Origin Validation Policy Considerations for Dropping Invalid Routes
draft-sriram-sidrops-drop-invalid-policy-06
SIDROPS Working Group                                          K. Sriram
Internet-Draft                                               O. Borchert
Intended status: Best Current Practice                     D. Montgomery
Expires: May 28, 2021                                           USA NIST
                                                       November 24, 2020
Abstract
Deployment of Resource Public Key Infrastructure (RPKI) and Route
Origin Authorizations (ROAs) is expected to occur gradually over
several or many years. During the incremental deployment period,
network operators would wish to have a meaningful policy for dropping
Invalid routes. Their goal is to balance (A) dropping Invalid routes
so hijacked routes can be eliminated, versus (B) tolerance for
missing or erroneously created ROAs for customer prefixes. This
document considers a Drop Invalid if Still Routable (DISR) policy
that is based on these considerations. The key principle of the DISR
policy is that an Invalid route can be dropped if a Valid or NotFound
route exists for a subsuming less specific prefix.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 28, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Drop Invalid if Still Routable (DISR) Policy
   2.1. Motivation for the DISR Policy
3. Algorithm for Implementation of DISR Policy
4. Security Considerations
5. Normative References
Acknowledgements
Authors' Addresses
1. Introduction
Deployment of Resource Public Key Infrastructure (RPKI) [RFC6481] and
Route Origin Authorizations (ROAs) [RFC6482] is expected to occur
gradually over several or many years. The ROA-based BGP Origin
Validation (OV) process and the OV states are defined in [RFC6811].
During the incremental deployment period, network operators would
wish to have a meaningful policy for dropping Invalid routes. Their
goal is to balance (A) dropping Invalid routes so hijacked routes can
be eliminated, versus (B) tolerance for missing or erroneously
created ROAs for customer prefixes. This document considers a Drop
Invalid if Still Routable (DISR) policy that is based on these
considerations. The key principle of the DISR policy is that an
Invalid route can be dropped if a Valid or NotFound route exists for
a subsuming less specific prefix.
The DISR policy applies in addition to (1) preferring Valid when more
than one route exists for the same prefix, and (2) always including
NotFound routes in the best path selection process. Note that for a
router performing OV, the existence of a NotFound route excludes the
possibility of an alternate Valid or Invalid route for the same
prefix or a subsuming less specific prefix.
This document also provides an algorithm for best path selection
policy that considers Origin Validation (OV) outcome and includes the
DISR policy.
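
The key principle stated above can be illustrated with a short sketch. This is an added example, not the algorithm of Section 3 and not code from the draft's authors: it classifies routes per [RFC6811] and then applies the DISR drop test. The function names, the "keep"/"drop"/"retain" labels, and the sample VRPs and routes (documentation prefixes and AS numbers) are assumptions made for illustration.

```python
import ipaddress

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"

def covers(less, more, strict=False):
    """True if prefix `less` subsumes `more`; strict=True excludes equal length."""
    a, b = ipaddress.ip_network(less), ipaddress.ip_network(more)
    if a.version != b.version or (strict and a.prefixlen >= b.prefixlen):
        return False
    return b.subnet_of(a)

def ov_state(prefix, origin_as, vrps):
    """RFC 6811 origin validation; each VRP is (prefix, max_length, asn)."""
    covering = [v for v in vrps if covers(v[0], prefix)]
    if not covering:
        return NOT_FOUND
    length = ipaddress.ip_network(prefix).prefixlen
    matched = any(asn == origin_as and length <= mlen for _, mlen, asn in covering)
    return VALID if matched else INVALID

def disr_decisions(routes, vrps):
    """Map each (prefix, origin_as) route to (OV state, action)."""
    states = {r: ov_state(r[0], r[1], vrps) for r in routes}
    decisions = {}
    for route, state in states.items():
        if state != INVALID:
            decisions[route] = (state, "keep")
            continue
        # DISR: an Invalid route can be dropped if a Valid or NotFound route
        # exists for a subsuming (strictly) less specific prefix.
        still_routable = any(
            s in (VALID, NOT_FOUND) and covers(other[0], route[0], strict=True)
            for other, s in states.items())
        # Assumption of this example: an Invalid route with no such covering
        # route is retained (tolerance goal (B) for missing/erroneous ROAs).
        decisions[route] = (state, "drop" if still_routable else "retain")
    return decisions

# Constructed sample data (documentation prefixes and ASNs, not real routes).
SAMPLE_VRPS = [("192.0.2.0/24", 24, 64496), ("198.51.100.0/24", 24, 64500)]
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496), ("192.0.2.128/25", 64511), ("192.0.2.0/25", 64496),
    ("198.51.100.0/24", 64501), ("203.0.113.0/24", 64502)]

if __name__ == "__main__":
    for route, (state, action) in disr_decisions(SAMPLE_ROUTES, SAMPLE_VRPS).items():
        print(route, state, action)
```

In the sample, both Invalid /25 routes are dropped because the Valid 192.0.2.0/24 route still reaches the destination, while the Invalid 198.51.100.0/24 route has no covering alternative and is retained.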