[OPSEC] Benjamin Kaduk's No Objection on draft-ietf-opsec-urpf-improvements-03: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 21 August 2019 22:45 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: opsec@ietf.org
Delivered-To: opsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A829D120110; Wed, 21 Aug 2019 15:45:40 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsec-urpf-improvements@ietf.org, Sandra Murphy <sandy@tislabs.com>, opsec-chairs@ietf.org, sandy@tislabs.com, opsec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <156642754067.25756.14564875013672898583.idtracker@ietfa.amsl.com>
Date: Wed, 21 Aug 2019 15:45:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/ILla6Y-Q9S6K4qEEIKAagxLjm24>
Subject: [OPSEC] Benjamin Kaduk's No Objection on draft-ietf-opsec-urpf-improvements-03: (with COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 22:45:41 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-opsec-urpf-improvements-03: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsec-urpf-improvements/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you for this well-written document! It will be beneficial to the security of the internet as a whole to have effective BCP38 protections applied more widely. I'm happy to see the discussion about Algorithm A vs. B as recommended default, prompted by Alvaro's ballot position. On the face of things I do share his concern, as having "safe defaults" in the sense of not dropping legitimate traffic seems pretty compelling, but I do recognize that Algorithm A produces a stricter check, and that is in a different sense "more safe". I don't think I have much to add to the discussion, though, so I'll continue to watch it play out. (Perhaps some of the discussion could make it into the security considerations of this document once things get settled, though.) Section 2.1 dropped. The ACLs for the ingress/egress filters need to be maintained to keep them up to date. Updating the ACLs is an operator driven manual process, and hence operationally difficult or infeasible. nit: hyphenate "operator-driven" Section 2.2 In Figure 1, I'm having a hard time understanding why feasible-path uRPF fails for case (2). Or is the intent of the caption and terminology note from above only to say that it fails for at least one of the enumerated cases? (On the other hand, there's a decent chance that the lack of comprehension is entirely on my end...) Section 2.3 can be described as follows. In Scenario 2 (described above, illustrated in Figure 2), it is possible that the second transit provider (ISP-b or AS3) does not propagate the prepended route for prefix P1 to the first transit provider (ISP-a or AS2). This is because AS3's decision policy permits giving priority to a shorter route to prefix P1 via a lateral peer (AS2) over a longer route learned directly from the customer (AS1). In such a scenario, AS3 would not send any route announcement for prefix P1 to AS2 (over the I expect this is just my lack of familiarity here, but does the decision policy "giving priority" to shorter routes vs customer routes mean that it won't propagate the customer advertisement at all or just that it won't route traffic that way? Section 3.2 o Additionally, from the routes it has learned from customers, a non-stub AS SHOULD announce at least one route per origin AS to each of its transit provider ASes. What are the security consequences of this? If, say, an AS only get very specific prefixes with very short paths from a customer and is now "forced" to advertise at least one of them by these practices, can that have a negative impact on routing? Would prepending itself in the path be a usable mitigation? Section 3.4 nit: there's perhaps room for harmonization of language between step (3) here and step (1) of Algorithm A. 4. Create the set of all unique prefixes for which routes exist in Adj-RIB-Ins of all lateral peer and transit provider interfaces Is the intention that "lateral peer and transiti provider interfaces" is equivalent to "all interfaces that are not directly-connected customer interfaces"? Section 3.6.1 The techniques described in this document require that there should be additional memory (i.e., TCAM) available to store the RPF lists in nit: TCAM isn't listed as "well-known" at https://www.rfc-editor.org/materials/abbrev.expansion.txt , so we probably have to expand it. The following table shows the measured customer cone sizes for various types of ISPs [sriram-ripe63]: The table contents make it seem like these are not "per-type" data, but rather specific data from hopefully representative samples. In particular... +---------------------------------+---------------------------------+ | Type of ISP | Measured Customer Cone Size in | | | # Prefixes (in turn this is an | | | estimate for RPF list size on | | | line card) | +---------------------------------+---------------------------------+ | Very Large Global ISP | 32392 | | ------------------------------- | ------------------------------- | | Very Large Global ISP | 29528 | ... perhaps these should be #1 and #2 to disambiguate. Section 3.7 * In general, loose uRPF method for SAV SHOULD be applied on lateral peer and transit provider interfaces. However, for lateral peer interfaces, in some cases an operator MAY apply EFP-uRPF method with Algorithm A if they deem it suitable. Since step (1) of Algorithm A explicitly says "of customer interfaces", we probably need a little bit more text here to say what it means to use Algorithm A for lateral peer and/or transit provider interfaces. (Or, perhaps, some reworking of the text describing Algorithm A, but that seems like a more invasive change. Section 4 This is rather related to Alvaro's Discuss, but how is an AS operator to know what type of peer and the nature of customer cone scenario that applies to a given case? Also, is there a way to know what the probability of dropping legitimate data packets is other than experimenting and waiting for customer complaints? (I guess it's probably okay, given the references, to not bother explicitly saying "erroneously dropping legitimate packets is bad".)
- [OPSEC] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [OPSEC] Benjamin Kaduk's No Objection on draf… Sriram, Kotikalapudi (Fed)