IETF Logo Mail Archive

Re: [Secdispatch] Comments on draft-xu-ipsecme-risav-00.txt

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 28 March 2023 03:32 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30E42C14CEFD for <secdispatch@ietfa.amsl.com>; Mon, 27 Mar 2023 20:32:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJI5weZ-qJFB for <secdispatch@ietfa.amsl.com>; Mon, 27 Mar 2023 20:32:25 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E95F3C14F738 for <secdispatch@ietf.org>; Mon, 27 Mar 2023 20:32:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id BF695389A4; Tue, 28 Mar 2023 00:05:47 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id RUbqeI_T6R3H; Tue, 28 Mar 2023 00:05:47 -0400 (EDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 2C84A389A3; Tue, 28 Mar 2023 00:05:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1679976347; bh=eY0lct5orOI/ptWKaoUzKc1ucCtmCTbCqO8elaxR56Y=; h=From:To:Subject:In-Reply-To:References:Date:From; b=GnpsJhoOyQBbh8vxHFCraqprb/JiQptHWaNS6kxg21HyGf+i3TiomFZdG5CWBWAJA AAhk5IA4N4aPjU/8ednGmw6p/SZhQ0ytL+voYsvPyKM6+n6EXgVnmNtT7Kt3feCv9K bvgrZzgpCqSN8qcVV9O4lBwp4Z84fFMrFjABX/Y6RpqkS1M3ZwIfhF4ee/8LlIxrhJ ftucCPbdBu+ZKIEXl+N+UV4EsyAQbpqhDMoKbQnbNYwOPV5HiIyIsUyyKE4zv0yBnz y/gej+keCIOXPv12TmgXkGeKw3MaiaG5Z3JEdkSexj0L0KP3llv25mfybgrIqCBskz ZJXfkiBvQPTYg==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 91FBB18C5; Mon, 27 Mar 2023 23:32:22 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tero Kivinen <kivinen@iki.fi>, IETF SecDispatch <secdispatch@ietf.org>
In-Reply-To: <25634.15454.416990.669430@fireball.acr.fi>
References: <CABcZeBNp2bneLHU000E0jZ_kD9Q7wYG+jMH5FDCfzz3e7faipQ@mail.gmail.com> <31867.1679894307@localhost> <25633.41128.91087.566196@fireball.acr.fi> <11936.1679964729@localhost> <25634.15454.416990.669430@fireball.acr.fi>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 27 Mar 2023 23:32:22 -0400
Message-ID: <8911.1679974342@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/qAz_9tkOnkypizo-Xj9ZI2MMya4>
Subject: Re: [Secdispatch] Comments on draft-xu-ipsecme-risav-00.txt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 03:32:29 -0000

Tero Kivinen <kivinen@iki.fi> wrote:
    >> At the cost of significant impacts to often needed traffic analysis
    >> that is used for load balancing/traffic engineer, and DoS impact.
    >> (DDoS are still possible: but now you know who is doing it)

    > That would require you to block every AS not doing this... Otherwise
    > attackers will simply spoof to be from those ASes who do not support
    > this.

So, when the attackers move elsewhere, that's a win for the ASs involved.

For the AS receiving a DDoS, yes, it might mean that the attack just moves,
but that's also a win, because it means that they can re-prioritize traffic
from the DoS-free AS.  That provides the incentives for more ASs to deploy.

    >> There are still jurisdictions where encryption is a problem, and I'd
    >> prefer to know when they are being spoofed (or not), so we can blame
    >> the right parties.

    > They can use ESP-NULL and if deep packet inspection is needed we can
    > point them to Heuristics for Detecting ESP-NULL Packets (RFC 5879)
    > document...

Yeah, I never liked that process, when we could just signal it with AH.
Still, if you can convince the RISAV people, then more power to you.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email