IETF Logo Mail Archive

Re: [sidr] Request for WG Last Call fordraft-ietf-sidr-bogons-02.txt anddraft-ietf-sidr-roa-validation-01.txt

"Pradosh Mohapatra (pmohapat)" <pmohapat@cisco.com> Tue, 02 December 2008 00:06 UTC

Return-Path: <sidr-bounces@ietf.org>
X-Original-To: sidr-archive@megatron.ietf.org
Delivered-To: ietfarch-sidr-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B2DEE3A69E9; Mon, 1 Dec 2008 16:06:32 -0800 (PST)
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE0313A6A8E for <sidr@core3.amsl.com>; Mon, 1 Dec 2008 16:06:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gus-DazTyXEL for <sidr@core3.amsl.com>; Mon, 1 Dec 2008 16:06:30 -0800 (PST)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id D59CB3A697B for <sidr@ietf.org>; Mon, 1 Dec 2008 16:06:30 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.33,698,1220227200"; d="scan'208";a="119928186"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-3.cisco.com with ESMTP; 02 Dec 2008 00:06:27 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id mB206RYo024002; Mon, 1 Dec 2008 16:06:27 -0800
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id mB206Rfe029865; Tue, 2 Dec 2008 00:06:27 GMT
Received: from xmb-sjc-215.amer.cisco.com ([171.70.151.169]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 1 Dec 2008 16:06:27 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 01 Dec 2008 16:05:28 -0800
Message-ID: <04CAD96D4C5A3D48B1919248A8FE0D540835895A@xmb-sjc-215.amer.cisco.com>
In-Reply-To: <76720B94-5516-48BB-9D83-F3182969A6DE@apnic.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [sidr] Request for WG Last Call fordraft-ietf-sidr-bogons-02.txt anddraft-ietf-sidr-roa-validation-01.txt
Thread-Index: AclUCKNaftvVswHhSmCUffFvwvIPAgAAbl7w
References: <C542C40B.5166%andy@arin.net><A3751517-D15C-45DD-B530-027758F36B04@apnic.net><FC10BBCC-6144-4420-ACFC-9454F26444BE@tcb.net><6F70023C-57B1-4C8D-8DDF-B9D7D8F139F9@apnic.net><56AFA6B5-BCFB-4CDC-B921-3590F71CCBA0@tcb.net><0072BC84-507D-497C-B8B6-0F26DE804316@apnic.net><19318B76-0E1E-4DC5-8017-D2350352169C@tcb.net><16C1A7B4-C46F-4354-B1F8-4AF8EB5249B9@apnic.net><C4A37FE7-88F1-4DEC-AB81-CC2EC6A96C79@tcb.net><D1AE3911-CBB9-451A-AE47-CB254E403DED@apnic.net><EC1B7F06-4137-4F97-8EE5-7676DB0E7155@tcb.net><BD48FF05-04D0-4B71-AF1B-F074E0199202@apnic.net><A09B46E4-02B0-4825-888C-CA24CD68EF50@tcb.net><CB9CD7AF-8CD3-4636-8D64-E876B9216B47@apnic.net><264FCEF8-3DD1-49AB-B41F-56FD0A1B2870@tcb.net> <76720B94-5516-48BB-9D83-F3182969A6DE@apnic.net>
From: "Pradosh Mohapatra (pmohapat)" <pmohapat@cisco.com>
To: Geoff Huston <gih@apnic.net>, Danny McPherson <danny@tcb.net>
X-OriginalArrivalTime: 02 Dec 2008 00:06:27.0045 (UTC) FILETIME=[D1F52150:01C95411]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4318; t=1228176387; x=1229040387; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pmohapat@cisco.com; z=From:=20=22Pradosh=20Mohapatra=20(pmohapat)=22=20<pmohapat @cisco.com> |Subject:=20RE=3A=20[sidr]=20Request=20for=20WG=20Last=20Ca ll=20fordraft-ietf-sidr-bogons-02.txt=20anddraft-ietf-sidr-r oa-validation-01.txt |Sender:=20; bh=zYJnFUf1zSyHKh/APv5u5MAXkrZumAhRB8TpZebpxMM=; b=MeW2qjm54dKdOb91mbLPEoHSqz/ZViHwbRoB02qOptMLjmSzwXJRBYlr9X HemGmrxR9OFYc/yd5LolBkLDl4yi3/Dzhp14exmL7msx/Ch8toRwBf21q1W4 OY+5OXpnbGhXHGt745RudPx38AD/gqrgt1QgSD++6WB58r0heKII0=;
Authentication-Results: sj-dkim-1; header.From=pmohapat@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: sidr@ietf.org
Subject: Re: [sidr] Request for WG Last Call fordraft-ietf-sidr-bogons-02.txt anddraft-ietf-sidr-roa-validation-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sidr-bounces@ietf.org
Errors-To: sidr-bounces@ietf.org

