Re: [Sidrops] RTR version 3 (Signed Prefix Lists PDUs)

Yangyang Wang <wangyy@cernet.edu.cn> Thu, 04 April 2024 09:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/2H5VUGSBwgeEuGU35IkvowiZYnU>

> -----Original Message-----
> From: forwardingalgorithm@ietf.org [mailto:forwardingalgorithm@ietf.org]
> On Behalf Of Sriram, Kotikalapudi (Fed)
> Sent: 6 March 2024 12:20
> To: Job Snijders <job@fastly.com>; Geoff Huston <gih@apnic.net>
> Cc: sidrops@ietf.org; Randy Bush <randy@psg.com>
> Subject: Re: [Sidrops] RTR version 3 (Signed Prefix Lists PDUs)
> 
> Job wrote:
> 
> >Take this example:
> >
> >ROAs exist:
> >  10.0.0.0/24 Origin AS 65535
> >  10.0.1.0/24 Origin AS 65535
> >
> >SPL exists:
> >  Origin AS 65535: 10.0.0.0/24
> >
> >In BGP is announced:
> >  10.0.2.0/24 Origin AS 65535
> >
> >Indeed, VRP 10.0.1.0/24 AS65535 doesn't need to be signalled from cache
> >to the routers, ...
> 
> Even this is not true. AS 65535 does not announce 10.0.1.0/24 but includes
> 10.0.1.0/24 in its ROA to perhaps protect it from squatting attacks. Consider
> that AS 64511 announces 10.0.1.0/24 (squatting attempt). This update is
> received at AS 64496, which does ROV but is not upgraded to do SPL. AS 64496
> requires the RTR PDU (IPv4 Prefix) that contains {10.0.1.0/24 Origin AS 65535}
> in order to block the squatting attempt.
> 
> So, there may be extra prefixes in a ROA (whether just explicitly included or
> via maxlength) that are not announced and are also not included in the AS's
> SPL. But still they are required to be delivered to ASes that do ROV but do
> not yet do SPL-based verification.
> 
> Sriram


Based on this case, I feel a regulation is needed here.
If the case "AS 65535 does not announce 10.0.1.0/24 but includes 10.0.1.0/24
in its ROA to perhaps protect it from squatting attacks" is true, I think AS
65535 should include 10.0.1.0/24 in its SPL. If it is not included in its SPL,
the ROA for 10.0.1.0/24 should be considered a malicious registration. Without
this regulation, it is difficult to determine whether the 10.0.1.0/24 ROA is
registered for a malicious purpose, an unintentional misconfiguration, or
useful prevention of a squatting attack, and the "handshake" or
"house-cleaning" effect of the SPL on ROAs does not work.


Regards,

Yangyang
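The following is an added worked example, not code from the thread or from any RTR cache or router implementation. It models the scenario the three messages argue over in plain Python: RFC 6811 route origin validation at an AS that does ROV but not SPL, a cache that (as Job's example suggests and Sriram objects to) forwards only VRPs whose prefix also appears in the origin AS's SPL, and Yangyang's proposed rule turned into a check that lists ROA entries an AS left out of its SPL. The ROA, SPL and announcement values are the thread's own; the data shapes (VRPs as tuples, the SPL as a dict from origin AS to prefixes) and all function names are assumptions of this example.

```python
import ipaddress

# Constructed sample data mirroring the thread's example (documentation
# prefixes and reserved AS numbers); not data from any real RPKI repository.
ROAS = [
    # (prefix, maxLength, origin AS)
    ("10.0.0.0/24", 24, 65535),
    ("10.0.1.0/24", 24, 65535),
]
# Assumed SPL shape: origin AS -> list of prefixes that AS says it originates.
SPL = {65535: ["10.0.0.0/24"]}


def roas_to_vrps(roas):
    """Flatten ROA entries into VRP tuples (network, maxLength, origin AS)."""
    return [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in roas]


def rov(prefix, origin_as, vrps):
    """RFC 6811 route origin validation for one BGP announcement.

    Valid    -> a covering VRP has the same origin AS and maxLength is honoured
    Invalid  -> covering VRPs exist but none of them matches
    NotFound -> no VRP covers the prefix at all
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, maxlen, vrp_as in vrps:
        if vrp_net.version != net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        if vrp_as == origin_as and net.prefixlen <= maxlen:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def prune_vrps_to_spl(vrps, spl):
    """Model the cache behaviour Sriram objects to: forward only VRPs whose
    exact prefix also appears in the origin AS's SPL."""
    kept = []
    for vrp_net, maxlen, asn in vrps:
        listed = {ipaddress.ip_network(p) for p in spl.get(asn, [])}
        if vrp_net in listed:
            kept.append((vrp_net, maxlen, asn))
    return kept


def roa_entries_missing_from_spl(roas, spl):
    """Yangyang's proposed rule as a consistency check: for every AS that has
    published an SPL, report ROA entries whose prefix is not in that SPL.
    A ROA whose maxLength exceeds its prefix length also authorises
    more-specifics the SPL does not enumerate (Sriram's "via maxlength"
    case), so such entries are reported as well."""
    findings = []
    for p, maxlen, asn in roas:
        if asn not in spl:
            continue  # no SPL published by this AS: the rule cannot apply
        net = ipaddress.ip_network(p)
        listed = {ipaddress.ip_network(x) for x in spl[asn]}
        if net not in listed:
            findings.append((p, asn, "prefix not in SPL"))
        elif maxlen > net.prefixlen:
            findings.append((p, asn, "maxLength covers prefixes not in SPL"))
    return findings


if __name__ == "__main__":
    full = roas_to_vrps(ROAS)
    pruned = prune_vrps_to_spl(full, SPL)
    # AS 64496 does ROV only; compare the squatting announcement under both feeds.
    for label, feed in (("full VRP feed", full), ("SPL-pruned feed", pruned)):
        print(f"{label}: 10.0.1.0/24 from AS 64511 ->",
              rov("10.0.1.0/24", 64511, feed))
    print("ROA entries AS 65535 left out of its SPL:",
          roa_entries_missing_from_spl(ROAS, SPL))
```

With the full VRP feed the squatting announcement of 10.0.1.0/24 from AS 64511 is Invalid and an ROV-only router drops it; with the SPL-pruned feed the same announcement is NotFound and passes, which is exactly the gap Sriram describes. The check at the end flags the 10.0.1.0/24 ROA entry, which under Yangyang's proposed regulation is the entry AS 65535 would have to either add to its SPL or have treated as a suspicious registration.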