Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Wed, 06 July 2016 18:46 UTC

From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Stephen Kent <kent@bbn.com>, Randy Bush <randy@psg.com>, Sandra Murphy <sandy@tislabs.com>
Date: Wed, 6 Jul 2016 18:46:12 +0000
Message-ID: <DM2PR09MB04461EF1F9B3A093E14ADE1C843A0@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com> <m2wpl6ffdp.wl%randy@psg.com> <8196148a-b98d-c680-c714-55498131e7ce@bbn.com> <m28txldluq.wl%randy@psg.com> <F3FB0B9E-A069-4381-9D37-305C4C96A1F8@tislabs.com> <m2furo6kte.wl%randy@psg.com> <93749241-0ef4-8328-7393-cffe3a7846c4@bbn.com>
In-Reply-To: <93749241-0ef4-8328-7393-cffe3a7846c4@bbn.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/KgM-0hn5PHrlNLg5aA-QDIAUapk>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00

>A newer ROA competes with an older ROA if the newer ROA points to a
>different ASN, contains the same or a more specific prefix, and is
>issued by a different CA.

For DDoS mitigation service, (as an example) a /16 prefix owner may create (well in advance)
two new ROAs for more specific /17s (covered by the /16 prefix).
The new ROAs would have a different ASN – the ASN of the DDoS mitigation service provider.
The CA remains the same.
(The prefix owner already has a /16 ROA with its own ASN for its normal route announcement.)
The idea is that in the event of a DDoS attack, the mitigation service provider will be able to
announce the more specifics immediately and attract the attack traffic away from the victim.

Would you consider these two new ROAs as competing ROAs?  Or, is there a different name for them?
They would be competing (for a good purpose) with the /16 ROA only in emergency scenarios.

Sriram

From: sidr [mailto:sidr-bounces@ietf.org] On Behalf Of Stephen Kent
Sent: Wednesday, July 06, 2016 1:42 PM
To: Randy Bush <randy@psg.com>; Sandra Murphy <sandy@tislabs.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00

Here is the revised text for the relevant part of the intro.

I don't see a need to change the text in the specific attack descriptions, given this revised intro text.


   Additionally, when a ROA or router certificate is created that
   "competes" with an existing ROA or router certificate (respectively),
   the creation of the new ROA or router certificate may be adverse.
   (A newer ROA competes with an older ROA if the newer ROA points to a
   different ASN, contains the same or a more specific prefix, and is
   issued by a different CA.  A newer router certificate competes with
   an older router certificate if the newer one contains the same ASN,
   a different public key, and is issued by a different CA.)  Note that
   transferring resources, or changing of upstream providers may yield
   competing ROAs and/or router certificates, under some circumstances.
   Thus not all instances of competition are adverse actions.

Steve
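As an added illustration (not part of this thread or of the draft text), the quoted definitions of a "competing" ROA and router certificate are written below as predicates and applied to a constructed version of the DDoS-mitigation scenario in Sriram's question. Read literally, the ROA definition needs all three conditions at once: different ASN, same-or-more-specific prefix, and a different issuing CA. So the model shows what happens to /17 ROAs issued under the same CA as the /16 ROA, and to otherwise identical /17 ROAs issued under another CA. Prefixes, ASNs and CA labels are made up; the model keeps one prefix per ROA and ignores maxLength, and the `Roa`, `RouterCert` and `roa_competes` names are this example's own.

```python
"""Encode the draft's 'competing ROA / router certificate' definitions as predicates.

Added example for the sidr thread; not code from the draft or its authors.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A ROA reduced to the three fields the definition looks at.

    Real ROAs may carry several prefixes, each with a maxLength; one prefix
    per ROA is an assumption made here to keep the predicate readable.
    """
    prefix: str  # e.g. "198.18.0.0/16" (constructed value)
    asn: int
    ca: str      # label for the issuing CA (constructed, not a real CA name)


@dataclass(frozen=True)
class RouterCert:
    """A BGPsec router certificate reduced to ASN, key and issuing CA."""
    asn: int
    public_key: bytes  # stand-in for the SubjectPublicKeyInfo bytes
    ca: str


def same_or_more_specific(candidate: str, reference: str) -> bool:
    """True if candidate equals reference or is a more specific of it."""
    cand = ipaddress.ip_network(candidate, strict=True)
    ref = ipaddress.ip_network(reference, strict=True)
    if cand.version != ref.version:  # v4 and v6 never cover each other
        return False
    return cand.subnet_of(ref)


def roa_competes(newer: Roa, older: Roa) -> bool:
    """Different ASN, same-or-more-specific prefix, AND different CA."""
    return (
        newer.asn != older.asn
        and same_or_more_specific(newer.prefix, older.prefix)
        and newer.ca != older.ca
    )


def router_cert_competes(newer: RouterCert, older: RouterCert) -> bool:
    """Same ASN, different public key, AND different CA."""
    return (
        newer.asn == older.asn
        and newer.public_key != older.public_key
        and newer.ca != older.ca
    )


def find_competing(existing: list[Roa], new: list[Roa]) -> list[tuple[Roa, Roa]]:
    """(newer, older) pairs where a new ROA competes with an existing one."""
    return [(n, o) for n in new for o in existing if roa_competes(n, o)]


# Constructed scenario mirroring the question: owner holds a /16 ROA with
# its own ASN; two /17 ROAs point at the mitigation provider's ASN.
OWNER_CA = "owner-ca"
OWNER_ASN = 64500       # prefix owner's ASN (private-use range, constructed)
MITIGATOR_ASN = 64501   # DDoS mitigation provider's ASN (constructed)

EXISTING = [Roa("198.18.0.0/16", OWNER_ASN, OWNER_CA)]

# Same CA as the /16 ROA, as in the scenario described.
MITIGATION_ROAS = [
    Roa("198.18.0.0/17", MITIGATOR_ASN, OWNER_CA),
    Roa("198.18.128.0/17", MITIGATOR_ASN, OWNER_CA),
]

# Identical prefixes and ASN, but issued under a different CA.
FOREIGN_CA_ROAS = [Roa(r.prefix, r.asn, "other-ca") for r in MITIGATION_ROAS]


def ddos_mitigation_competes() -> list[bool]:
    """Verdict of the definition for each same-CA mitigation ROA."""
    return [roa_competes(n, EXISTING[0]) for n in MITIGATION_ROAS]


if __name__ == "__main__":
    print("same-CA /17 ROAs compete with the /16?", ddos_mitigation_competes())
    print("other-CA /17 ROAs compete with the /16?",
          [roa_competes(n, EXISTING[0]) for n in FOREIGN_CA_ROAS])
    print("competing pairs:", find_competing(EXISTING, FOREIGN_CA_ROAS))
```

The prefix check uses `ipaddress.subnet_of`, so "same or more specific" also covers the equal-prefix case; a less specific (the /16 against an existing /17) is rejected, as is a mixed IPv4/IPv6 comparison.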