Re: [OPSEC] http://www.ietf.org/internet-drafts/draft-kumari-blackhole-urpf-00.txt
"Smith, Donald" <Donald.Smith@qwest.com> Thu, 18 September 2008 19:46 UTC
Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA1243A6986; Thu, 18 Sep 2008 12:46:40 -0700 (PDT)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE3663A6986 for <opsec@core3.amsl.com>; Thu, 18 Sep 2008 12:46:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BFt5PmSsoJXy for <opsec@core3.amsl.com>; Thu, 18 Sep 2008 12:46:38 -0700 (PDT)
Received: from suomp64i.qwest.com (suomp64i.qwest.com [155.70.16.237]) by core3.amsl.com (Postfix) with ESMTP id 9E3C73A696D for <opsec@ietf.org>; Thu, 18 Sep 2008 12:46:38 -0700 (PDT)
Received: from suomp61i.qintra.com (suomp61i.qintra.com [151.117.69.28]) by suomp64i.qwest.com (8.14.0/8.14.0) with ESMTP id m8IJknLs011379; Thu, 18 Sep 2008 14:46:49 -0500 (CDT)
Received: from ITDENE2KSM01.AD.QINTRA.COM (localhost [127.0.0.1]) by suomp61i.qintra.com (8.14.0/8.14.0) with ESMTP id m8IJkSRP022553; Thu, 18 Sep 2008 14:46:43 -0500 (CDT)
Received: from ITDENE2KM02.AD.QINTRA.COM ([10.1.4.66]) by ITDENE2KSM01.AD.QINTRA.COM with Microsoft SMTPSVC(6.0.3790.1830); Thu, 18 Sep 2008 13:46:38 -0600
X-MessageTextProcessor: DisclaimIt (2.70.270) [Qwest Communications International Inc.]
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 18 Sep 2008 13:46:36 -0600
Message-ID: <A15EF332BA1FE04888F87DFEC06629F005EF5370@ITDENE2KM02.AD.QINTRA.COM>
In-Reply-To: <050CFA9F-8C05-4D35-AFA9-1AFEEF1BA9D8@kumari.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OPSEC] http://www.ietf.org/internet-drafts/draft-kumari-blackhole-urpf-00.txt
thread-index: AckZF0cDWjaaRXGdS9WSpv+neZaxCwArHKHg
References: <48C95C1A.4070408@bogus.com> <A15EF332BA1FE04888F87DFEC06629F005C34A9C@ITDENE2KM02.AD.QINTRA.COM> <050CFA9F-8C05-4D35-AFA9-1AFEEF1BA9D8@kumari.net>
Importance: normal
Priority: normal
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: Warren Kumari <warren@kumari.net>
X-OriginalArrivalTime: 18 Sep 2008 19:46:38.0425 (UTC) FILETIME=[43D8FC90:01C919C7]
Cc: opsec wg mailing list <opsec@ietf.org>
Subject: Re: [OPSEC] http://www.ietf.org/internet-drafts/draft-kumari-blackhole-urpf-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org
Security through obscurity WORKS against some worms and ssh attacks:) Donald.Smith@qwest.com giac > -----Original Message----- > From: Warren Kumari [mailto:warren@kumari.net] > Sent: Wednesday, September 17, 2008 4:47 PM > To: Smith, Donald > Cc: Joel Jaeggli; opsec wg mailing list > Subject: Re: [OPSEC] > http://www.ietf.org/internet-drafts/draft-kumari-blackhole-urpf-00.txt > > Hi all, > > I am feeling a little bad that I received this a while ago > and haven't > responded yet -- I have visitors at the moment and things have been > hectic keeping them amused, etc... > > Anyway, thank you very much for your comments -- I haven't > had time to > fully digest them, so these are incomplete thoughts... > > > On Sep 11, 2008, at 3:00 PM, Smith, Donald wrote: > > > First let me say this is valuable work and it is well done. > > It should be accepted as a WG document. > > > > > > Yay! Thank you :-) > > > > > It suffers from inconsistent use of the following teams > which appear > > to > > mean the same thing I recommend Remote Triggered Black Hole > filtering > > but which ever term is used should be used consistently. > > Thank you, will search and replace... > > > > > > > > Triggered black-hole routing, Remote triggered black hole > routing and > > RTBH filtering. > > > > > > If "As a matter of policy, operators SHOULD NOT accept > source-based > > RTBH > > announcements from their peers or customers" then why > bother asking > > for > > a registered community from IANA? > > Bah... I was hoping no-one would notice this :-P. I started off > writing this because there was a (perceived) need for standard > community so that customers can signal their provider that > they would > like DESTINATION based RTBH applied (I have often run into the "OMG, > I'm being attacked, what was $PROVIDERs community for this > again? 