Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00
"Smith, Donald" <Donald.Smith@qwest.com> Fri, 06 February 2009 15:50 UTC
Return-Path: <Donald.Smith@qwest.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 17FA428C246 for <opsec@core3.amsl.com>; Fri, 6 Feb 2009 07:50:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.04
X-Spam-Level:
X-Spam-Status: No, score=-2.04 tagged_above=-999 required=5 tests=[AWL=-0.240, BAYES_00=-2.599, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UWtFGbTgPeAW for <opsec@core3.amsl.com>; Fri, 6 Feb 2009 07:50:41 -0800 (PST)
Received: from sudnp799.qwest.com (sudnp799.qwest.com [155.70.32.99]) by core3.amsl.com (Postfix) with ESMTP id 28E4428C0FF for <opsec@ietf.org>; Fri, 6 Feb 2009 07:50:41 -0800 (PST)
Received: from suomp60i.qintra.com (suomp60i.qintra.com [151.117.69.27]) by sudnp799.qwest.com (8.14.0/8.14.0) with ESMTP id n16FoeAY023128; Fri, 6 Feb 2009 08:50:40 -0700 (MST)
Received: from ITDENE2KSM01.AD.QINTRA.COM (localhost [127.0.0.1]) by suomp60i.qintra.com (8.14.0/8.14.0) with ESMTP id n16FoVSk013790; Fri, 6 Feb 2009 09:50:34 -0600 (CST)
Received: from qtdenexhtm21.AD.QINTRA.COM ([151.119.91.230]) by ITDENE2KSM01.AD.QINTRA.COM with Microsoft SMTPSVC(6.0.3790.1830); Fri, 6 Feb 2009 08:50:34 -0700
Received: from qtdenexmbm24.AD.QINTRA.COM ([151.119.91.226]) by qtdenexhtm21.AD.QINTRA.COM ([151.119.91.230]) with mapi; Fri, 6 Feb 2009 08:50:28 -0700
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: 'Joel Jaeggli' <joelja@bogus.com>, 'opsec wg mailing list' <opsec@ietf.org>
Date: Fri, 06 Feb 2009 08:50:26 -0700
Thread-Topic: [OPSEC] draft-ietf-opsec-blackhole-urpf-00
Thread-Index: AcmIAcfQhfkndigkRuqoZKOhUdnBcwAb35pQ
Message-ID: <B01905DA0C7CDC478F42870679DF0F100493CCF7EF@qtdenexmbm24.AD.QINTRA.COM>
References: <E3B4452D-A984-439F-9069-7E43F51E3F42@kumari.net> <498B9EE3.30400@bogus.com>
In-Reply-To: <498B9EE3.30400@bogus.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 06 Feb 2009 15:50:34.0545 (UTC) FILETIME=[A5C32A10:01C98872]
Subject: Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Feb 2009 15:50:42 -0000
(coffee != sleep) & (!coffee == sleep) Donald.Smith@qwest.com gcia > -----Original Message----- > From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] > On Behalf Of Joel Jaeggli > Sent: Thursday, February 05, 2009 7:22 PM > To: opsec wg mailing list > Subject: Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 > > Warren Kumari wrote: > > Now, for the big question: > > > > In the draft we are are requesting a registered BGP > community to be used > > to signal your provider that you want destination based > RTBH applied to > > an announced prefix. > > So I presented this idea and both viewpoints in the NANOG isp security > BOF and to be honest I couldn't get a rise out of anyone, They neither > called me a moron nor adopted it as their own... > > I suppose one thought would be to carve it out and drop it in a second > draft so we can proceed this document without it. Personally I think a > reserved community has sufficient utility to make it a useful addition > to the toolkit, but reviews here are obviously mixed. > > > There are two viewpoints on this -- I will try to capture them both, > > apologies if I mess this up: > > Viewpoint 1: > > This should be removed -- different providers will > implement RTBH (src > > and dest) in different ways and will provide different capabilities > > (drop on the "edge", only install in a specific region, etc) and so > > there will need to be multiple communities. Getting this > info from your > > provider (and having them enable the feature), etc is (and should > > remain) a required step. That sounds like what I said:) I agree with 1. > > > > Viewpoint 2: > > I'd like to keep the registered community -- while > different providers > > will support different subsets of this, having a well known way to > > enable this seems good to me. Currently providers support different > > communities for different things (e.g: announce this only > to peers, set > > the MED, etc) but there are still some well known (e.g NO_EXPORT) > > communities that the provider probably implements. I > dislike being in > > the situation where I am experiencing a DoS attack and have > misplaced > > the napkin that I scribbled the secret community on last time. Now, It had better be better documented then scribbled on a napkit. It should be part of a standard operations document that your NOC has available to them:) > > while I am down I need to fight my way through Tier 1 - > Tier N trying to > > find the magic community to apply for provider X. I'd > rather just tag an > > announcement with the registerd RTBH community. If the > provider doesn't > > support this, I'm no worse off, if they do, I've bought some time. If the provide supports it but only allows /32s or only allows you to advertise your own space (tm good idea) you might be worse off especally if you think you have done something to mitigate an attack only to find that the mitigation didn't work because you advertised a /30 or space you don't own/route or ... So while I lean away from a reserved community the worse effect I can come up with is you think you started mitigation but it hasn't started yet. It wouldn't be long before a victim realized the mitigation isn't working and contacted their upstream to find out why:) > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec >
- [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Warren Kumari
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Danny McPherson
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Roland Dobbins
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Roland Dobbins
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Christopher Morrow
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Warren Kumari
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Smith, Donald
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Ryan Mcdowell (rymcdowe)
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Ryan Mcdowell (rymcdowe)
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Joel Jaeggli
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Joel Jaeggli
- Re: [OPSEC] draft-ietf-opsec-blackhole-urpf-00 Smith, Donald