEC lives in SIDR, not sure if chairs have a plan to do WGLC, thank you everyone for attention today.  Please use momentum to review the spec. Hopefully RFC before Dallas.
[21:28:13] <Jared Mauch> End of meeting
[21:28:19] Jared Mauch leaves the room
[21:28:22] christopher.morrow leaves the room
[21:28:45] mikemlb leaves the room
[21:28:53] Micahel Baer leaves the room
[21:29:04] anonymous coward leaves the room
[21:29:51] Daniele Iamartino leaves the room
[21:33:39] Victor Kuarsingh joins the room
[21:33:49] Victor Kuarsingh leaves the room
[21:34:22] lminiero leaves the room
[21:36:09] DanYork leaves the room
[21:45:20] DanYork joins the room
[21:53:19] atanu joins the room
[21:58:06] DanYork leaves the room
[21:59:04] atanu leaves the room
[22:08:49] Victor Kuarsingh leaves the room
[22:10:33] DanYork joins the room
[22:17:41] DanYork leaves the room
[23:01:32] jpc leaves the room
[23:21:30] DanYork joins the room
[23:23:42] Victor Kuarsingh joins the room
[23:34:16] DanYork leaves the room
[23:46:25] DanYork joins the room
[23:48:14] DanYork leaves the room