Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00
Joel Jaeggli <joelja@bogus.com> Fri, 06 February 2009 02:22 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A706028C177 for <opsec@core3.amsl.com>; Thu, 5 Feb 2009 18:22:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dle2WrQPklDC for <opsec@core3.amsl.com>; Thu, 5 Feb 2009 18:22:31 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by core3.amsl.com (Postfix) with ESMTP id A8D8028C16D for <opsec@ietf.org>; Thu, 5 Feb 2009 18:22:30 -0800 (PST)
Received: from [192.168.1.135] (c-98-207-155-97.hsd1.ca.comcast.net [98.207.155.97]) (authenticated bits=0) by nagasaki.bogus.com (8.14.3/8.14.3) with ESMTP id n162MSHX060015 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <opsec@ietf.org>; Fri, 6 Feb 2009 02:22:29 GMT (envelope-from joelja@bogus.com)
Message-ID: <498B9EE3.30400@bogus.com>
Date: Thu, 05 Feb 2009 18:22:27 -0800
From: Joel Jaeggli <joelja@bogus.com>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: opsec wg mailing list <opsec@ietf.org>
References: <E3B4452D-A984-439F-9069-7E43F51E3F42@kumari.net>
In-Reply-To: <E3B4452D-A984-439F-9069-7E43F51E3F42@kumari.net>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.94.2/8957/Thu Feb 5 17:31:01 2009 on nagasaki.bogus.com
X-Virus-Status: Clean
Subject: Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Feb 2009 02:22:31 -0000
Warren Kumari wrote: > Now, for the big question: > > In the draft we are are requesting a registered BGP community to be used > to signal your provider that you want destination based RTBH applied to > an announced prefix. So I presented this idea and both viewpoints in the NANOG isp security BOF and to be honest I couldn't get a rise out of anyone, They neither called me a moron nor adopted it as their own... I suppose one thought would be to carve it out and drop it in a second draft so we can proceed this document without it. Personally I think a reserved community has sufficient utility to make it a useful addition to the toolkit, but reviews here are obviously mixed. > There are two viewpoints on this -- I will try to capture them both, > apologies if I mess this up: > Viewpoint 1: > This should be removed -- different providers will implement RTBH (src > and dest) in different ways and will provide different capabilities > (drop on the "edge", only install in a specific region, etc) and so > there will need to be multiple communities. Getting this info from your > provider (and having them enable the feature), etc is (and should > remain) a required step. > > Viewpoint 2: > I'd like to keep the registered community -- while different providers > will support different subsets of this, having a well known way to > enable this seems good to me. Currently providers support different > communities for different things (e.g: announce this only to peers, set > the MED, etc) but there are still some well known (e.g NO_EXPORT) > communities that the provider probably implements. I dislike being in > the situation where I am experiencing a DoS attack and have misplaced > the napkin that I scribbled the secret community on last time. Now, > while I am down I need to fight my way through Tier 1 - Tier N trying to > find the magic community to apply for provider X. I'd rather just tag an > announcement with the registerd RTBH community. If the provider doesn't > support this, I'm no worse off, if they do, I've bought some time.
- [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Warren Kumari
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Danny McPherson
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Roland Dobbins
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Roland Dobbins
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Christopher Morrow
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Warren Kumari
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Smith, Donald
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Ryan Mcdowell (rymcdowe)
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Ryan Mcdowell (rymcdowe)
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Joel Jaeggli
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Joel Jaeggli
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Smith, Donald