Re: [sidr] AD Review of sidr-origin-validation-signaling-09

"Alvaro Retana (aretana)" <aretana@cisco.com> Sun, 13 November 2016 23:48 UTC

From: "Alvaro Retana (aretana)" <aretana@cisco.com>
To: Randy Bush <randy@psg.com>
Thread-Topic: AD Review of sidr-origin-validation-signaling-09
Date: Sun, 13 Nov 2016 23:48:06 +0000
Message-ID: <85CA93EA-0B8E-438F-9C36-84982F1143E2@cisco.com>
References: <88A45E79-880B-4F82-9FAA-80C05627A49F@cisco.com> <m2k2c7j0y7.wl-randy@psg.com>
In-Reply-To: <m2k2c7j0y7.wl-randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/EhUS1CAkBpztmCgt9WLCbjZXw64>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] AD Review of sidr-origin-validation-signaling-09

Either way is fine.  The document is scheduled for the Telechat on Dec/15. I expect maybe a couple of directorate reviews before that – if they come in by Dec/9 and you have time to update, then please do.  Otherwise, let’s wait for the IESG to comment.

Thanks!

Alvaro.

On 11/13/16, 4:25 PM, "Randy Bush" <randy@psg.com> wrote:

C1. The reference to rfc7607 should be Informative.
C2. [Major] Security Considerations.  I think that there is one
consideration that should be mentioned in this section: Given that the
largest value is preferred (2 = invalid), there is an attack vector
where a router in the path (yes, even an internal router) can inject a
community indicating that the route is invalid; the communities are
not protected.  This action could result in inconsistent routing or in
even a DoS.  I know the document is not explicit about what to do with
the validation state (which is ok), but the clear intention (from
rfc6811 and rfc7115) is that it will be used to make routing
decisions.  Please add some text about this potential issue.

would you prefer a revision soon, or wait for other iesg comments?

randy