Re: [savnet] Fw: New Version Notification for draft-li-sidrops-bicone-sav-00.txt
Lancheng Qin <qlc19@mails.tsinghua.edu.cn> Thu, 21 March 2024 01:23 UTC
Return-Path: <qlc19@mails.tsinghua.edu.cn>
X-Original-To: savnet@ietfa.amsl.com
Delivered-To: savnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A196C14F6B5 for <savnet@ietfa.amsl.com>; Wed, 20 Mar 2024 18:23:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.703
X-Spam-Level:
X-Spam-Status: No, score=-6.703 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=mails.tsinghua.edu.cn
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtqpCdeFI6Mt for <savnet@ietfa.amsl.com>; Wed, 20 Mar 2024 18:23:22 -0700 (PDT)
Received: from azure-sdnproxy.icoremail.net (azure-sdnproxy.icoremail.net [20.231.56.155]) by ietfa.amsl.com (Postfix) with ESMTP id 7B146C14F6BF for <savnet@ietf.org>; Wed, 20 Mar 2024 18:23:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mails.tsinghua.edu.cn; s=dkim; h=Received:Date:From:To:Cc: Subject:In-Reply-To:References:Content-Transfer-Encoding: Content-Type:MIME-Version:Message-ID; bh=3BdDhzw0J9IyhP7uD5tEzl0 +AsfllKHBPEig170EVn8=; b=ZonIzG8u8/p2nJC7unnuAkMyugxN7mJlm8CnwGM 6mov8dCkbOb1ih/Uv0cLIAc8RHi4S6oteJ7rCnMp1XA5jR1ccnK8ASpnpBMpppTy gpgyYl0QnWU3x7l1FzouMNHE+wvTd154RTfmifhTYmxIE0sm4NWQ9m7izSqmOzPF wVRY=
Received: from qlc19$mails.tsinghua.edu.cn ( [27.33.182.58] ) by ajax-webmail-web3 (Coremail) ; Thu, 21 Mar 2024 09:23:12 +0800 (GMT+08:00)
X-Originating-IP: [27.33.182.58]
Date: Thu, 21 Mar 2024 09:23:12 +0800
X-CM-HeaderCharset: UTF-8
From: Lancheng Qin <qlc19@mails.tsinghua.edu.cn>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>
Cc: "savnet@ietf.org" <savnet@ietf.org>, Ben Maddison <benm@workonline.africa>
X-Priority: 3
X-Mailer: Coremail Webmail Server Version 2023.2-cmXT5 build 20230915(bf90896b) Copyright (c) 2002-2024 www.mailtech.cn mispb-4df55a87-4b50-4a66-85a0-70f79cb6c8b5-tsinghua.edu.cn
In-Reply-To: <SA1PR09MB8142EAF735256A16E4CE81D0842C2@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <170495617326.14067.5855645553840831931@ietfa.amsl.com> <139ef37d.22028.18cf856f11a.Coremail.qlc19@mails.tsinghua.edu.cn> <SA1PR09MB8142EAF735256A16E4CE81D0842C2@SA1PR09MB8142.namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
Message-ID: <5b3950c9.24dc1.18e5e9ae180.Coremail.qlc19@mails.tsinghua.edu.cn>
X-Coremail-Locale: zh_CN
X-CM-TRANSID: ygQGZQBXGhIAjPtlDuW_Bg--.57074W
X-CM-SenderInfo: 5tofimo6pdxz3vow2x5qjk3toohg3hdfq/1tbiAQIDD2X7aroUmQA BsN
X-Coremail-Antispam: 1Ur529EdanIXcx71UUUUU7IcSsGvfJ3iIAIbVAYjsxI4VWxJw CS07vEb4IE77IF4wCS07vE1I0E4x80FVAKz4kxMIAIbVAFxVCaYxvI4VCIwcAKzIAtYxBI daVFxhVjvjDU=
Archived-At: <https://mailarchive.ietf.org/arch/msg/savnet/-2CORKXD9zsbmcrWZdMquR0PxtA>
Subject: Re: [savnet] Fw: New Version Notification for draft-li-sidrops-bicone-sav-00.txt
X-BeenThere: savnet@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Source Address Validation in Intra-domain and Inter-domain Networks <savnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savnet>, <mailto:savnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/savnet/>
List-Post: <mailto:savnet@ietf.org>
List-Help: <mailto:savnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savnet>, <mailto:savnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 01:23:31 -0000
Thank you for your explanation. It is a good question. Before responding to your question, I would like to clarify that Bicone SAV does not intend to replace allowlist with blocklist. It suggests to use an additional blocklist to avoid improper block caused by the allowlist. When the allowlist is proven to reach 0 improper block, allowlist alone will suffice. Therefore, I think Bicone SAV would be a good solution in transitional period until we ensure that the allowlist can achieve 0 improper block. > [Sriram]: The Bicone proposal makes source address (SA) in the prefixes that are not in the blocklist or the allowlist to be "allowed". That means that effectively only the SA in prefixes in the blocklist are blocked on