Re: [OPSEC] Reminder: Call for WG adoption of draft-sriram-opsec-urpf-improvements

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Wed, 18 April 2018 12:20 UTC

From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Amir Herzberg <amir.lists@gmail.com>
CC: Jeff Haas <jhaas@juniper.net>, "opsec@ietf.org" <opsec@ietf.org>, "Montgomery, Douglas (Fed)" <dougm@nist.gov>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>
Date: Wed, 18 Apr 2018 12:20:28 +0000
Message-ID: <BYAPR09MB27738C811ECFB524F41CB08B84B60@BYAPR09MB2773.namprd09.prod.outlook.com>
In-Reply-To: <20180418083010.GE89741@Space.Net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/nS1sCw8NoRl24_BLlAfW7UlbgiM>
Subject: Re: [OPSEC] Reminder: Call for WG adoption of draft-sriram-opsec-urpf-improvements

Amir,

>I support the adoption of "draft-sriram-opsec-urpf-improvements" as an
>OPSEC Working Group document.

Thank you.

>
>Let me mention that I think the WG should also consider potential use of
>RPKI as a complementary mechanism to improve uRPF. Namely, if there is an
>ROA for the prefix-origin pair, it should be allowed (even if the
>(enhanced/preferred)uRPF check fails. In a future (fantasy?) where RPKI is

I agree with you here. When you say, "if there is an
ROA for the prefix-origin pair, it should be allowed", I think you mean
ROA for prefix-origin pair with origin AS in the ISP's customer cone.
What you propose can be done even in partial deployment of RPKI,
of course not stand-alone but for augmenting the RPF lists
constructed with the methods proposed in the draft.
It helps to add completeness and/or perform additional sanity checks for the RPF filters.
Of course, the benefit of doing this (as a complementary mechanism)
gets increasingly better as the RPKI deployment grows.

Sriram

>widely deployed, this solution may have even been better. I'm aware that
>this is, unfortunately, a far cry from the current situation, hence I definitely
>support moving forward with this draft. My comment can be discussed as part
>of this or separately (or not at all).
>
>thanks, Amir
>
>
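An added illustration (not code from the thread or the draft) of the augmentation Sriram describes: a received prefix-origin pair that is ROA-valid and whose origin AS lies in the ISP's customer cone is admitted to the RPF allow-list even when the draft's RPF construction missed it. The ROAs, customer cone, routes and addresses below are constructed sample data; `roa_valid`, `augment_rpf_list` and `source_allowed` are hypothetical helper names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # ROA prefix, e.g. "198.51.100.0/24"
    max_length: int  # maxLength attribute of the ROA
    origin_as: int   # authorized origin AS


# Constructed sample data (documentation prefixes, private ASNs).
CUSTOMER_CONE = {64500, 64501}            # ASes below the ISP on this interface
RPF_LIST = ["192.0.2.0/24"]               # allow-list built by the draft's RPF method
ROAS = [
    ROA("198.51.100.0/24", 24, 64501),    # valid, origin inside the cone
    ROA("203.0.113.0/24", 24, 64502),     # valid, but origin outside the cone
]
ROUTES = [                                # (prefix, origin AS) pairs received
    ("198.51.100.0/24", 64501),           # ROA-valid, in cone -> admitted
    ("198.51.100.128/25", 64501),         # longer than maxLength -> not admitted
    ("203.0.113.0/24", 64502),            # ROA-valid, origin not in cone -> not admitted
]


def roa_valid(prefix: str, origin_as: int, roas) -> bool:
    """Origin validation: some ROA covers the prefix (within maxLength)
    and names this origin AS."""
    p = ipaddress.ip_network(prefix)
    for roa in roas:
        r = ipaddress.ip_network(roa.prefix)
        if (p.version == r.version and p.subnet_of(r)
                and p.prefixlen <= roa.max_length
                and roa.origin_as == origin_as):
            return True
    return False


def augment_rpf_list(rpf_list, routes, roas, cone):
    """Extend the RPF allow-list with prefixes whose (prefix, origin) is
    ROA-valid and whose origin AS is in the customer cone. Partial RPKI
    deployment only ever adds entries, never removes them."""
    admitted = set(rpf_list)
    for prefix, origin in routes:
        if origin in cone and roa_valid(prefix, origin, roas):
            admitted.add(prefix)
    return sorted(admitted)


def source_allowed(src_ip: str, rpf_list) -> bool:
    """uRPF-style data-plane check: source falls inside an admitted prefix."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in rpf_list)
```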