[sidr] AD Review of sidr-origin-validation-signaling-09

"Alvaro Retana (aretana)" <aretana@cisco.com> Sun, 13 November 2016 06:40 UTC

From: "Alvaro Retana (aretana)" <aretana@cisco.com>
To: "draft-ietf-sidr-origin-validation-signaling@ietf.org" <draft-ietf-sidr-origin-validation-signaling@ietf.org>
Date: Sun, 13 Nov 2016 06:40:21 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/wzdA2oFt0_qcAVsW6DoCZzBbOlo>
Cc: "Sandra L. Murphy" <sandy@tislabs.com>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: [sidr] AD Review of sidr-origin-validation-signaling-09

Dear authors:

Hi!

I have a couple of comments about this document (below).  I am going to start the IETF Last Call, and schedule it in the next IESG Telechat, with the expectation that my comments will be addressed before then.

Thanks!

Alvaro.


C1. The reference to rfc7607 should be Informative.

C2. [Major] Security Considerations.  I think that there is one consideration that should be mentioned in this section:  Given that the largest value is preferred (2 = invalid), there is an attack vector where a router in the path (yes, even an internal router) can inject a community indicating that the route is invalid; the communities are not protected.  This action could result in inconsistent routing or even in a DoS.  I know the document is not explicit about what to do with the validation state (which is ok), but the clear intention (from rfc6811 and rfc7115) is that it will be used to make routing decisions.  Please add some text about this potential issue.
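
Added example, not part of the original message or of the draft: a receiver-side decoder showing how the largest-value rule in C2 lets one unprotected extra community change the signaled state, plus a consistency check against locally computed state. The type/sub-type octets are taken from RFC 8097 (the published form of this draft); `audit`, its return labels and the sample data are hypothetical.

```python
import struct

# Encoding per RFC 8097 (not stated in the message above): opaque extended
# community, type 0x43, sub-type 0x00, five reserved octets, one state octet.
OV_TYPE, OV_SUBTYPE = 0x43, 0x00
STATES = {0: "valid", 1: "not-found", 2: "invalid"}

def ov_states(ext_comms: bytes) -> list:
    """Every origin validation state in a packed run of 8-octet extended communities."""
    if len(ext_comms) % 8:
        raise ValueError("extended communities must be a multiple of 8 octets")
    found = []
    for off in range(0, len(ext_comms), 8):
        typ, sub, _reserved, state = struct.unpack_from("!BB5sB", ext_comms, off)
        if (typ, sub) == (OV_TYPE, OV_SUBTYPE) and state in STATES:
            found.append(state)  # values above 2 are ignored in this example
    return found

def signaled_state(ext_comms: bytes):
    """Largest value wins, so a single added 'invalid' overrides the rest."""
    states = ov_states(ext_comms)
    return max(states) if states else None

def audit(ext_comms: bytes, local_state: int) -> str:
    """Compare the signaled state with one computed locally (RFC 6811).
    Assumes the auditing router has its own RPKI-derived state (hypothetical helper)."""
    signaled = signaled_state(ext_comms)
    if signaled is None:
        return "no-signal"
    if signaled == local_state:
        return "consistent"
    return "signaled-worse" if signaled > local_state else "signaled-better"

# Constructed sample data, not captured traffic.
def ov(state: int) -> bytes:
    return bytes([OV_TYPE, OV_SUBTYPE, 0, 0, 0, 0, 0, state])

ROUTE_TARGET = struct.pack("!BBHI", 0x00, 0x02, 64500, 100)  # unrelated community
AS_SENT = ROUTE_TARGET + ov(0)   # as attached by the validating router
AS_RECEIVED = AS_SENT + ov(2)    # same route carrying one extra community

if __name__ == "__main__":
    for name, attr in (("as sent", AS_SENT), ("as received", AS_RECEIVED)):
        print(name, STATES.get(signaled_state(attr)), audit(attr, local_state=0))
```

A "signaled-worse" result on a route whose local state is valid is the inconsistency C2 describes and is worth logging with the peer the route was learned from.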