Re: [OPSEC] Adam Roach's No Objection on draft-ietf-opsec-urpf-improvements-03: (with COMMENT)

Jeff Haas <> Wed, 21 August 2019 18:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 311ED1207FC; Wed, 21 Aug 2019 11:55:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eT43Mi_oM5cK; Wed, 21 Aug 2019 11:55:35 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2BD15120046; Wed, 21 Aug 2019 11:55:35 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id x7LIsbVJ009592; Wed, 21 Aug 2019 11:55:33 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=c2WyacXJJq8iX5yGGtWvZNdSOuet2DZZ6ZVQB7kfXSQ=; b=04JHSuu+vjtYh+g6q+qFVkYeRL8Kpide/wFqdAM6pBGLNpkXG1YMNq66cJx/YV5I6YiO cYonTgeRCzkwRNJu9rZ3UX2EN6paDLEPpc+9lR9rmAU8zap6iDyUiw0ZVkGNjSGF3K4h UkJOqMLM9RZW42GIxpUxCFhW/V1A/azkgoF2U+kn1SU1w0NWkkGAS54Kk7KKdmXAaT3d w0swD8VI7S/jF3jrGIfWmtJkv57F2v9ve51XamY3AQI02OcNm1Rc7y7+V/xSzIMWP+FP diDA44WV5jPOdMwNhjzP9z5Cxqzy2L3aPNkMquyR1XELH2ZQYuVicpwwnxZmwZalnSSs cA==
Received: from ( []) by with ESMTP id 2uhb8s81ey-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 21 Aug 2019 11:55:33 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=it+HFvzBUlromSELzWwo1miHjmerqtX5SRHeYtTvYGMW5oSCDVSsdYl1KHze92nnkxkD8mtkbIePDTWm5TqGr/11PYYOhvfxIdIfLhRB5tOIAi2UlaisaidhjsjGG7vYlbTF5v7xwQYgc1QsgWj54RNVrB9lXuQala0e9beamiAEkMXGS53RoiZIlAV2TiL38k+3cMSYOY1BOXrP3j14bhHAvF+9BnaNj4MjLJzSJSJ0jRO+uRvJE2csJC17VFq0fePEBSsPOwNbpjQQYlcx8dSf4HX/72x6srvrkyY/11PlRCj0FFZaKPkgOeFxlSVrFA6+MykgT1ukKFjQV2wM5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=c2WyacXJJq8iX5yGGtWvZNdSOuet2DZZ6ZVQB7kfXSQ=; b=VIn3vrEgi9zfSGPZsoVKq+PWeJ7CbV1DcmkVsSYdYiz3wTIxeMP5VRC0/pEc3SCWkm99SdHkxkdiBX5N1KWB9k4YOBXcVa4qz8UOcBDCDwJ+10CKSQBtHsYDKsSlqpI7lPqhaG+OTS09B0N5XgVq7zbqqxf05ZHQifMTy/ldAyzCsK9uh4nt2IS/fw9b2jGyIlYKKaX7UuuN7+soRsVbUe3ik/artvC/9mUeu7yunP4bFYm2/nqeCG5RhWzCpKqJA82yGAHaTOvWszQlQ+i+x/dCfU5cLvraiMvOP9utJmBgDIaH6QdCFhKSQDyZi9/oQWKP2BTurhGui+NduGo5wQ==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.16; Wed, 21 Aug 2019 18:55:30 +0000
Received: from ([fe80::dc18:4e26:f427:61c0]) by ([fe80::dc18:4e26:f427:61c0%2]) with mapi id 15.20.2199.011; Wed, 21 Aug 2019 18:55:30 +0000
From: Jeff Haas <>
To: Adam Roach <>
CC: The IESG <>, "" <>, Sandra Murphy <>, "" <>, "" <>
Thread-Topic: Adam Roach's No Objection on draft-ietf-opsec-urpf-improvements-03: (with COMMENT)
Thread-Index: AQHVWFIBLZHiDMTq806gj602uQdV4A==
Date: Wed, 21 Aug 2019 18:55:30 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6ad6f5d3-deb5-4f7c-c6a2-08d7266923aa
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:MN2PR05MB5998;
x-ms-traffictypediagnostic: MN2PR05MB5998:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0136C1DDA4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(376002)(396003)(136003)(366004)(39860400002)(346002)(199004)(189003)(6916009)(6512007)(561944003)(99286004)(53936002)(6246003)(229853002)(6436002)(33656002)(6486002)(14454004)(25786009)(4326008)(478600001)(86362001)(66066001)(54906003)(316002)(76176011)(102836004)(53546011)(6506007)(186003)(486006)(476003)(2616005)(11346002)(446003)(91956017)(3846002)(64756008)(76116006)(36756003)(66556008)(6116002)(66446008)(66946007)(66476007)(256004)(14444005)(5660300002)(8676002)(8936002)(7736002)(305945005)(81166006)(26005)(81156014)(2906002)(71200400001)(71190400001); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR05MB5998;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: SSz7buuxcvUECil/9uu/nzA0wUjbKNN38jWmKfA9y25aKaCx6Tg6LuQrTbRVI0EQNsJEoOtSrWrlu4yEYmDzOUrZL/skYEH27ktw9TW+j7wk557r+zjieb83zdqygp5gNec5O/V1pz4UaSxqYNmfqUm8h8jBvKP6Vg4xYktyCOQms9sZwxk0yywef02FZ11WTTGN/UzoD0Wlhz8akiMWH77a1go/HzCM0GhNjgqaXSzHw4+gDVv+1cADQn7KAaqqsr5MHUWnDxjhFgIswoOPJqZi5JvgcvDqTG++9CkxMnH37EZZhycZNf7U4IEd2Di9e61O+wnbvNZ17YnL934s80jzs9a8JhTECmcqU5NOe5fSnhtuWrR2V9Z7Ql9747w7GJKE2vTyFWO0KuRUHkEhHP2eDSIS8mFTLGGmhtsL1sw=
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 6ad6f5d3-deb5-4f7c-c6a2-08d7266923aa
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2019 18:55:30.6589 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: UPMmfJv+z6lXg8w1K3Byb9Oog2c7TGzXpGCNak2f9pr0SjsbWssjEGCyHzVAvCwsknpo42Y3cpQUveDPWtJNyw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR05MB5998
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-08-21_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=586 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1908210183
Archived-At: <>
Subject: Re: [OPSEC] Adam Roach's No Objection on draft-ietf-opsec-urpf-improvements-03: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Aug 2019 18:55:38 -0000


