Re: [Sidrops] draft-sidrops-rpkimaxlen

Matthias Waehlisch <m.waehlisch@fu-berlin.de> Mon, 25 February 2019 10:15 UTC

Return-Path: <m.waehlisch@fu-berlin.de>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 454D212D4E6; Mon, 25 Feb 2019 02:15:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zkmzUuUcZHHK; Mon, 25 Feb 2019 02:15:25 -0800 (PST)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABB56128D52; Mon, 25 Feb 2019 02:15:25 -0800 (PST)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (envelope-from <m.waehlisch@fu-berlin.de>) id <1gyDIB-002Q0c-CK>; Mon, 25 Feb 2019 11:15:23 +0100
Received: from ze304.pia.fu-berlin.de ([87.77.227.4] helo=mw-x1.zedat.fu-berlin.de) by inpost2.zedat.fu-berlin.de (Exim 4.85) with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (envelope-from <m.waehlisch@fu-berlin.de>) id <1gyDIB-00298S-47>; Mon, 25 Feb 2019 11:15:23 +0100
Date: Mon, 25 Feb 2019 11:15:22 +0100
From: Matthias Waehlisch <m.waehlisch@fu-berlin.de>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
cc: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-rpkimaxlen@ietf.org" <draft-ietf-sidrops-rpkimaxlen@ietf.org>
In-Reply-To: <SN6PR0901MB2366DDDAB75A1619AD5A952E847A0@SN6PR0901MB2366.namprd09.prod.outlook.com>
Message-ID: <alpine.WNT.2.00.1902250951230.4012@mw-x1>
References: <SN6PR0901MB236677B37676FFB11A22B14D84780@SN6PR0901MB2366.namprd09.prod.outlook.com>, <alpine.WNT.2.00.1902240047270.4012@mw-x1> <SN6PR0901MB23662F6907DD092EA0EC988184790@SN6PR0901MB2366.namprd09.prod.outlook.com>, <alpine.WNT.2.00.1902241416230.4012@mw-x1> <SN6PR0901MB2366DDDAB75A1619AD5A952E847A0@SN6PR0901MB2366.namprd09.prod.outlook.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
X-X-Sender: waehl@mail.zedat.fu-berlin.de
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="336053415-24579-1551084771=:4012"
Content-ID: <alpine.WNT.2.00.1902250953060.4012@mw-x1>
X-Originating-IP: 87.77.227.4
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/96h_KEk1HOzm5BdHuQ0oBIrT3n4>
Subject: Re: [Sidrops] draft-sidrops-rpkimaxlen
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 10:15:27 -0000

Hi Sriram,

On Mon, 25 Feb 2019, Sriram, Kotikalapudi (Fed) wrote:

> -- snip --
> >> The draft does not presuppose when the prefixes may need to be 
> >> announced. The time frame is up to the prefix owner. Once the prefix 
> >> owner decides what prefixes (currently announced or intended to be 
> >> announced) should be covered by the ROA (or ROAs), the draft merely 
> >> offers recommendations for minimizing the attack surface. The example 
> >> in Section 5.1 illustrates this for the DDoS case. (One more example 
> >> can be added there to further drive home the point.) The example is 
> >> agnostic about if/when the DDoS mitigation prefixes may need to be 
> >> announced.
> >> 
> >  sorry but I really don't see how this limits the attack surface, in 
> >case where the configured more specific prefix is announced very 
> >occasionally.
> 
> We know that with fully deployed BGPsec (if ever), there is no concern about 
> forged-origin attacks and no concern for ROAs created for DDoS mitigation.
>
  ;).

> But in the absence of BGPsec, there are two options as follow:
> 
> 1. Pre-create ROAs for the DDoS mitigation service and 
> minimize the attack surface per draft. 
> 
> For example, customer announces 168.122.0.0/16 and associated /17s,
> also announces 168.122.32.0/24 (for TE), and   
> and contracted DDoS mitigation service for 168.122.5.0/24.
> Their servers are located in 168.122.5.0/24. 
> The draft recommends the customer should create ROAs as follows:
> ROA: {168.122.0.0/16, maxlength = 17}, 168.122.32.0/24, AS 64496
> ROA: 168.122.5.0/24, AS 64500      
> Note: AS 64500 is the DDoS mitigation SP
> 
  I'm not sure whether this "minimizes" the attack surface.

  Minimizing probably means that you create the ROAs on demand.

> For this example, the draft warns against creating these kinds of ROAs 
> which would have unnecessarily large attack surface: ROA: 
> 168.122.0.0/16, maxlength = 24, AS 64496 ROA: 168.122.0.0/16, 
> maxlength = 24, AS 64500
>   
  Btw, this warning is already noted in RFC 7115.

> 2. Create ROAs for DDoS mitigation on demand. Then, the risk is that there 
> may be long RPKI/ROA propagation delays and the DDoS mitigation 
> response time suffers. (May be the RIRs and ISPs can be persuaded to 
> invest to cut this delay down.)
> 
> There are trade-offs associated with the two methods.
> If you have other suggestions, we would like to hear. 
> 
  No other suggestions. My original point was that the draft is 
misleading because the draft highlights the max length field.

> -- snip --  
> >> I read the DECIX wiki page.  It is not clear to me what you mean by 
> >> incorrect conclusions on that page with regard to ROA/maxlength . I 
> >> would appreciate if you can clarify or cite some examples.
> >> 
> >  To give one example: Your draft suggests to not use the max length 
> >field, which means "ROA generation software MUST use the prefix length 
> >as the max length if the user does not specify a max length." [RFC 7115]
> 
> No, the draft that does not intend to suggest “never use maxlength”.
> I have clarified this before, and you replied, “I got this”.
>
  I was not writing "never" ;). Sorry that the text gave the impression.


> We can chat about all this some more in Prague.
> 
  Will be there.



Thanks
  matthias

-- 
Matthias Waehlisch
.  Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl