[GROW] FW: [OPSEC] BCP 84, RFC 8704 on Enhanced Feasible-Path Unicast Reverse Path Forwarding
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Mon, 10 February 2020 17:37 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CCD612080E; Mon, 10 Feb 2020 09:37:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YjBK0e11Zdo1; Mon, 10 Feb 2020 09:37:47 -0800 (PST)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on20713.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d05::713]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D30E812001B; Mon, 10 Feb 2020 09:37:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jWfdo2v1PUGwlArjCCpcf7VGeN5mgtK8Tf1I2F2hxXJryOj2Y6rgQp5APiPfdgjXQ7FbdjvSsw3jJtR5Zn01PKCrx4lH4f9gwvIlrJfbFoCcIAN5AmkRzI3RpVP7Mwx3ZsJg8N3OGuAWVPxG+F0Yo1yfgeblYl9rhPmb0f2fjb1EBJZCVmH17ZU81vwSPq7spw98gtbGe0bw0LFbSRsjkh869crc0aRDdbVwUpkIIU9CiPfBMvJmI5N6CBjBkKU+P5PqdL9tLC+F55RkEMXf/Hi/BAZcfi9mQokG/+TFqhXb8twyi+qpUMjCR4PuZH9ELAPEDYoeK6i6AoLzQro4oQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ovG0dGRIM6BeLZL310M085QzCDSn89RLmWK2NZt4MNM=; b=e4c25cwWe5psUhhuT7qOv6UaHacKAfohqr5/C3S+FyPMaHvEnNXmaAYFD4AORM53A1wU1lVWoBfq30WiDz8EddGOcCLQ7kwpwgb/xbjwgaaK/Q4oBlmsOC38UofZUq81wm6caa3xXl4hKYnpIl+Eu1gphVDNgqHDfmjA5vUFNFlMlWyZF+VXUKfTplexBiVhPEJrZHYClzdeFDbbr3LIfgk3c53DMytOgUCQ1+vQ6FyI9gOxH5ICL01YhsJjnmYDCOiVDN6GQZpVQbAnS8pYVnrW2SAV2h8R1g1MZnda48BoK5iVlNG2kQj/vmno4FRGh+O+rYYzVaUFyX+BcBvtQw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ovG0dGRIM6BeLZL310M085QzCDSn89RLmWK2NZt4MNM=; b=tkz7VRZ1a9DK1QQKmvVSCJnoaKZhjRlewelXRuCzqv1vRPIE3LC9SCQb1bOEQCXBBmIoxBfqCp2w0E6D+acep4WafLHpcdThjJ4tZuMpdJ2wI0S4xiVfaGd/8zswszD+RqjcgHk0PEdz1yrYA34baqosXEa01AiD/TofYLK9pgw=
Received: from CH2PR09MB4571.namprd09.prod.outlook.com (10.186.138.209) by CH2PR09MB4540.namprd09.prod.outlook.com (10.186.137.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.21; Mon, 10 Feb 2020 17:37:40 +0000
Received: from CH2PR09MB4571.namprd09.prod.outlook.com ([fe80::7c1e:6458:a461:cd4]) by CH2PR09MB4571.namprd09.prod.outlook.com ([fe80::7c1e:6458:a461:cd4%3]) with mapi id 15.20.2707.030; Mon, 10 Feb 2020 17:37:40 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "grow@ietf.org" <grow@ietf.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [OPSEC] BCP 84, RFC 8704 on Enhanced Feasible-Path Unicast Reverse Path Forwarding
Thread-Index: AdXgM/+fEA66ukMMRQmkBvs8PWN/4A==
Date: Mon, 10 Feb 2020 17:37:40 +0000
Message-ID: <CH2PR09MB4571A56AE1AED4CE70C9F98784190@CH2PR09MB4571.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.140.161]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 386abd3f-4ba0-4d0d-1abf-08d7ae4fed7f
x-ms-traffictypediagnostic: CH2PR09MB4540:
x-microsoft-antispam-prvs: <CH2PR09MB4540261B3B76BC89D7BC026784190@CH2PR09MB4540.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 03094A4065
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(136003)(366004)(376002)(39860400002)(199004)(189003)(966005)(52536014)(5660300002)(76116006)(478600001)(66446008)(33656002)(66556008)(66946007)(64756008)(66476007)(316002)(8936002)(81166006)(81156014)(8676002)(71200400001)(6916009)(86362001)(4326008)(2906002)(450100002)(9686003)(66574012)(6506007)(55016002)(186003)(7696005)(26005); DIR:OUT; SFP:1102; SCL:1; SRVR:CH2PR09MB4540; H:CH2PR09MB4571.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ycBVeYPnkM5GIIhHI0usyneTKSauz/+T6VQIVC5gxOgVcf0l8kYhVn+0auoAIyYAmOf13csnPAiVq2FEA2ff2zQAZCtok+jQ3YTqUrabMqcXq0+JVogX7OI+X3Ng8lSk5JTV2Zf+qPipnICH+BSsR/djoYeNaxtBp8e5lbUuNqggR7xOOSdSSECxiDhxYjc5SViRME++R0CzZiwqqllYnNprkBJ0g1UpQkqhRoEqe4lg80vo86a3GqvhEFXwObrcp8owa6burobi/bpC/QkTra1GZ8PeLfIoNmrwhk4yNwx5EodMLgkCClBddrHDEpeAkSTCu4Ty6FcT/gbg85gJ81HWPihkOtBYiz7hh8R7s5k2DNC2YmDWNpmsP+Y9dyAMw9IqPAUug9NIkDM4y0f9GIxRKNwZDvj6KceGg3UgqIDNhzrO2+NHSQxOGwlYCon7sq33s5q1JNxmGrMRNMcbBH3zOrvJNVuUw9H8AbJsIth6FlD5GLbENtAv44ZshXsooBQTXYcYZAp+Cv8KYIepew==
