[Sidrops] Re: New Version Notification for draft-sriram-sidrops-spl-verification-00.txt

Yangyang Wang <wangyy@cernet.edu.cn> Mon, 03 June 2024 16:56 UTC

I have read this draft and support adoption.

I also feel that the application of SPL needs more discussion.

My comments and questions are as follows:

In Table 1, the states ROA-ROV-state=NotFound and SPL-ROV-state=Valid will
generate the state 'Eligible'. I feel that this 'Eligible' is not so
Eligible and SPL may introduce potential risk easily. An AS A may insert a
prefix not covered by a ROA into its SPL, but AS B also announces this
prefix and includes it in its SPL. Either A or B may make a (malicious)
mistake. Although the operators of AS A and B may find out what's wrong with
it after negotiation, the event could have happened for a while.

I feel that the state SPL-ROV-state=Invalid is more credible than
SPL-ROV-state=Valid, because any AS does not want the prefix originated by
it legally to be validated as 'invalid' and blocked. The power of SPL is as
an 'invalid' filter for prefixes.

And, it seems that SPL cannot help save on ROA registration. If a prefix is
requested to be included in the SPL, the appropriate ROAs also need to be
registered in advance, as mentioned in 7.4 and 7.2, and this recommendation
should be required in 7.1 (the prefix owner may decide to split its prefix;
it should then register ROAs for the more-specific prefixes).


Best regards,
Yangyang
> -----Original Message-----
> From: forwardingalgorithm@ietf.org [mailto:forwardingalgorithm@ietf.org]
> On Behalf Of Sriram, Kotikalapudi (Fed)
> Sent: 17 March 2024 23:39
> To: sidrops@ietf.org
> Cc: sidrops-chairs@ietf.org
> Subject: Re: [Sidrops] New Version Notification for draft-sriram-sidrops-spl-verification-00.txt
> 
> A new draft on "Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations" was just uploaded.
> Please see abstract and links below. Comments welcome.
> 
> Sriram
> 
> -----Original Message-----
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: Sunday, March 17, 2024 11:21 AM
> To: Montgomery, Douglas C. (Fed) <dougm@nist.gov>; Job Snijders <job@fastly.com>; Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
> Subject: New Version Notification for draft-sriram-sidrops-spl-verification-00.txt
> 
> A new version of Internet-Draft draft-sriram-sidrops-spl-verification-00.txt has been successfully submitted by Kotikalapudi Sriram and posted to the IETF repository.
> 
> Name:     draft-sriram-sidrops-spl-verification
> Revision: 00
> Title:    Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations
> Date:     2024-03-17
> Group:    Individual Submission
> Pages:    10
> URL:      https://www.ietf.org/archive/id/draft-sriram-sidrops-spl-verification-00.txt
> Status:   https://datatracker.ietf.org/doc/draft-sriram-sidrops-spl-verification/
> HTML:     https://www.ietf.org/archive/id/draft-sriram-sidrops-spl-verification-00.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-sriram-sidrops-spl-verification
> 
> Abstract:
> 
>    The Signed Prefix List (SPL) is an RPKI object that attests to the
>    complete list of prefixes which an Autonomous System (AS) may
>    originate in the Border Gateway Protocol (BGP).  This document
>    specifies an SPL-based Route Origin Verification (SPL-ROV)
>    methodology and combines it with the ROA-based ROV (ROA-ROV) to
>    facilitate an integrated mitigation strategy for prefix hijacks and
>    AS forgery.  The document also explains the various BGP security
>    threats that SPL can help address and provides operational
>    considerations associated with SPL-ROV deployment.
> 
> 
> The IETF Secretariat
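The scenario Yangyang raises (two ASes each listing the same ROA-less prefix in their SPL, both landing in the ROA-ROV NotFound + SPL-ROV Valid row of Table 1) as an added example that is not part of the mail or the draft. The SPL-ROV state rules are assumed from the abstract (an SPL is the complete list an AS may originate); only the Table 1 row quoted in the mail is modelled, and the AS numbers and prefixes are constructed.

```python
from collections import namedtuple
from ipaddress import ip_network

Roa = namedtuple("Roa", "prefix maxlen asn")


def spl_rov(prefix, origin, spls):
    """SPL-ROV state (assumed from the draft abstract): a prefix listed in the
    origin's SPL is Valid, an unlisted one is Invalid since the SPL is the
    complete list, and an origin without any SPL yields NotFound."""
    if origin not in spls:
        return "NotFound"
    return "Valid" if prefix in spls[origin] else "Invalid"


def roa_rov(prefix, origin, roas):
    """ROA-ROV state with the usual covering/maxLength/origin matching."""
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    if any(r.asn == origin and prefix.prefixlen <= r.maxlen for r in covering):
        return "Valid"
    return "Invalid"


def evaluate(prefix, origin, spls, roas):
    """Return the (ROA-ROV state, SPL-ROV state) pair for one announcement."""
    return roa_rov(prefix, origin, roas), spl_rov(prefix, origin, spls)


def is_quoted_eligible_row(states):
    """Only the Table 1 row cited in the mail is modelled:
    ROA-ROV NotFound + SPL-ROV Valid -> 'Eligible'."""
    return states == ("NotFound", "Valid")


# Constructed data: AS 64496 (A) and AS 64497 (B) both list P in their SPLs;
# no ROA covers P at first.
P = ip_network("192.0.2.0/24")
SPLS = {64496: {P, ip_network("198.51.100.0/24")}, 64497: {P}}


def scenario_without_roa():
    """Both origins end up in the quoted 'Eligible' row: nothing tells them apart."""
    return evaluate(P, 64496, SPLS, []), evaluate(P, 64497, SPLS, [])


def scenario_with_roa():
    """After A registers a ROA, B's announcement becomes ROA-ROV Invalid."""
    roas = [Roa(ip_network("192.0.2.0/24"), 24, 64496)]
    return evaluate(P, 64496, SPLS, roas), evaluate(P, 64497, SPLS, roas)
```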