Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 20 August 2019 17:14 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5160A120232; Tue, 20 Aug 2019 10:14:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UyrB1e0fnu_C; Tue, 20 Aug 2019 10:14:29 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on2129.outbound.protection.outlook.com [40.107.91.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D88C212018D; Tue, 20 Aug 2019 10:14:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ff0YPQDgWOk3d0vZpI/DhLV3vQ6rfoG8wezmDpkkIlqizPjwjaWc7BeK/BSA9iutSLs55zf7LMIq33l9jdoYxW2oeStQ953UTciNXVd8QehauM4v0Exw7ul/pYGay6WOyE43UItExo7rCZ+yWcRjQzQ/I8A0QjP1ZIBj4pU/9T2xEP4GJ7+hmrdiCPKG+ZGYlINpfxSorrYLjmiF9S3pqhnEzgx5aamYoyuv6eGStuXpsT+nwnhsqpX/kVLfPl4eFb2K4dTYcGwM8WcYgER0SnHVNj5uBrGFNFfaVTyYRFpPQXCuxZ/BIYcozsACaQKENMjAbTbXRUYGsNpM3SrQ+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GgM6IHN1I1Dfva9gHMciwCdRHe71Pol0Ae5+GxemQxA=; b=KPvDGViuNP3/irGRnQlvW4jXYhRhbgN1GoGEptcsEb3Xp/PUXSjrZeEDDImOmiwit5r8wiwJnIkaGS4YNyrXbYb+G4hvfGeadUh89eEd4OfU0vDcTptKZ2R71LEvwbL+xeXWWfulT1V8PbBuOYENTB3HbvvQOp5Ox0UMSebr8qw5maqIeo6PAVUCBMXB7EGbZKYNH1lKZKH9aRbYi3EsTIRI2/h0Nrvu2DNr5npJviekW2mZrEeEL42aQuZnBO1x0ZYk9CIl1tXvYIfSjo3zb2cfs9hBviIJuMeUYXQ3WmHU2Kx0xj/n2UdcEPllKxnKrN+hjAMmlHQfcI4n3Q6aHw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GgM6IHN1I1Dfva9gHMciwCdRHe71Pol0Ae5+GxemQxA=; b=I3inSkBcv1tlWiqeJ8A+LWAbeWnRR9PzQs+u5aL0qIcP0/0Tlj+IFoxp0ePUEiymcpPvDT36h+metU7jM6BhVQwoS7Oy+xxsViDoLuoYNytMex2sXyPnvIK2ulbBemo/ARpnUlzty4IUCSy30S7KglZVsefON0z2hwLFA7BLpoo=
Received: from DM6PR09MB3019.namprd09.prod.outlook.com (20.178.2.203) by DM6PR09MB4011.namprd09.prod.outlook.com (10.141.166.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.16; Tue, 20 Aug 2019 17:14:27 +0000
Received: from DM6PR09MB3019.namprd09.prod.outlook.com ([fe80::fc5a:9648:8e8f:7968]) by DM6PR09MB3019.namprd09.prod.outlook.com ([fe80::fc5a:9648:8e8f:7968%6]) with mapi id 15.20.2178.018; Tue, 20 Aug 2019 17:14:27 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Alvaro Retana <aretana.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: "Murphy, Sandra" <sandra.murphy@parsons.com>, Sandra Murphy <sandy@tislabs.com>, "draft-ietf-opsec-urpf-improvements@ietf.org" <draft-ietf-opsec-urpf-improvements@ietf.org>, Jen Linkova <furry13@gmail.com>, "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Warren Kumari <warren@kumari.net>
Thread-Topic: Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)
Thread-Index: AQHVVH41+WK2q56zSkaIVPY4TX30Q6cBbRMZgAGRGwCAARoHb4AAGHgAgAAaK2k=
Date: Tue, 20 Aug 2019 17:14:27 +0000
Message-ID: <DM6PR09MB3019712D96B064FF567A421C84AB0@DM6PR09MB3019.namprd09.prod.outlook.com>
References: <156599290421.23877.9763694862590191063.idtracker@ietfa.amsl.com> <DM6PR09MB3019F390CA4A798F87F7DFBC84A90@DM6PR09MB3019.namprd09.prod.outlook.com> <CAMMESsyW17-dn--FJZYQQyeMvBZ5vyOJVaVH7t3TF+ngDsMyyw@mail.gmail.com> <DM6PR09MB3019C877AB5B6B903EDE9A5084AB0@DM6PR09MB3019.namprd09.prod.outlook.com>, <CAMMESsz1g6HYbQL_7poc=J3gHbLgSxeOy_tBFD0G9H2fggOopA@mail.gmail.com>
In-Reply-To: <CAMMESsz1g6HYbQL_7poc=J3gHbLgSxeOy_tBFD0G9H2fggOopA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.223.129]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 33db428d-f6f2-423d-4ad3-08d72591db14
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:DM6PR09MB4011;
x-ms-traffictypediagnostic: DM6PR09MB4011:
x-microsoft-antispam-prvs: <DM6PR09MB4011D430B128949CB5F026D984AB0@DM6PR09MB4011.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 013568035E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(366004)(136003)(396003)(39860400002)(346002)(199004)(189003)(71190400001)(76176011)(229853002)(478600001)(14454004)(26005)(102836004)(5660300002)(53546011)(6506007)(33656002)(6246003)(6436002)(9686003)(561944003)(55016002)(66066001)(86362001)(446003)(476003)(186003)(7696005)(66574012)(7736002)(25786009)(11346002)(66556008)(305945005)(4326008)(74316002)(3846002)(91956017)(81156014)(81166006)(256004)(8676002)(14444005)(6116002)(99286004)(71200400001)(53936002)(2906002)(66446008)(64756008)(66946007)(76116006)(110136005)(66476007)(8936002)(54906003)(486006)(316002)(52536014)(87944003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR09MB4011; H:DM6PR09MB3019.