Re: [Sidrops] draft-sidrops-rpkimaxlen
Matthias Waehlisch <m.waehlisch@fu-berlin.de> Mon, 25 February 2019 10:15 UTC
Return-Path: <m.waehlisch@fu-berlin.de>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 454D212D4E6; Mon, 25 Feb 2019 02:15:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zkmzUuUcZHHK; Mon, 25 Feb 2019 02:15:25 -0800 (PST)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABB56128D52; Mon, 25 Feb 2019 02:15:25 -0800 (PST)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (envelope-from <m.waehlisch@fu-berlin.de>) id <1gyDIB-002Q0c-CK>; Mon, 25 Feb 2019 11:15:23 +0100
Received: from ze304.pia.fu-berlin.de ([87.77.227.4] helo=mw-x1.zedat.fu-berlin.de) by inpost2.zedat.fu-berlin.de (Exim 4.85) with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (envelope-from <m.waehlisch@fu-berlin.de>) id <1gyDIB-00298S-47>; Mon, 25 Feb 2019 11:15:23 +0100
Date: Mon, 25 Feb 2019 11:15:22 +0100
From: Matthias Waehlisch <m.waehlisch@fu-berlin.de>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
cc: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-rpkimaxlen@ietf.org" <draft-ietf-sidrops-rpkimaxlen@ietf.org>
In-Reply-To: <SN6PR0901MB2366DDDAB75A1619AD5A952E847A0@SN6PR0901MB2366.namprd09.prod.outlook.com>
Message-ID: <alpine.WNT.2.00.1902250951230.4012@mw-x1>
References: <SN6PR0901MB236677B37676FFB11A22B14D84780@SN6PR0901MB2366.namprd09.prod.outlook.com>, <alpine.WNT.2.00.1902240047270.4012@mw-x1> <SN6PR0901MB23662F6907DD092EA0EC988184790@SN6PR0901MB2366.namprd09.prod.outlook.com>, <alpine.WNT.2.00.1902241416230.4012@mw-x1> <SN6PR0901MB2366DDDAB75A1619AD5A952E847A0@SN6PR0901MB2366.namprd09.prod.outlook.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
X-X-Sender: waehl@mail.zedat.fu-berlin.de
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="336053415-24579-1551084771=:4012"
Content-ID: <alpine.WNT.2.00.1902250953060.4012@mw-x1>
X-Originating-IP: 87.77.227.4
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/96h_KEk1HOzm5BdHuQ0oBIrT3n4>
Subject: Re: [Sidrops] draft-sidrops-rpkimaxlen
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 10:15:27 -0000
Hi Sriram, On Mon, 25 Feb 2019, Sriram, Kotikalapudi (Fed) wrote: > -- snip -- > >> The draft does not presuppose when the prefixes may need to be > >> announced. The time frame is up to the prefix owner. Once the prefix > >> owner decides what prefixes (currently announced or intended to be > >> announced) should be covered by the ROA (or ROAs), the draft merely > >> offers recommendations for minimizing the attack surface. The example > >> in Section 5.1 illustrates this for the DDoS case. (One more example > >> can be added there to further drive home the point.) The example is > >> agnostic about if/when the DDoS mitigation prefixes may need to be > >> announced. > >> > > sorry but I really don't see how this limits the attack surface, in > >case where the configured more specific prefix is announced very > >occasionally. > > We know that with fully deployed BGPsec (if ever), there is no concern about > forged-origin attacks and no concern for ROAs created for DDoS mitigation. > ;). > But in the absence of BGPsec, there are two options as follow: > > 1. Pre-create ROAs for the DDoS mitigation service and > minimize the attack surface per draft. > > For example, customer announces 168.122.0.0/16 and associated /17s, > also announces 168.122.32.0/24 (for TE), and > and contracted DDoS mitigation service for 168.122.5.0/24. > Their servers are located in 168.122.5.0/24. > The draft recommends the customer should create ROAs as follows: > ROA: {168.122.0.0/16, maxlength = 17}, 168.122.32.0/24, AS 64496 > ROA: 168.122.5.0/24, AS 64500 > Note: AS 64500 is the DDoS mitigation SP > I'm not sure whether this "minimizes" the attack surface. Minimizing probably means that you create the ROAs on demand. > For this example, the draft warns against creating these kinds of ROAs > which would have unnecessarily large attack surface: ROA: > 168.122.0.0/16, maxlength = 24, AS 64496 ROA: 168.122.0.0/16, > maxlength = 24, AS 64500 > Btw, this warning is already noted in RFC 7115. > 2. Create ROAs for DDoS mitigation on demand. Then, the risk is that there > may be long RPKI/ROA propagation delays and the DDoS mitigation > response time suffers. (May be the RIRs and ISPs can be persuaded to > invest to cut this delay down.) > > There are trade-offs associated with the two methods. > If you have other suggestions, we would like to hear. > No other suggestions. My original point was that the draft is misleading because the draft highlights the max length field. > -- snip -- > >> I read the DECIX wiki page. It is not clear to me what you mean by > >> incorrect conclusions on that page with regard to ROA/maxlength . I > >> would appreciate if you can clarify or cite some examples. > >> > > To give one example: Your draft suggests to not use the max length > >field, which means "ROA generation software MUST use the prefix length > >as the max length if the user does not specify a max length." [RFC 7115] > > No, the draft that does not intend to suggest “never use maxlength”. > I have clarified this before, and you replied, “I got this”. > I was not writing "never" ;). Sorry that the text gave the impression. > We can chat about all this some more in Prague. > Will be there. Thanks matthias -- Matthias Waehlisch . Freie Universitaet Berlin, Computer Science .. http://www.cs.fu-berlin.de/~waehl
- [Sidrops] draft-sidrops-rpkimaxlen Matthias Waehlisch
- Re: [Sidrops] draft-sidrops-rpkimaxlen Randy Bush
- Re: [Sidrops] draft-sidrops-rpkimaxlen Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] draft-sidrops-rpkimaxlen Matthias Waehlisch
- Re: [Sidrops] draft-sidrops-rpkimaxlen Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] draft-sidrops-rpkimaxlen Matthias Waehlisch
- Re: [Sidrops] draft-sidrops-rpkimaxlen Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] draft-sidrops-rpkimaxlen Matthias Waehlisch
- Re: [Sidrops] draft-sidrops-rpkimaxlen Jakob Heitz (jheitz)
- Re: [Sidrops] draft-sidrops-rpkimaxlen Randy Bush
- Re: [Sidrops] draft-sidrops-rpkimaxlen Ben Maddison
- Re: [Sidrops] draft-sidrops-rpkimaxlen Di Ma
- Re: [Sidrops] draft-sidrops-rpkimaxlen George Michaelson
- Re: [Sidrops] draft-sidrops-rpkimaxlen Di Ma
- Re: [Sidrops] draft-sidrops-rpkimaxlen Christopher Morrow
- Re: [Sidrops] draft-sidrops-rpkimaxlen Ben Maddison
- Re: [Sidrops] draft-sidrops-rpkimaxlen Christopher Morrow