Re: [sidr] ROA management recommendations for users

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Thu, 15 September 2011 23:25 UTC

From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: "carlos@lacnic.net" <carlos@lacnic.net>, "sidr@ietf.org" <sidr@ietf.org>
Date: Thu, 15 Sep 2011 19:27:21 -0400
Message-ID: <D7A0423E5E193F40BE6E94126930C49308E09C0F50@MBCLUSTER.xchange.nist.gov>
References: <CA+z-_EViJv72KMbZNhAodftYBhJWdWXLBFZvD8uGB+Avh-Ae1A@mail.gmail.com>
In-Reply-To: <CA+z-_EViJv72KMbZNhAodftYBhJWdWXLBFZvD8uGB+Avh-Ae1A@mail.gmail.com>
Subject: Re: [sidr] ROA management recommendations for users

Please see comments below.
Sriram

> -----Original Message-----
> From: sidr-bounces@ietf.org [mailto:sidr-bounces@ietf.org] On Behalf Of Carlos
> 
> Broadly speaking, and looking at what people have created in the
> repositories so far, there seem to be two different views on the
> matter:
> 
> - ROAs that mirror BGP announcements and/or block de-aggregation within networks
> For example, an organization with AS 100 holding 10.1/16 and having
> sub-allocated 10.1.128/18 to AS 200 creates something like this:
> 
> ROA #1: 10.1.0/17-18, 10.1.192/18-18 origin-as 100
> ROA #2: 10.1.128/18-18 origin-as 200
> 
> - ROAs that protect all the way to /32 (in IPv4)
> 
> Using the same example as above, they would have:
> ROA #1: 10.1/16-32 origin-as 100
> ROA #2: 10.1.128/18-32 origin-as 200

The first approach (minimal maxLength in the ROA) is recommended.
Please see Section 3 of 
http://tools.ietf.org/html/draft-ietf-sidr-origin-ops-10 
where it says:
"One advantage of minimal ROA length is that the forged origin attack
   does not work for sub-prefixes that are not covered by overly long
   max length.  E.g. if, instead of 10.0.0.0/16-24, one issues
   10.0.0.0/16 and 10.0.42.0/24, a forged origin attack can not succeed
   against 10.0.66.0/24.  They must attack the whole /16, which is more
   likely to be noticed.
   Therefore, ROA generation software MUST use the prefix length as the
   max length if the user does not specify a max length."

You may also take a look at 
http://tools.ietf.org/html/draft-ietf-sidr-usecases-02#section-3.3

Sriram
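As an added example (not code from the draft, the list, or either poster), a small RFC 6483-style origin validator run over the two ROA sets from the message above, written out in full address form; the names ROA, validate and compare are chosen here, not taken from any tool.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # address prefix, e.g. "10.1.0.0/16"
    max_length: int   # maxLength; equal to the prefix length for a minimal ROA
    origin_as: int


def validate(announced: str, origin_as: int, roas) -> str:
    """RFC 6483 origin validation: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(announced)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue          # this ROA does not cover the route
        covered = True        # at least one covering ROA: never 'notfound'
        if route.prefixlen <= roa.max_length and roa.origin_as == origin_as:
            return "valid"    # one matching ROA is enough
    return "invalid" if covered else "notfound"


# The two ROA sets from the message above (constructed from its shorthand).
MINIMAL = [ROA("10.1.0.0/17", 18, 100), ROA("10.1.192.0/18", 18, 100),
           ROA("10.1.128.0/18", 18, 200)]
LOOSE = [ROA("10.1.0.0/16", 32, 100), ROA("10.1.128.0/18", 32, 200)]


def compare(announced: str, origin_as: int) -> dict:
    """Validation result for one route under each ROA style."""
    return {"minimal": validate(announced, origin_as, MINIMAL),
            "loose": validate(announced, origin_as, LOOSE)}


if __name__ == "__main__":
    # A /24 inside 10.1.0.0/17 carrying the legitimate origin AS, the case the
    # draft calls a forged origin attack: minimal maxLength makes it invalid,
    # /16-32 makes it valid, so the more-specific would win route selection.
    print(compare("10.1.66.0/24", 100))   # {'minimal': 'invalid', 'loose': 'valid'}
    # The /16-32 ROA also validates AS 100 originating the block that was
    # sub-allocated to AS 200; the minimal set does not.
    print(compare("10.1.128.0/18", 100))  # {'minimal': 'invalid', 'loose': 'valid'}
```

Note that in the minimal set no ROA covers the aggregate 10.1.0.0/16 itself, so an announcement of the /16 by AS 100 validates as NotFound rather than Valid.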