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: WsPNhmopRYpMeKxEBsXtG6fk34VQxBgmq77eyzJet1wUicseg9wdIl61ihlxnRaalwn9bxQDL/KNvT2ZtwyQ+QX8YQyR126lZttgC5uZovE25KciHYAccoNdpc+fd21QH2cCGpYjFJN886dgxMg1stpAi9mr2u6vtCXhoXrmIGfMqkp/468bYIjKzEzmxo+3KzpWe15LQbAEfUd/Am0N4qSryLVKq6Y0k7IEzvi3SiwDHKl6hDta4JjL2Y/bLNpzyMHAXAZqr396Naj6CvfGj5wFZdrr9ic2N0mXOSDB6ZVzY8CiozUIvUgvpMOqSiS59r6bC9dxMbwL+a6v5mPFezJ+6RtNnnXFd+b9orFwXhf6+gNVIv5fg+uHpvporDSRUT50avFmbSyBjbeW7PW9Z8iKrZ5SA8F1QoXILfZRq2w=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 33db428d-f6f2-423d-4ad3-08d72591db14
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Aug 2019 17:14:27.0961 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HSDJ+fb3JPmoBK1zt9GmXVH7WvXBrBqyNv9sssHsGoRbvVnLPYHlcsGZk9SlJHYD3tzdnKeU0dw7ssJLexiXOA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR09MB4011
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/YNNEx6LMEU7-IpyoQCA-qaItbMY>
Subject: Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2019 17:14:31 -0000
Thank you, Alvaro. This has been a very helpful discussion. I'll update the draft following your recommendations/suggestions. I think I can upload a new version by tomorrow morning. Sriram ________________________________________ From: Alvaro Retana <aretana.ietf@gmail.com> Sent: Tuesday, August 20, 2019 11:35 AM To: Sriram, Kotikalapudi (Fed); The IESG Cc: Murphy, Sandra; Sandra Murphy; draft-ietf-opsec-urpf-improvements@ietf.org; Jen Linkova; opsec@ietf.org; opsec-chairs@ietf.org Subject: Re: Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT) On August 20, 2019 at 10:29:22 AM, Sriram, Kotikalapudi (Fed) (kotikalapudi.sriram@nist.gov<mailto:kotikalapudi.sriram@nist.gov>) wrote: Sriram: Hi! Let’s cut to the chase… >>Of course, according to Section 3.7, if an ISP is uncertain that >>Algorithm A is applicable in their scenario, then they SHOULD apply Algorithm B. >True, but that still doesn’t provide any tools for the ISP to know either way. If there’s no way to know (other than trusting your neighbors) that the network is not in the middle of a “challenging scenario”, then why wouldn't Algorithm B always be used? Yes, it may end up being true that Algorithm B is always used. We also want to let ISPs make their own decision about applicability of Algorithm A. I am hoping for agreement on the proposed wording change in Section 3.7 (with modifications you may suggest). It may be just me…in fact, I didn’t find significant discussion about the applicability of the algorithms on the list, beyond the initial discussion of draft-sriram-opsec-urpf-improvements-00, where the “challenging scenario” was introduced because (in my interpretation) the original proposal didn’t address real deployments. Given that Algorithm B is more flexible, and that the limitations from Algorithm A are overcome (§3.4), I would like to see B be the recommendation. I am ok if Algorithm A is mentioned as an alternative (not a recommendation); one that is less flexible and has specific limitations — even if those limitations are not expected/assumed, the vulnerability to a change in conditions should be clearly spelled out. >>>Still looking at Figure 4, if the operator of ISP4 uses Algorithm A (because >>>he/she thinks they may not be in a "challenging scenario"), then it opens the >>>door to ISP2 changing its policy so that the uRPF check in ISP4 fails, as shown >>>in Figure 4. IOW, an attacker in ISP2 could stop advertising reachability to >>>some prefixes and cause ISP4 to fail the uRPF check and drop the traffic. The >>>victim in this case could be AS1, whose traffic (through ISP2 to ISP4) was >>>flowing fine and then it stopped. >> >>There are two observations that are in order here: >>1. An ISP would not normally drop its own paying customer’s >>routes with malicious intent. >>2. It is also hard to envision that ISP2 would attack its upstream ISP4 >>(in Figure 4) just to disrupt its SAV (uRPF), while that results in >>absolutely no gain but only causes