Re: [OPSEC] Reminder: Call for WG adoption of draft-sriram-opsec-urpf-improvements

Jeff Haas <jhaas@juniper.net> Wed, 18 April 2018 12:53 UTC

From: Jeff Haas <jhaas@juniper.net>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
CC: Amir Herzberg <amir.lists@gmail.com>, "opsec@ietf.org" <opsec@ietf.org>, "Montgomery, Douglas (Fed)" <dougm@nist.gov>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>
Thread-Topic: [OPSEC] Reminder: Call for WG adoption of draft-sriram-opsec-urpf-improvements
Thread-Index: AQHT1oU7RYs4tLPULki18qcgJsLIeQ==
Date: Wed, 18 Apr 2018 12:53:37 +0000
Message-ID: <972BDFF8-FBA9-4825-ADDC-FBF4100BDD77@juniper.net>
References: <62EC3E74-6837-4E22-B9C8-FD738316DED6@cisco.com> <SN6PR05MB4240AA845A5245E08E49CACAAEB70@SN6PR05MB4240.namprd05.prod.outlook.com> <A976E7E7-327B-4B30-B975-D92F6B2309B9@senki.org> <209728A1-B747-4B59-AB0F-F21669B67E6C@juniper.net> <B153D7AF-3F8D-4BFE-9A8C-1361AB8A2731@senki.org> <20180418083010.GE89741@Space.Net> <BYAPR09MB27738C811ECFB524F41CB08B84B60@BYAPR09MB2773.namprd09.prod.outlook.com>
In-Reply-To: <BYAPR09MB27738C811ECFB524F41CB08B84B60@BYAPR09MB2773.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/rYJHKLrPN5oDjWqSHIma87OWTmg>
Subject: Re: [OPSEC] Reminder: Call for WG adoption of draft-sriram-opsec-urpf-improvements

> On Apr 18, 2018, at 8:20 AM, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> wrote:
>> Let me mention that I think the WG should also consider potential use of
>> RPKI as a complementary mechanism to improve uRPF. Namely, if there is an
>> ROA for the prefix-origin pair, it should be allowed (even if the
>> (enhanced/preferred) uRPF check fails. In a future (fantasy?) where RPKI is
> 
> I agree with you here. When you say, "if there is an
> ROA for the prefix-origin pair, it should be allowed", I think you mean
> ROA for prefix-origin pair with origin AS in the ISP's customer cone.
> What you propose can be done even in partial deployment of RPKI,
> of course not stand alone but for augmenting the RPF lists
> constructed with the methods proposed in the draft.

It's worth emphasizing that an indirect part of the proposal in the draft is that RPF filters may be augmented from secondary sources.

The fact we've chosen BGP routes that aren't necessarily active in forwarding is one good example of it.

The main operational headache of any secondary seeding of the filters though is the maintenance of their source.  Both BGP and RPKI provide a distributed way such things can be maintained.

Observant and old-enough readers will also be reminded of the "issues" that AOL used to have where your routes weren't used if they weren't properly registered.

-- Jeff
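The two seeding ideas discussed in this thread (permit sources covered by any BGP route learned on the customer interface, active in forwarding or not, and additionally permit sources covered by a ROA whose origin AS sits in that interface's customer cone) can be shown as a small filter builder. The code below is an added illustration written for this archive page; it is not code from Jeff Haas, from the draft, or from any router vendor. The interface names, AS numbers, prefixes and ROAs are constructed sample data, and the dictionary layout is an assumption about how such inputs might be collected, not any particular product's format.

```python
from ipaddress import ip_network, ip_address

# Constructed sample input (not from the thread). Routes received over BGP on
# a customer-facing interface; "active" marks whether the route is currently
# installed in the forwarding table.
CUSTOMER_ROUTES = {
    "cust1": [
        {"prefix": "192.0.2.0/24", "origin_as": 64500, "active": True},
        # A backup path: learned over BGP but not in the FIB right now.
        {"prefix": "198.51.100.0/24", "origin_as": 64501, "active": False},
    ],
}

# Constructed customer cone per interface: the origin ASes reachable through it.
CUSTOMER_CONE = {"cust1": {64500, 64501, 64502}}

# Constructed ROA list as (prefix, maxLength, origin AS). The ROA for AS 64502
# covers a prefix for which no BGP route has been seen on cust1 at all.
ROAS = [
    ("203.0.113.0/24", 24, 64502),   # origin is in cust1's cone -> permitted
    ("2001:db8::/32", 48, 64510),    # origin not in cust1's cone -> ignored
]


def build_rpf_filter(interface, routes, cone, roas):
    """Return the set of source prefixes permitted on `interface`.

    Step 1 seeds the list with every BGP route learned on the interface,
    whether or not it is active in forwarding (so a customer's backup path
    does not get its packets dropped).  Step 2 augments the list with ROA
    prefixes whose origin AS is inside the interface's customer cone.  A ROA's
    covering prefix is enough for a source filter: any more-specific source
    the ROA would authorise (up to maxLength) lies inside it.
    """
    permitted = set()
    for route in routes.get(interface, []):
        permitted.add(ip_network(route["prefix"]))
    for prefix, _maxlen, origin_as in roas:
        if origin_as in cone.get(interface, set()):
            permitted.add(ip_network(prefix))
    return permitted


def build_strict_filter(interface, routes):
    """Classic strict uRPF for comparison: only routes active in forwarding."""
    return {ip_network(r["prefix"]) for r in routes.get(interface, []) if r["active"]}


def rpf_check(src, permitted):
    """True if `src` falls inside any permitted prefix (i.e. the packet passes)."""
    addr = ip_address(src)
    return any(addr in net for net in permitted if net.version == addr.version)


if __name__ == "__main__":
    augmented = build_rpf_filter("cust1", CUSTOMER_ROUTES, CUSTOMER_CONE, ROAS)
    strict = build_strict_filter("cust1", CUSTOMER_ROUTES)
    for src in ("192.0.2.1", "198.51.100.7", "203.0.113.9", "2001:db8::1", "10.0.0.1"):
        print(f"{src:16} strict={rpf_check(src, strict)!s:5} augmented={rpf_check(src, augmented)}")
```

Running it shows the difference the thread is about: 198.51.100.7 is dropped by the strict, FIB-only filter but passes once inactive BGP routes seed the list, and 203.0.113.9 passes only because a ROA with an in-cone origin was added as a secondary source. The IPv6 ROA is ignored because its origin AS is outside the cone, and an unrelated source such as 10.0.0.1 still fails. The maintenance point Jeff raises applies directly: the filter is only as good as the route and ROA data feeding it, so both inputs need a refresh cycle and a way to spot stale entries.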