ingress on a customer interface and any other SA is permitted. So, the allowlist is not really used. Improper admits would increase a lot. This points to the design flaw. Simple example: Consider AS A and AS B are lateral peers. AS A is doing Bicone on its customer interfaces. Bicone makes SA in the prefixes in the customer cone of AS B allowed on AS A's customer interfaces. [Lancheng]: The primary design goal of SAV is avoiding improper block while maintaining directionality. Your example is correct and avoiding improper block is the first goal of Bicone SAV. Using both allowlist and blocklist can avoid improper block while preventing ASes in the customer cone from using source addresses in the provider cone. So, I think this aligns with the design goal. In addition, checking the allowlist first can avoid improper block when a source prefix is in both allowlist and blocklist. So, the allowlist is actually used. > [Sriram]: In trying to solve the NO_EXPORT situation, a much more important thing is overlooked by Bicone. I think BAR-SAV gets it right. If an AS has the unusual NO_EXPORT on all prefixes towards a provider, it should have an ASPA. This fixes the issue. Also, we may be making a bigger issue of "all prefixes having NO_EXPORT" than what might be true. I mean it might be very rare or non-existent. Usually, when more-specific prefixes have NO_EXPORT, there would be a covering less-specific prefix that propagate everywhere. [Lancheng]: I agree this situation might be less usual. But once it exists, SAV solutions solely using an allowlist may block legitimate traffic. I think this is why RFC8704 particularly analyses this situation in Section 3.3 and proposes the EFP-uRPF Algorithm B. I also agree that the improper block problem of allowlist can be addressed if we can get ASPAs of some ASes. But determining which ASes must deploy ASPAs and waiting for those AS to do so takes time and effort, because having an ASPA is optional, not mandatory. Next, I am planning to make some measurements to analyze the feasibility of Bicone SAV. Thank you. Best, Lancheng > -----原始邮件----- > 发件人: "Sriram, > Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org> > 发送时间:2024-03-19 23:18:58 (星期二) > 收件人: "Lancheng Qin" <qlc19@mails.tsinghua.edu.cn>, "savnet@ietf.org" <savnet@ietf.org> > 抄送: "Ben Maddison" <benm@workonline.africa> > 主题: Re: [savnet] Fw: New Version Notification for draft-li-sidrops-bicone-sav-00.txt > > Hi Lancheng, > > You requested me to explain in more detail my comment yesterday during your presentation on this draft in the SAVNET meeting. > > The Bicone proposal makes source address (SA) in the prefixes that are not in the blocklist or the allowlist to be "allowed". That means that effectively only the SA in prefixes in the blocklist are blocked on ingress on a customer interface and any other SA is permitted. So, the allowlist is not really used. Improper admits would increase a lot. This points to the design flaw. > > Simple example: Consider AS A and AS B are lateral peers. AS A is doing Bicone on its customer interfaces. Bicone makes SA in the prefixes in the customer cone of AS B allowed on AS A's customer interfaces. > > In trying to solve the NO_EXPORT situation, a much more important thing is overlooked by Bicone. I think BAR-SAV gets it right. If an AS has the unusual NO_EXPORT on all prefixes towards a provider, it should have an ASPA. This fixes the issue. Also, we may be making a bigger issue of "all prefixes having NO_EXPORT" than what might be true. I mean it might be very rare or non-existent. Usually, when more-specific prefixes have NO_EXPORT, there would be a covering less-specific prefix that propagate everywhere. > > Thanks. > > Sriram > -- > savnet mailing list > savnet@ietf.org > https://www.ietf.org/mailman/listinfo/savnet
- [savnet] Fw: New Version Notification for draft-l… Lancheng Qin
- Re: [savnet] Fw: New Version Notification for dra… Sriram, Kotikalapudi (Fed)
- Re: [savnet] Fw: New Version Notification for dra… Lancheng Qin