unreachability for >>its (ISP2’s) own customer and self-inflicted loss of revenue/customers. >I also doubt that an operator would take actions to harm its own paying customers — but the routers can be compromised anyway...or the advertisement can come from the customer itself with a NO_EXPORT community, etc.. The main case I’m thinking of is the compromised/rogue router. In any of those cases, choosing Algorithm A opens the door to vulnerabilities. Yes, they might be the same (or at least similar) as what exists with FP-uRPF — but they are not mentioned. Even for other BGP security mechanisms, the issue of compromise of a router or RPKI/ROA management system exists. Due to such compromises, malicious ROAs may get created, AS prepend count in BGPsec may be changed maliciously, or the route leak protection (RLP) attribute in the route leak solution may be maliciously altered. We hope that such malicious activity is 1% or less of the attacks, and that we are successfully addressing the other 99% in our solution methods. I’ll add text accordingly for EPF-uRPF/Algorithm A in the Security Considerations section. We all hope that malicious activity on the Internet is kept to a minimum…but that doesn’t mean that the risk doesn’t exist, or that the effect of minimal activity will also be minimal. Not all prefixes are made the same: affecting just one could have significant consequences. >>>---------------------------------------------------------------------- >>>COMMENT: >>>——————————————————————————————————— >... >>>ASes in an ISP's customer cone SHOULD be used to augment the appropriate RPF >>>lists." How? Note that the Introduction already sets the stage by saying that >>>"the routes under consideration are assumed to have been vetted based on prefix >>>filtering [RFC7454] and possibly (in the future) origin validation [RFC6811]." >>>If ROAs SHOULD be used (§3.5), why is origin validation only "possibly (in the >>>future)" considered (§1)? Maybe a better statement would be that "routes >>>SHOULD be validated using prefix filtering, origin validation and IRR route >>>objects". >> >>We agree with your suggested rewording in Section 1. We’ll use that. >>What is advised in Section 3.5 regarding ROAs is as follows. >>In Figure 3, suppose that prefix P4 a ROA with AS1, >>and AS4 (ISP4) may not have received a route for P4 (on a given customer interface). >>But AS4 (ISP4) has received (on that customer interface) a route for P1 with >>the same origin AS (AS1) as in the ROA for P4. >>Then AS4 (ISP4) should augment its corresponding RPF list with P4 >>to allow the possibility that AS1 could legitimately announce >>a route for P4 and potentially use a SA (in a data packet) belonging in P4. >>We'll add this explanation in Section 3.5. >Hmm… Except that the “possibility” that an announcement exists *and* the use as a SA, is different from AS1 really doing it. IOW, augmenting with the expectation that it may happen has its own risks… > Yep, there is that trade-off. Here we choose to further reduce the possibility of false positive (for SA invalid) at the expense of some other risk. Yes, a malicious actor at another AS in the neighborhood within the customer cone might take advantage to some extent. But the same vulnerability exists even if the update were announced. Yes…but it is important to clearly mention the known vulnerabilities of the solutions being proposed. Thanks! Alvaro.
- [OPSEC] Alvaro Retana's Discuss on draft-ietf-ops… Alvaro Retana via Datatracker
- Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf… Sriram, Kotikalapudi (Fed)
- Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf… Alvaro Retana
- Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf… Alvaro Retana
- Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf… Sriram, Kotikalapudi (Fed)
- Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf… Alvaro Retana
- Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf… Sriram, Kotikalapudi (Fed)
- Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf… Sriram, Kotikalapudi (Fed)
- Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf… Alvaro Retana