2.4.13 Routing Policy System (rps)

NOTE: This charter is a snapshot of the 42nd IETF Meeting in Chicago, Illinois. It may now be out-of-date. Last Modified: 23-Jul-98

Chair(s):

Cengiz Alaettinoglu <cengiz@isi.edu>
Carol Orange <orange@ripe.net>

Operations and Management Area Director(s):

Harald Alvestrand <Harald.Alvestrand@maxware.no>
Bert Wijnen <wijnen@vnet.ibm.com>

Operations and Management Area Advisor:

Bert Wijnen <wijnen@vnet.ibm.com>

Mailing Lists:

General Discussion: rps@isi.edu
To Subscribe: rps-request@isi.edu
Archive: ftp://ftp.isi.edu/rps

Description of Working Group:

The Routing Policy System Working Group will (1) define a language, referred to as Routing Policy Specification Language (RPSL), for describing routing policy constraints; (2) define a simple and robust distributed registry model for publishing routing policy constraints; and (3) define a set of tools for analysing registered policy constraints, for checking global consistency, for generating router configurations, and for diagnosing operational routing problems. It is expected that RPSL will enter the standards track.

The RPSL will be routing protocol independent as well as router configuration format independent to support various routing protocols such as BGP, IDRP, SDRP, and various router technologies. The RPSL will be backward compatible with RIPE-181 whenever possible; the registry model will be based on the RIPE database.

The working group will focus on inter-domain routing protocols, but will also instigate, review, or (if appropriate) produce additional RFCs to support other protocols such as multicasting and resource reservation.

Goals and Milestones:

Jul 95  Submit initial draft specification of RPSL as an Internet-Draft.

Jul 95  Submit draft specification of tools and the database model as an Internet-Draft.

Sep 95  Submit revised Internet-Draft.

Dec 95  Submit document on RPSL and Experiences to IESG to be considered for publication as an RFC.

Jan 96  Submit RPSL specification to IESG for consideration as a Proposed Standard.

Internet-Drafts:

Request For Comments:

RFC      Status  Title
RFC2280  PS      Routing Policy Specification Language (RPSL)

Current Meeting Report

RPS working group: Aug. 27 1998 by Rusty Eddy

* Anne Gockel - ARIN

They have a routing registry coming in the new year.

* Curtis - Distributed RPS

RPSL (RFC 2280) may be the internal format; it must be used externally.
RPS Security (rps-auth)
RPS Distributed (rps-dist)
draft-zsako-ripe-dbsec-pgp-auth-00.txt

Curtis suggests we may need a framework document.

- why not a centralized database? no third party dependence (trust) and keep
internal info private. we need to exchange info with others for topology analysis,
and possibly inter-provider aggregation.

- spoke of motivation and methods for scalable queries and data distribution: full
mesh, mcast or flooding (we know this works).

- Need data integrity: authorization and authentication, two approaches: signed
objects and signed transactions. rps-auth and rps-dist use signed transactions.

Compatible data exchange: this is where a framework doc would come in, to support
compatible interop between various databases.

- rps-dist: not yet a draft: http://engr.ans.net/rps-auth/index2.html, spoke of the
portions of the document, intro, transactions and rescinding transactions, explained
secure initial object submission and redistribution (provided a couple alternatives,
including lightweight mirrors). Cengiz suggested using timestamps for transactions
and Curtis agreed. Optional commit and confirm (the real advantage is to know at
least one other has received this transaction), allows one to reliably recover from
crashes via a trusted mirror.

- the repositories will have the ability to rollback to a certain extent, but probably not
over an extended period, it becomes unreasonable. e.g. saving a week of data and
finding a problem within a day or so should be ok.

* Jerry Scharf - Cryptographic methods and exporting them

- 3 types of DES: 40-bit (export control permitted), 56-bit and triple DES. IDEA, Safer.
Strength in time to break (56-bit DES in 2 days, 40-bit will take seconds, with special
hardware). Triple DES and Safer are still hard.

Public Key: RSA (patent still has a couple years), El Gamal, Elliptic curve methods.
These are probably much stronger.

- shared secret signing, authentication only. MD5, SHA-1, HMAC-MD5, HMAC-SHA.
SHA-1 may infringe upon patents.

- public key signing: generate a hash, encrypt/permute. MD5/RSA, DSS, MD5/El Gamal.

- exporting crypto: it's a felony. Department of Commerce is not repeatable; some
uses of encryption are legal.

RSA can be used for DNSSEC only, stripped signing library for DSS covers any IETF
effort.

Q: Cengiz: is it illegal if you don't export the libraries, rather export hooks to the library?

A: i don't know, can't say.

Curtis: we're not really interested in encryption, rather just signing/authentication.

* Joao L.S. Damas - Certificate objects and PGP experience

- draft: need for better authentication methods for data maintenance. Data is protected
by a maintainer object. Currently possible auth fields: none, mail-from, crypt-pw,
Merit's PGP. Goals: to have stronger auth and use currently available mechanisms, thus
the key-cert object. Gave examples of the object format and an object itself. All that
is needed is a new value for the auth field. You need a maintainer object and you
need a PGP key.

Q: how do you bootstrap

A: you don't need to worry about it, it's only a once in the beginning, a highly

Curtis suggests that a submitted key be required to be signed by a key already in the
object; in other words, the initial send would need to be sponsored.

- consensus for this draft to be a wg draft was reached.

* Cengiz - Implementation and Deployment status (and changes to RPSL)

Deployment: There are some registries, ISI, ripe, telstra, ...?

Changes:

- integer packing: two 16-bit values into a 32-bit one. Using braces for communities is
problematic; mistakes are easy to make. An alternative is to use a ':', e.g. 3561:70. Cengiz
will change to the ':' notation.

- communities using the .= notation: problematic. Have community always use a set,
"comm .= {10, 20, 30}".
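The two notation changes above (':' for the two packed 16-bit halves, and a set on the right of `.=`) are easy to get wrong by hand; the parser below is an added example, not code from the minutes or from any RPSL tool, that accepts a `comm .= {...}` line with both plain 32-bit integers and `AS:value` pairs and rejects any half that does not fit in 16 bits.

```python
import re

# Matches a community set assignment such as 'comm .= {10, 20, 3561:70}'
# (constructed sample input; the grammar here is an assumption, not RFC 2280's).
_SET_RE = re.compile(r'^\s*comm\s*\.=\s*\{\s*(.*?)\s*\}\s*$')


def pack_community(high: int, low: int) -> int:
    """Pack two 16-bit halves (AS number, value) into one 32-bit community."""
    for name, half in (("AS", high), ("value", low)):
        if not 0 <= half <= 0xFFFF:
            raise ValueError(f"{name} {half} does not fit in 16 bits")
    return (high << 16) | low


def unpack_community(comm: int) -> tuple:
    """Split a 32-bit community back into its (AS, value) halves."""
    if not 0 <= comm <= 0xFFFFFFFF:
        raise ValueError(f"community {comm} does not fit in 32 bits")
    return comm >> 16, comm & 0xFFFF


def parse_community(token: str) -> int:
    """Accept either 'AS:value' (packed) or a plain 32-bit integer."""
    token = token.strip()
    if ':' in token:
        high, low = token.split(':', 1)
        if not (high.isdigit() and low.isdigit()):
            raise ValueError(f"malformed community {token!r}")
        return pack_community(int(high), int(low))
    if not token.isdigit():
        raise ValueError(f"malformed community {token!r}")
    value = int(token)
    unpack_community(value)  # range check only; plain integers stay as given
    return value


def is_valid_community(token: str) -> bool:
    """True if the token parses; used to report errors instead of raising."""
    try:
        parse_community(token)
        return True
    except ValueError:
        return False


def parse_comm_set(line: str) -> list:
    """Parse 'comm .= {a, b, ...}' into a list of packed 32-bit communities."""
    m = _SET_RE.match(line)
    if m is None:
        raise ValueError(f"not a community set assignment: {line!r}")
    body = m.group(1)
    return [parse_community(t) for t in body.split(',')] if body else []


def format_community(comm: int) -> str:
    """Render a packed community in the proposed 'AS:value' notation."""
    high, low = unpack_community(comm)
    return f"{high}:{low}"
```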

Dictionary: typedef: <name> <type> and make union a first level type.

- RAToolSet 4.1.0 parser: close to 100% compliant: aut-num, as-set, route-set,
etc. Gave examples of the policy of AS2764, and some of the more advanced features
were shown in the output generated by RtConfig.

- BIRD: distributed IRR server; propagator: ucast flood and mcast flood, not yet in sync
with rps-dist. Registrar: RPSL syntax checking, authorization and authentication
checking, distributed consistency, etc.

- Schedule: Demo available now, Beta in sept. need to sync propagator, registrar,
with the drafts.

Q: Curtis: size of Mark Prior's aut-num and generated config.

A: Object 9k, config 6k for one peer where there are 42 such peers.

Q: Harald requests a formal specification of grammar rules (yacc rules???).
A: Cengiz will add.

* Jerry Winters - RPSL in IRRd (with Jake, Craig and Tom Spindler)

He gave a history of events. Adding RPSL was not too difficult; no syntax checking.
Reactions from the community are good; users are rising. Range operators and route-set
expansion: should this be done? And if so, how? He gave some examples (should
the operation be and/or, or ignore one).

Cengiz: don't allow it, it's an error; don't allow ranges over ranges.
Curtis: they are simple except for one example; put it on the list and get a discussion.

Their initial choice was not to allow ranges over ranges; syntax checker and PGP auth.

Cengiz: this was discussed on the list a couple years ago, Curtis recognized

* David Kessens - RPSL Transition Status

Phase 1: server software development status.
Phase 2: realtime mirrors, tool testing. RIPE, ANS and Merit are in phase 2.

MCI and CA*net are testing ISI RPSL; Telstra...

- education: first tutorial at NANOG in Detroit was done. Next in Sept at RIPE in Edinburgh,
and more...

- available tools: RAToolSet; RIPE data with RPSL extensions fully supported. Will move
to beta soon.

- RIPE-181 to RPSL database converter

- http://www.isi.edu/ra/rps/transition

Jerry: how does this relate to BIRD?

David: the RIPE RPSL extensions are transitionary until BIRD becomes production.

* Glen Mansfield - Internet Routing Registry MIB

- They have Chain; they have a web site using Java 1.1. The internals come from the OSPF
MIBs. They have an AS-level mapper, a policy browser, and get AS-path trees. Wide-area
fault management: they have an IRR visualization mesh. They need the MIB because
their management applications would like to access this information via a MIB;
this allows their products to use SNMP to access this information for monitoring, etc.
Spoke of the information that would be managed by the MIB. Have an
implementation-independent access, access control and security.

- Would like to know where things will go from here, in addition to router configuration.
Curtis suggests that SNMP may be adequate for some needs, and that should be
addressed. However, for many things such as router config, SNMP would be sorely
inappropriate: large volumes for transactions. Cengiz thinks SNMP queries would be
helpful. Curtis does not think it will be useful.

* Przygienda - Routing Policy Configuration Language (RPCL). Ardas Cilingiroglu

- What is policy? Dynamic RPSL, triggered aggregates, etc.

- It's like RPSL: RPCL specifies a language for defining routing policy, however it's just
for a single router. It also supports IGPs. They have aggregation policies. They
have running code and a draft: draft-ardas-rpcl-00.txt

Q: any thought into an IOS conversion tool?

A: yes, they have.

Slides

Agenda
Chain: Charting the Internet
Transition