Hi Geoff,

| >> 1. I have been allocated 203.10.61.0/24. I do not use it 
| today in any 
| >> public routing context. It should not appear in BGP at 
| all. I do not 
| >> give my authorization to any AS to originate a route for 
| this prefix, 
| >> or any more specific of this prefix. If I generate a BOA for 
| >> 203.10.61.0/24 then my intention of saying that any use of this 
| >> prefix in the public Internet is unauthorized is clear.
| >
| > If you do not give your authorization then do not issue a ROA.
| > With the incremental deployment argument, I'm not sure who would be 
| > looking at BOAs if they're not looking at ROAs.
| 
| I'm sorry, but I cannot see any logic in that response. If I 
| do not give my authorization and I would like to inform 
| everyone else that any use of this address, or this AS is an 
| instance of a hijack then your response seems to be saying to 
| me that I should not do anything.  
| If that is what you are saying then it seems to be a totally 
| ineffectual course of action in my opinion.


What if: when "I have been allocated 203.10.61.0/24", I issue an
ROA for the same with my origin AS? Doesn't that automatically
mean that all the advertisements of the prefix from another origin
AS are automatically invalid? And since I will not be generating
any updates for this prefix, it will not appear in BGP at all!
Doesn't that solve the problem you cited? Are you concerned that
some other AS would also issue an ROA for the same or a more
specific block of the prefix? That can't be!


| >> 2. I have been allocated AS 131074 as an AS number. I do 
| not use it 
| >> today in any public routing context. It should not appear 
| in BGP at 
| >> all either as an origination AS nor as a transit AS in any AS path.
| >> If I generate a BOA for AS131074 then my intention of 
| saying that any 
| >> use of this AS number in the public Internet is unauthorized is 
| >> clear.
| >
| > But the draft currently does not mitigate "nor as a transit AS", 
| > unless I'm missing something.  Specifically:
| >
| > S.5 graf 2:
| >
| > "If a route object has an AS origination that refers to an 
| AS number 
| > that is listed in a valid BOA, then the route object can be 
| regarded 
| > as a Bogon object, and local policies that apply to Bogon 
| AS's can be 
| > applied to the object. This holds whether or not the 
| address prefix of 
| > the route object is described by a valid ROA or not."
| >
| > I see nothing about "or as a transit AS" in there.
| 
| My apologies - we are not allowed to talk about transit yet 
| as its not an agreed requirement coming out of RSPSEC. So if 
| I remove "nor as a transit AS" and sundry words then I trust 
| that the point I was making is amply clear.


How important is the case of "AS protection" as opposed to
"prefix" protection? Doesn't this automatically become a
by-product of ROA level checks?


| >> 3. I have been allocated 203.10.60.0/22. I wish to ensure that any 
| >> more specific advertisement of this prefix is unauthorized. If I 
| >> generate a BOA for 203.10.60.0/23 AND 203.10.62.0/23 then my 
| >> intention is clear.
| >
| > I still don't by it..  As an operator, you tell me who is 
| authorized 
| > to originate and that's the only origin AS I accept.  
| That's easier to 
| > configure in a router, requires less objects in the RPKI, and makes 
| > life much simpler.
| 
| 
| No security at all makes like enormously simpler.  At some 
| point it is  
| necessary to understand what makes a robust security 
| environemnt even  
| in a world of partial use and piecemeal adoptions and then work  
| through the issues related to operational deployment. But you appear  
| to have some other approach in mind.

As others have suggested, when "I have been allocated 203.10.60.0/22",
I issue an ROA for 203.10.60.0/22-22. That automatically means that
there can't be any other advertisements for this prefix or its more
specifics (unless I suballocate a more specific block and a new ROA
gets added to the repository for that]. Is there any case that's not 
handled by doing this?

- Pradosh
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email