> On Aug 20, 2019, at 23:29, Adam Roach via Datatracker <> wrote:
> §3.3:
> I believe I understand how the described Algorithm B, is applied by AS4, will
> result in acceptance of AS1's packets from AS2. I'm a bit lost, however, about
> the means by which AS2 will accept them such that they could be delivered to
> AS4.  Is there an assumption that AS2 is employing an ACL-based approach? If
> so, this should probably be stated explicitly. (This might be implied by text
> elsewhere, in which case I apologize for my confusion; although it may still be
> worth explicitly explaining.)

For the examples, it's not important whether AS2 or AS3 are filtering.  However, even if they are, there's sufficient information in the routing for it to work.

BGP NO_EXPORT community means that routes received from AS1 at AS2 are not propagated to AS4.  So, we can use one of the routing based mechanisms.

BGP does have an additional community, NO_ADVERTISE that wouldn't work well for this example.  This would prevent propagation of P1,P2 to other routers in AS2.  However, even that may be fine depending on where uRPF is applied; typically that's only AS border routers.

> ---------------------------------------------------------------------------
> §3.5:
>> It is worth emphasizing that an indirect part of the proposal in the
>> draft is that RPF filters may be augmented from secondary sources.
> Nit: "the draft" won't age gracefully. I suggest changing to "this document"
> or somesuch.
> ---------------------------------------------------------------------------
> §3.6.1:
>> +---------------------------------+---------------------------------+
>> | Very Large Global ISP           | 32392                           |
>> | ------------------------------- | ------------------------------- |
>> | Very Large Global ISP           | 29528                           |
>> | ------------------------------- | ------------------------------- |
> I suspect there was a transcription error copying these lines from the source
> material, as the appearance of two rows with identical labels seems unlikely
> to be intended. I skimmed the cited source material to see if I could figure
> out what happened here, but found neither of these numbers (nor any mention of
> "Mid-size Global ISP"), so I'm afraid I can't make a concrete suggestion for a
> fix. I did find that adding the numbers in the first column on slide 6
> yielded 32393, which is tantalizingly close to the first number, but that
> might just be a coincidence.

I believe a proper reading of this is that each row is a distinct service provider.  Perhaps updating the labeling to Very Large Global ISP1/2 would be helpful?

-- Jeff