RPS working group: Aug. 27 1998, minutes by Rusty Eddy

* Anne Gockel - ARIN
  ARIN will have a routing registry coming in the new year.

* Curtis - Distributed RPS
  RPSL (RFC 2280) may be used as the internal format and must be used
  externally. Documents: RPS Security (rps-auth), RPS Distributed (rps-dist),
  draft-zsako-ripe-dbsec-pgp-auth-00.txt. Curtis suggests we may need a
  framework document.
  - Why not a centralized database? No third-party dependence (trust), and
    internal info can be kept private. We need to exchange info with others
    for topology analysis and possibly inter-provider aggregation.
  - Spoke of the motivation and methods for scalable queries and data
    distribution: full mesh, multicast, or flooding (we know this works).
  - Need data integrity: authorization and authentication. Two approaches:
    signed objects and signed transactions. rps-auth and rps-dist use signed
    transactions. Compatible data exchange is where a framework doc would come
    in: support compatible interop between the various databases.
  - rps-dist: not yet a draft; see http://engr.ans.net/rps-auth/index2.html.
    Spoke of the portions of the document: intro, transactions and rescinding
    transactions; explained secure initial object submission and
    redistribution (gave a couple of alternatives, including lightweight
    mirrors). Cengiz suggested using timestamps for transactions and Curtis
    agreed. Optional commit and confirm (the real advantage is knowing that at
    least one other repository has received the transaction) allows one to
    reliably recover from crashes via a trusted mirror.
  - The repositories will have the ability to roll back to a certain extent,
    but probably not over an extended period; it becomes unreasonable. E.g.,
    saving a week of data and finding a problem within a day or so should be
    ok.

* Jerry Scharf - Cryptographic methods and exporting them
  - Three types of DES: 40-bit (export permitted), 56-bit, and triple DES.
    Also IDEA and SAFER. Strength in time to break: 56-bit DES in 2 days,
    40-bit takes seconds, with special hardware. Triple DES and SAFER are
    still hard.
  - Public key: RSA (patent still has a couple of years to run), El Gamal,
    elliptic curve methods. These are probably much stronger.
  - Shared-secret signing, authentication only: MD5, SHA-1, HMAC-MD5,
    HMAC-SHA. SHA-1 may infringe upon patents.
  - Public-key signing: generate a hash, encrypt/permute. MD5/RSA, DSS,
    MD5/El Gamal.
  - Exporting crypto: it's a felony. The Department of Commerce is not
    repeatable; some uses of encryption are legal. RSA can be used for DNSSEC
    only; a stripped signing library for DSS covers any IETF effort.
  Q: Cengiz: is it illegal if you don't export the libraries, but rather
  export hooks to the library?
  A: I don't know, can't say.
  Curtis: we're not really interested in encryption, rather just
  signing/authentication.

* Joao L.S. Damas - Certificate objects and PGP experience
  - Draft: need for better authentication methods for data maintenance. Data
    is protected by a maintainer object. Currently possible auth fields: none,
    mail-from, crypt-pw, Merit's PGP. Goals: have stronger auth and use a
    currently available mechanism, thus the key-cert object. Gave examples of
    the object format and an object itself. All that is needed is a new value
    for the auth field. You need a maintainer object and you need a PGP key.
  Q: How do you bootstrap?
  A: You don't need to worry about it; it only happens once, at the beginning,
  and is highly unlikely: the sender will receive the object back and will be
  able to detect and correct it.
  Curtis suggests that a submitted key be required to be signed by a key
  already in the object; in other words, the initial send would need to be
  sponsored.
  - Consensus for this draft to become a WG draft was reached.

* Cengiz - Implementation and deployment status (and changes to RPSL)
  Deployment: there are some registries: ISI, RIPE, Telstra, ...?
  Changes:
  - Integer packing: two 16-bit values into a 32-bit value. Using braces for
    communities is problematic; mistakes are easy to make. An alternative is
    to use a ':', e.g. 3561:70. Cengiz will change to the ':' notation.
  - Communities using the .= notation are problematic. Have community always
    use a set: "comm .= {10, 20, 30}".
  - Dictionary: typedef, and make union a first-level type.
  - RAToolSet 4.1.0 parser: close to 100% compliant; 100% for aut-num, as-set,
    route-set, etc. Gave examples of the policy of AS2764, and some of the
    more advanced features were shown in the output generated by RtConfig.
  - BIRD: distributed IRR server. Propagator: unicast flood and multicast
    flood, not yet in sync with rps-dist. Registrar: RPSL syntax checking,
    authorization and authentication checking, distribution consistency, etc.
  - Schedule: demo available now, beta in September. Need to sync the
    propagator and registrar with the drafts.
  Q: Curtis: size of Mark Prior's aut-num and the generated config?
  A: Object 9k, config 6k for one peer, where there are 42 such peers.
  Q: Harald requests a formal specification of the grammar rules (yacc
  rules?).
  A: Cengiz will add it.

* Jerry Winters - RPSL in IRRd (with Jake, Craig and Tom Spindler)
  He gave a history of events. Adding RPSL was not too difficult; no syntax
  checking. Reactions from the community are good; users are rising. Range
  operators and route-set expansion: should this be done, and if so, how? He
  gave some examples (should the operation be and/or, or ignore one?).
  Cengiz: don't allow it; it's an error. Don't allow ranges over ranges.
  Curtis: they are simple except for one example; put it on the list and get
  a discussion. Their initial choice was not to allow ranges over ranges.
  Syntax checker and PGP auth. Cengiz: this was discussed on the list a
  couple of years ago; Curtis recognized possible problems and said not to
  allow it. However, a discussion will follow.

* David Kessens - RPSL transition status
  Phase 1: server software development status. Phase 2: real-time mirrors,
  tool testing. RIPE, ANS and Merit are in phase 2. MCI and CA*net are
  testing; ISI RPSL; Telstra ...
  - Education: first tutorial at NANOG in Detroit was done. Next in September
    at RIPE in Edinburgh, and more...
  - Available tools: RAToolSet; RIPE data with RPSL extensions fully
    supported, will move to beta soon.
  - RIPE-181 to RPSL database converter.
  - http://www.isi.edu/ra/rps/transition
  Jerry: how does this relate to BIRD?
  David: the RIPE RPSL extensions are transitional until BIRD becomes
  production.

* Glen Mansfield - Internet Routing Registry MIB
  - They have Chain; they have a web site using Java 1.1, with the internals
    from the OSPF MIBs. They have an AS-level mapper and a policy browser, and
    get AS-path trees. Wide-area fault management: they have an IRR
    visualization mesh. They need the MIB because their management
    applications would like to access this information via a MIB; this allows
    their products to use SNMP to access this information for monitoring, etc.
    Spoke of the information that would be managed by the MIB: have
    implementation-independent access, access control and security.
  - Would like to know where things will go from here, in addition to router
    configuration. Curtis suggests that SNMP may be adequate for some needs,
    and that should be addressed; however, for many things, such as router
    config, SNMP would be sorely inappropriate: large volumes for
    transactions. Cengiz thinks SNMP queries would be helpful. Curtis does not
    think it will be useful.

* Przygienda - Routing Policy Configuration Language (RPCL), with Ardas
  Cilingiroglu
  - What is policy? Dynamic RPSL, triggered aggregates, etc.
  - It's like RPSL: RPCL specifies a language for defining routing policy;
    however, it's just for a single router. It also supports IGPs. They have
    aggregation policies. They have running code and a draft:
    draft-ardas-rpcl-00.txt.
  Q: Any thought into an IOS conversion tool?
  A: Yes, they have.
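The ':' community notation and the brace-set '.=' form from Cengiz's RPSL changes item above, as an added example in Python; this is not part of the minutes and not code from RAToolSet, BIRD or IRRd. It assumes that the 'AS:value' form packs the AS number into the high 16 bits and the value into the low 16 bits, that a bare decimal is an already-packed 32-bit value, and that a '.=' statement is an identifier followed by a comma-separated set in braces. The function names pack_community, unpack_community and parse_append and the sample statements are constructed for illustration; the point shown is strict range checking of registry input so that a mistyped half such as 3561:70000 is rejected instead of silently corrupting the AS field.

```python
"""Parse the RPSL community notation discussed in the minutes.

Two forms are handled (the grammar below is an assumption for this
illustration, not the RAToolSet parser):
  - a single community value, either a plain 32-bit integer or the
    'AS:value' form (e.g. 3561:70) that packs two 16-bit halves,
  - the set-append statement 'comm .= {10, 20, 30}'.
Registry input is untrusted: out-of-range halves and malformed tokens
raise ValueError rather than silently wrapping.
"""
import re

# Assumed grammar: two decimal 16-bit fields joined by ':'
AS_VALUE_RE = re.compile(r"^(\d+):(\d+)$")
# Assumed grammar: identifier, '.=', and a brace-delimited, comma-separated set
APPEND_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_-]*)\s*\.=\s*\{(.*)\}\s*$")


def pack_community(text):
    """Return the 32-bit community number for one community token.

    '3561:70' packs AS 3561 into the high 16 bits and 70 into the low 16
    bits; a bare decimal is taken as an already-packed 32-bit value.
    """
    token = text.strip()
    m = AS_VALUE_RE.match(token)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        # Each half must fit in 16 bits; otherwise the low half would
        # overflow into the AS field when packed.
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError("field out of 16-bit range in %r" % token)
        return (high << 16) | low
    if token.isdigit():
        value = int(token)
        if value > 0xFFFFFFFF:
            raise ValueError("community value exceeds 32 bits: %r" % token)
        return value
    raise ValueError("malformed community token: %r" % token)


def unpack_community(value):
    """Render a packed 32-bit community back in the AS:value notation."""
    if not (0 <= value <= 0xFFFFFFFF):
        raise ValueError("not a 32-bit value: %r" % value)
    return "%d:%d" % (value >> 16, value & 0xFFFF)


def parse_append(line):
    """Parse 'name .= {a, b, c}' into (name, sorted list of packed values).

    Braces are required even for a single value, as the minutes suggest,
    so 'comm .= 10' is rejected.
    """
    m = APPEND_RE.match(line)
    if not m:
        raise ValueError("expected 'name .= { ... }' in %r" % line)
    name, body = m.group(1), m.group(2).strip()
    if not body:
        return name, []
    values = [pack_community(tok) for tok in body.split(",")]
    # A set has no duplicates; sort so results compare deterministically.
    return name, sorted(set(values))


if __name__ == "__main__":
    # Constructed sample statements, not taken from any real registry object.
    for stmt in ["comm .= {10, 20, 30}", "comm .= {3561:70, 3561:80}"]:
        print(stmt, "->", parse_append(stmt))
    for bad in ["comm .= 10", "comm .= {3561:70000}", "comm .= {1:2:3}"]:
        try:
            parse_append(bad)
        except ValueError as err:
            print("rejected:", err)
```

Running the block prints the packed values for the two well-formed statements and a rejection message for each of the three malformed ones; 3561:70 packs to 233373766, i.e. (3561 << 16) | 70.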