Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Fri, 30 August 2019 17:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/dX5nbbZTF2vX0RTvle2bnSuw5J4>

Alvaro,

A new version -04 has been uploaded that includes changes
based on your Discuss and other comments.
It took some time because we (authors) thought it was best to
incorporate all of the IESG reviewers' comments before uploading
a new version. That is done now.

>....
>Given that Algorithm B is more flexible, and that the limitations from Algorithm A are overcome (§3.4), I would like to see B be the recommendation.
>...
>I am ok if Algorithm A is mentioned as an alternative (not a recommendation); one that is less flexible and has specific limitations — even if those limitations are not expected/assumed, the vulnerability to a change in conditions should be clearly spelled out.
>...

These main changes per your recommendation are incorporated.
Please take a look at the revised Section 3.7, where we've added 
a new Section 3.7.1 to speak about applicability and limitations of Algorithm A.
You may take a look at the diff:
https://tools.ietf.org/rfcdiff?url2=draft-ietf-opsec-urpf-improvements-04.txt

>Yes…but it is important to clearly mention the known vulnerabilities of the solutions being proposed.

We have carefully revised the Security Considerations section.
There we mention again the limitations of Algorithm A 
and refer back to Section 3.7.1 for details.
We also discuss (in the Security Considerations) the risks
of augmenting the RPF list based on ROA data (per your suggestion). 
We also mention the need for "security hardening of    
routers and other supporting systems (e.g., Resource PKI (RPKI) and 
ROA management systems) against compromise..."

Please let us know if you have any additional comments.
Thanks very much for your help.

Sriram
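The message above refers to two RPF-list construction algorithms (A and B), the limitation of Algorithm A, and the risk of augmenting the RPF list from ROA data. The following is an added example, not code from the draft or its authors, that models those three points so the Security Considerations point can be checked concretely. How the two algorithms build their lists is modelled as this editor understands the draft and is an assumption; interface names, ASNs, prefixes and ROAs are constructed for the example, and the "rogue" ROA stands in for the compromise of ROA management systems that the message mentions.

```python
from ipaddress import ip_address, ip_network

# Constructed per-interface Adj-RIBs-In: interface -> [(prefix, origin AS)].
# Interface names, roles, ASNs and prefixes are assumptions for this example.
RIBS = {
    "cust1": [("192.0.2.0/24", 64500)],
    "cust2": [("198.51.100.0/25", 64501)],      # AS64501 is multi-homed and sends us only this /25
    "peer1": [("198.51.100.128/25", 64501),     # its other /25 reaches us through a lateral peer
              ("203.0.113.0/24", 64502)],
}
CUSTOMER_IFACES = {"cust1", "cust2"}

# Constructed ROAs as (prefix, maxLength, origin AS). The second list holds a
# bogus ROA that an attacker with access to ROA management could plant.
ROAS_OK = [("198.51.100.0/24", 25, 64501)]
ROA_ROGUE = ("203.0.113.0/24", 24, 64500)


def customer_origin_ases(ribs, customer_ifaces, iface=None):
    """Origin ASes seen on one customer interface, or on all of them."""
    ifaces = [iface] if iface else customer_ifaces
    return {asn for i in ifaces for _, asn in ribs[i]}


def rpf_list_a(ribs, customer_ifaces):
    """Model (assumption) of Algorithm A: per customer interface, permit the
    prefixes learned on customer interfaces whose origin AS was seen on that
    interface. Routes learned from peers or providers are not considered."""
    cust_prefixes = [(ip_network(p), asn)
                     for i in customer_ifaces for p, asn in ribs[i]]
    return {
        i: {p for p, asn in cust_prefixes
            if asn in customer_origin_ases(ribs, customer_ifaces, i)}
        for i in customer_ifaces
    }


def rpf_list_b(ribs, customer_ifaces):
    """Model (assumption) of Algorithm B: one list applied to every customer
    interface, built from routes on all interfaces (customer, peer, provider)
    whose origin AS is any customer origin AS."""
    ases = customer_origin_ases(ribs, customer_ifaces)
    return {ip_network(p) for rib in ribs.values() for p, asn in rib if asn in ases}


def augment_with_roas(rpf, origin_ases, roas):
    """Add ROA prefixes whose origin AS is a customer origin AS. maxLength is
    not needed here: a covering prefix already admits all of its sub-prefixes
    for a source-address check."""
    return rpf | {ip_network(p) for p, _maxlen, asn in roas if asn in origin_ases}


def permitted(rpf, src):
    """uRPF-style source check: the source must fall inside some RPF prefix."""
    a = ip_address(src)
    return any(a in net for net in rpf)


def demo():
    """Returns a dict of named checks; every value should be True."""
    a = rpf_list_a(RIBS, CUSTOMER_IFACES)
    b = rpf_list_b(RIBS, CUSTOMER_IFACES)
    ases = customer_origin_ases(RIBS, CUSTOMER_IFACES)
    legit_src = "198.51.100.130"   # AS64501 address from the /25 learned only via the peer
    spoofed_src = "203.0.113.7"    # the peer's address space, sourced from cust1
    return {
        # Algorithm A limitation: multi-homed customer's other prefix is dropped.
        "A drops legit source on cust2": not permitted(a["cust2"], legit_src),
        "B permits it": permitted(b, legit_src),
        # Honest ROA data closes that gap for Algorithm A.
        "A + ROA permits it": permitted(augment_with_roas(a["cust2"], ases, ROAS_OK), legit_src),
        # The risk: a bogus ROA naming a customer AS widens the permit list.
        "without rogue ROA spoof is dropped":
            not permitted(augment_with_roas(a["cust1"], ases, ROAS_OK), spoofed_src),
        "rogue ROA lets spoof through":
            permitted(augment_with_roas(a["cust1"], ases, ROAS_OK + [ROA_ROGUE]), spoofed_src),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ok ' if ok else 'FAIL'} {name}")
```

The last two checks are the point the Security Considerations text makes: once the RPF list is fed from ROA data, anyone who can create a ROA with a customer's AS as origin can enlarge what that customer's interfaces are allowed to source, so the ROA management chain has to be hardened to the same standard as the routers themselves.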