Re: [sidr] ROA management recommendations for users
"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Thu, 15 September 2011 23:25 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 464A821F8B4E for <sidr@ietfa.amsl.com>; Thu, 15 Sep 2011 16:25:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.799
X-Spam-Level:
X-Spam-Status: No, score=-5.799 tagged_above=-999 required=5 tests=[AWL=0.800, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLxuMXw8-oz5 for <sidr@ietfa.amsl.com>; Thu, 15 Sep 2011 16:25:24 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 7788D21F8B4C for <sidr@ietf.org>; Thu, 15 Sep 2011 16:25:16 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.323.0; Thu, 15 Sep 2011 19:29:01 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Thu, 15 Sep 2011 19:26:51 -0400
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: "carlos@lacnic.net" <carlos@lacnic.net>, "sidr@ietf.org" <sidr@ietf.org>
Date: Thu, 15 Sep 2011 19:27:21 -0400
Thread-Topic: [sidr] ROA management recommendations for users
Thread-Index: Acxz836i0KlQWNGXR1uFeXlIj20QjgACQvoA
Message-ID: <D7A0423E5E193F40BE6E94126930C49308E09C0F50@MBCLUSTER.xchange.nist.gov>
References: <CA+z-_EViJv72KMbZNhAodftYBhJWdWXLBFZvD8uGB+Avh-Ae1A@mail.gmail.com>
In-Reply-To: <CA+z-_EViJv72KMbZNhAodftYBhJWdWXLBFZvD8uGB+Avh-Ae1A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Subject: Re: [sidr] ROA management recommendations for users
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2011 23:25:25 -0000
Please see comments below.
Sriram

> -----Original Message-----
> From: sidr-bounces@ietf.org [mailto:sidr-bounces@ietf.org] On Behalf Of Carlos
>
> Broadly speaking, and looking at what people have created in the
> repositories so far, there seem to be two different views on the
> matter:
>
> - ROAs that mirror BGP announcements and/or block de-aggregation within networks
> For example, an organization with as 100 holding 10.1/16 and having
> sub-allocated 10.1.128/18 to as 200 creates something like this:
>
> ROA #1: 10.1.0/17-18, 10.1.192/18-18 origin-as 100
> ROA #2: 10.1.128/18-18 origin-as 200
>
> - ROAs that protect all the way to /32 (in IPv4)
>
> Using the same example as above, they would have:
> ROA #1: 10.1/16-32 origin-as 100
> ROA #2: 10.1.128/18-32 origin-as 200

The first approach (minimal maxLength in the ROA) is recommended.
Please see Section 3 of http://tools.ietf.org/html/draft-ietf-sidr-origin-ops-10 where it says:

"One advantage of minimal ROA length is that the forged origin attack does not work for sub-prefixes that are not covered by overly long max length. E.g. if, instead of 10.0.0.0/16-24, one issues 10.0.0.0/16 and 10.0.42.0/24, a forged origin attack can not succeed against 10.0.66.0/24. They must attack the whole /16, which is more likely to be noticed. Therefore, ROA generation software MUST use the prefix length as the max length if the user does not specify a max length."

You may also take a look at http://tools.ietf.org/html/draft-ietf-sidr-usecases-02#section-3.3

Sriram
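To make the maxLength argument concrete, here is an added example (not code from this thread or from any of the drafts it cites) that runs RFC 6811 route origin validation over both ROA styles Carlos described and over the 10.0.0.0/16 comparison quoted from origin-ops Section 3. The prefixes and AS 100/200 are taken from the thread; the routes fed to the validator are constructed test inputs, and AS 64496 and 64497 are documentation ASNs standing in for the unnamed legitimate origin and for a forging party in the origin-ops example.

```python
"""Added example: RFC 6811 origin validation over minimal versus loose
maxLength ROAs.  Prefixes/ASNs 100 and 200 come from the sidr thread;
routes below are constructed inputs; AS 64496/64497 are documentation
ASNs used as stand-ins (assumptions, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


def roa(prefix: str, origin_as: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; as origin-ops Section 3 requires, maxLength defaults
    to the prefix length when the user gives none."""
    net = ipaddress.ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, origin_as)


def validate(route_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 outcome: NotFound when no ROA covers the route, Valid when a
    covering ROA matches origin AS and maxLength, otherwise Invalid."""
    route = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas if route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    if any(r.origin_as == origin_as and route.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"


# The two styles from the thread, holder AS 100 and sub-allocatee AS 200.
MINIMAL_THREAD = [roa("10.1.0.0/17", 100, 18), roa("10.1.192.0/18", 100, 18),
                  roa("10.1.128.0/18", 200, 18)]
LOOSE_THREAD = [roa("10.1.0.0/16", 100, 32), roa("10.1.128.0/18", 200, 32)]

# The origin-ops comparison: one /16-24 ROA versus /16 plus the announced /24.
LEGIT_AS, FORGER_AS = 64496, 64497  # constructed stand-ins
LOOSE_DRAFT = [roa("10.0.0.0/16", LEGIT_AS, 24)]
MINIMAL_DRAFT = [roa("10.0.0.0/16", LEGIT_AS), roa("10.0.42.0/24", LEGIT_AS)]


def compare(route_prefix: str, origin_as: int, minimal, loose) -> Tuple[str, str]:
    """Validate one route against the minimal and the loose ROA set."""
    return validate(route_prefix, origin_as, minimal), validate(route_prefix, origin_as, loose)


def forged_origin_demo() -> Dict[str, Tuple[str, str]]:
    """(minimal, loose) results for constructed routes.  The forged-origin
    case is an unused /24 announced with the legitimate origin AS in the path."""
    return {
        "legit /16":             compare("10.0.0.0/16", LEGIT_AS, MINIMAL_DRAFT, LOOSE_DRAFT),
        "legit 10.0.42.0/24":    compare("10.0.42.0/24", LEGIT_AS, MINIMAL_DRAFT, LOOSE_DRAFT),
        "forged 10.0.66.0/24":   compare("10.0.66.0/24", LEGIT_AS, MINIMAL_DRAFT, LOOSE_DRAFT),
        "wrong-AS 10.0.66.0/24": compare("10.0.66.0/24", FORGER_AS, MINIMAL_DRAFT, LOOSE_DRAFT),
        "AS100 10.1.64.0/18":    compare("10.1.64.0/18", 100, MINIMAL_THREAD, LOOSE_THREAD),
        "AS100 10.1.64.0/20":    compare("10.1.64.0/20", 100, MINIMAL_THREAD, LOOSE_THREAD),
        "AS200 10.1.128.0/18":   compare("10.1.128.0/18", 200, MINIMAL_THREAD, LOOSE_THREAD),
        "AS100 10.1.128.0/18":   compare("10.1.128.0/18", 100, MINIMAL_THREAD, LOOSE_THREAD),
    }


if __name__ == "__main__":
    for name, (minimal, loose) in forged_origin_demo().items():
        print(f"{name:24s} minimal={minimal:8s} loose={loose}")
```

Running it shows the point of the origin-ops text: the forged 10.0.66.0/24 announcement validates as Invalid against the minimal ROAs but Valid against 10.0.0.0/16-24, while the legitimate /16 and 10.0.42.0/24 are Valid in both. In the thread's own example the loose /16-32 ROA also lets AS 100 validate for the /18 sub-allocated to AS 200, which the minimal set marks Invalid.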