x-ms-exchange-antispam-messagedata: Rd/4bvZXV0u8w2p/6baEXB7EOZ/FZ7T8jPf42qEQ918rMAujmLvaxePWlQuAIgz+rQe9Y88TRfaVpNpTyaTaX9AtCxfhOfK6Te/HLZZBoMHgLIbC2xphDfzf+2dxy83VbQAkocrzAj6Ne05Z8B4WyA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 386abd3f-4ba0-4d0d-1abf-08d7ae4fed7f
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2020 17:37:40.5408 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PA53LtTYFoo6Hp9gbyONQ8Neva0ukvDND8qGCsN2VwX3vHqhNA1z76pXYKNesM9o9kalqxSNG1C103b9Sv0YmA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR09MB4540
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/fNIFunKexCaW4jYfddWkFjjxzLU>
Subject: [GROW] FW: [OPSEC] BCP 84, RFC 8704 on Enhanced Feasible-Path Unicast Reverse Path Forwarding
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2020 17:37:51 -0000
This new RFC is a product of the OPSEC WG. https://tools.ietf.org/html/rfc8704 I thought I should share the publication notice in GROW because substantial discussion and feedback occurred also in the GROW WG when this RFC was in draft form. Thank you. CC'ing SIDROPS WG also since the RFC (BCP) recommendations include using ROA data as part of the overall EFP-uRPF scheme. Sriram ------------------------- A new Request for Comments is now available in online RFC libraries. BCP 84 RFC 8704 Title: Enhanced Feasible-Path Unicast Reverse Path Forwarding Author: K. Sriram, D. Montgomery, J. Haas Status: Best Current Practice Stream: IETF Date: February 2020 Mailbox: ksriram@nist.gov, dougm@nist.gov, jhaas@juniper.net Pages: 17 Updates: RFC 3704 See Also: BCP 84 I-D Tag: draft-ietf-opsec-urpf-improvements-04.txt URL: https://www.rfc-editor.org/info/rfc8704 DOI: 10.17487/RFC8704 This document identifies a need for and proposes improvement of the unicast Reverse Path Forwarding (uRPF) techniques (see RFC 3704) for detection and mitigation of source address spoofing (see BCP 38). Strict uRPF is inflexible about directionality, the loose uRPF is oblivious to directionality, and the current feasible-path uRPF attempts to strike a balance between the two (see RFC 3704). However, as shown in this document, the existing feasible-path uRPF still has shortcomings. This document describes enhanced feasible-path uRPF (EFP-uRPF) techniques that are more flexible (in a meaningful way) about directionality than the feasible-path uRPF (RFC 3704). The proposed EFP-uRPF methods aim to significantly reduce false positives regarding invalid detection in source address validation (SAV). Hence, they can potentially alleviate ISPs' concerns about the possibility of disrupting service for their customers and encourage greater deployment of uRPF techniques. This document updates RFC 3704. This document is a product of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF. BCP: This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited. ***************
- [GROW] FW: [OPSEC] BCP 84, RFC 8704 on Enhanced F… Sriram, Kotikalapudi (Fed)