666? > 37? something? Help!" issues. Usually people start calling their > provider at this point, then realize that the first tier support has > no idea, etc..). This document then morphed into a source based RTBH > document... > > I do still believe that it would be beneficial if there was a > standardized community to signal your provider that you want > DESTINATION based RTBH applied, but probably not SOURCE RTBH. > How does > this sound? That sounds good. 666 is a fairly commonly used community for that. >I DID try figuring out how to word this in the doc, but, > well... > > > > > > > > The cisco and juniper examples only covers destination based RTBH > > filtering no urpf statements are included and therefore source based > > RTBH is not provided by the example configs. That may have been the > > intention of the authors but it wasn't what I expected. > > Yeah, I was going to put in multiple examples, one for destination, > then one for source, but apparently got sidetracked -- I'll try fix > this... If you just add the loose mode (and feasible vs active paths for junos maybe?) that should be enough. > > > > > > > Does this imply that strict mode urpf can't be used for source based > > RTBH? > > > > Nope, not at all... I was a little wary of suggesting strict mode > because, all to often I have seen the "Oooh, a config > snippet, let me > paste it onto all of our routers without understanding it..." > syndrome > -- I didn't want to get grumpy emails asking why I suggested that :-) > > > "In loose mode some vendors also verify that the destination route > > does not point to a discard interface." > > If so going from strict mode to loose to support source > based RTBH has > > some serious security implications. How about: "In strict or loose mode some vendors also verify that the destination route does not point to a discard interface." That way you can leave strict mode out of the config sample but others won't wonder if strict mode would work with uppf for src based RTBHF. > > > > > Nope, if you have strict mode, thats fine, but if you have no URPF, > you need to be a little more careful turning on strict than loose... > > > Security through obscurity WORKS against some worms and ssh > attacks:) > > Donald.Smith@qwest.com giac > > > Once again, thank you for you comments, I will try and update the > draft ti include them soon... > > W > > > > > > >> -----Original Message----- > >> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] > >> On Behalf Of Joel Jaeggli > >> Sent: Thursday, September 11, 2008 11:58 AM > >> To: opsec wg mailing list > >> Subject: > >> [OPSEC]http://www.ietf.org/internet-drafts/draft-kumari-blackh > >> ole-urpf-00.txt > >> > >> Was one of the upcoming documents mentioned in the dublin meeting. > >> > >> this document expands on the method in RFC3882 and I think > much more > >> accurately represents current operational practice. > >> > >> some review on it's current form and consensus as to whether we > >> should > >> accept it as a working group document would be appreciated. > >> > >> Thanks > >> joelja > >> _______________________________________________ > >> OPSEC mailing list > >> OPSEC@ietf.org > >> https://www.ietf.org/mailman/listinfo/opsec > >> > > > > > > This communication is the property of Qwest and may contain > > confidential or > > privileged information. Unauthorized use of this communication is > > strictly > > prohibited and may be unlawful. If you have received this > > communication > > in error, please immediately notify the sender by reply e-mail and > > destroy > > all copies of the communication and any attachments. > > _______________________________________________ > > OPSEC mailing list > > OPSEC@ietf.org > > https://www.ietf.org/mailman/listinfo/opsec > > > > _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
- [OPSEC] http://www.ietf.org/internet-drafts/draft… Joel Jaeggli
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Smith, Donald
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Christopher Morrow
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Warren Kumari
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Joel Jaeggli
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Smith, Donald
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… J. Gill
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Warren Kumari
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Warren Kumari
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Smith, Donald
- Re: [OPSEC] http://www.ietf.org/internet-drafts/d… Warren Kumari