IETF Logo Mail Archive

Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds

Erik Kline <ek.ietf@gmail.com> Thu, 18 February 2021 00:21 UTC

Return-Path: <ek.ietf@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C19F3A1E6C for <opsawg@ietfa.amsl.com>; Wed, 17 Feb 2021 16:21:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j4E8wtlPFbKy for <opsawg@ietfa.amsl.com>; Wed, 17 Feb 2021 16:21:07 -0800 (PST)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86EA63A1E6B for <opsawg@ietf.org>; Wed, 17 Feb 2021 16:21:07 -0800 (PST)
Received: by mail-oi1-x229.google.com with SMTP id 6so89906ois.9 for <opsawg@ietf.org>; Wed, 17 Feb 2021 16:21:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DbK1phGO//+2dseoHgNOz/cJTdZNaVXjXB3SXS+lImE=; b=kXRSjqtXqxLkWY9sW3shxRVxyFkMfJPlOJZ3F1uzRVeXP0Acihofi1Aov8V9USPycS 5lYVKP3vLwebQJeqjnmnngTjdfH0t43gymV/e+Mqi3ccI2vP95RG5OiTHA1OFVk5QZs0 +1gU+R0soMBOPpAMFJbLgWe61V9V9h2YmegE9lmM2tlKLBpLfLmVZc0Hy0qe962GDWgv VbrHDSbOU4QMO6NMYlGKMNvq+BDqv/2/Mj+SPOiUicng5QO0VfYc3+753/Z+hLxDO6z+ lByyOhuFbf9VGIxUyHwUP99zuGoYYuOzGJRVIY8I3ET5C+0tGsvtoDNuLlvuienslX7+ JnkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DbK1phGO//+2dseoHgNOz/cJTdZNaVXjXB3SXS+lImE=; b=S9ZUbp9iM/BGp+tXXUbvR0IoG4lAKc8wUFWtP0LFqP329x5LM0KZXZkSmy7nYP5P3l +ttj7HNbza620qbQmwvWKpTInHsJrL60X0W3QNbzBwS6EWtN1UhU0wPDsdEi1lD90MYs YMLsi9rdv7ZtulKJSw0n8pDzQKWTk7YdYULCMJ42sWkNdohGm+t1AK4TSmwuzOtZnX4N aIPeaW/aFG4m0e2Cbs1SD2i+YoThrMTjDUGa/18XounL9kE5Z91DWVnrIu5BpvIqlhD4 mTW9Wdb/zQu4ExmCeKX4KecpIt2KipYKoS3jpJoTwp0+HpQco0Tw8SuN9q1TaI3pJaqb zpSw==
X-Gm-Message-State: AOAM5305k/0OYeVe6TMOORuD692iaB5iNQ7QyElocqOTiXudbXVZVnet 2GICvoSw25+Y6UVIUawyjeec3jQGyKhsawU+faM=
X-Google-Smtp-Source: ABdhPJxYOiZQT7qXQsxZQFcTnq2gUrJE4ms/Jsb8ettrqf0/IcpgOspvFfpbXjCSkRBuGelWiKW3qkBpnEu8jiO8PMY=
X-Received: by 2002:aca:d587:: with SMTP id m129mr953508oig.77.1613607666753; Wed, 17 Feb 2021 16:21:06 -0800 (PST)
MIME-Version: 1.0
References: <BN6PR11MB1667D4EB91373CCB7F7A3F5AB8A09@BN6PR11MB1667.namprd11.prod.outlook.com> <BN6PR11MB166714171776B9AF0AC8F04EB88F9@BN6PR11MB1667.namprd11.prod.outlook.com> <m2czwyi88j.wl-randy@psg.com>
In-Reply-To: <m2czwyi88j.wl-randy@psg.com>
From: Erik Kline <ek.ietf@gmail.com>
Date: Wed, 17 Feb 2021 16:20:56 -0800
Message-ID: <CAMGpriUAkXybSAnDNcxyWjA_X2tNqFqiiTM0c1LYLUSrV0bQdw@mail.gmail.com>
To: Randy Bush <randy@psg.com>
Cc: Joe Clarke <jclarke@cisco.com>, Ops Area WG <opsawg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/ienZWGKe8UNHj_gz0l1xaSkDtmQ>
Subject: Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2021 00:21:09 -0000

On Wed, Feb 17, 2021 at 3:29 PM Randy Bush <randy@psg.com> wrote:
>
> now that last call is over, it's time to make trouble by requesting to
> add a hack.  ggm, doc shepherd, has this idea about hierarchic signing
> which would affect this doc by adding
>
>    If an inetnum: A points to a geofeed file which is signed per
>    Section 4, then a geofeed file pointed to by inetnum: B which is
>    covered by A (i.e., B is for a more specific prefix of A) the
>    geofeed file pointed to by inetnum: B SHOULD also be signed.  If not,
>    then the consumer should be suspicious of data within the geofeed
>    file pointed to by B.
>
> to 5.  Operational Considerations
>
> would anyone care to comment, object, maybe even support?

I agree that this proposed addition seems to highlight and may address
a potential security issue.

But if a lookup process was interested in finding a geofeed for an IP
address within B, would it have any reason or automated means to
backtrack and lookup knowledge of the signed geofeed for A?  Do
inetnum lookups return all superprefix inetnums as well?  (asking for
a friend)

v2.23.0 | Report a Bug | By Email