Re: [Sidrops] WG Adoption call for draft-sriram-sirops-bar-sav-02.txt - ENDS 01/30/2023 (Jan 30 2023)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 31 January 2023 01:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/KY0Ce-AtlH9aIMpSxaVftQ2Tdx8>

Hi Amreesh,

Thank you for the review and comments.

>As BAR-SAV relies on BGP Update AS_PATH data, I would like the authors to
>provide a little more information on how it deals with manipulated AS_PATH
>information.

The BAR-SAV algorithm requires excluding BGP Updates that are considered Invalid by the ASPA-based path verification algorithm. From Sec. 4, page 6:

   As a measure of security, validation of the AS_PATH data in Adj-RIBs-
   In [RFC4271] SHOULD be performed using the procedures in
   [I-D.ietf-sidrops-aspa-verification] and any Invalid AS_PATHs must be
   excluded from inputs to the BAR-SAV procedure.  This ensures that BGP
   UPDATEs containing route leaks are not considered for BAR-SAV filter
   design.

>Finally, just a thought, can BAR-SAV use BGPSEC data instead of or in
>combination with ASPA data?

BGPsec path validation is an assurance that the Update actually traveled the path shown in the BGPsec_PATH Attribute. However, it does not detect route leaks (valley-free violations). ASPA path validation, on the other hand, can offer assurance that the path appearing in the AS_PATH attribute is route-leak free, but it cannot assure that the Update actually traveled that path. Nevertheless, we can think of the ASPA valid paths as feasible. That is a trade-off between the BGPsec and ASPA methods. People generally seem to agree that wide deployment of ASPA is more likely and possibly in a much shorter time frame than wide deployment of BGPsec. Additionally, ASPA data in combination with ROA data helps significantly in uncovering any hidden prefixes for SAV filter design, and that in turn significantly lowers the probability of false positives for BAR-SAV.

Having said that, your suggestion makes sense for the future. If BGPsec deployment comes into play, it can be another means for eliminating "manipulated AS_PATH information" from being considered.

Sriram

-----------------------------------------------
From: Amreesh Phokeer <amreesh.phokeer@gmail.com> Mon, 30 January 2023

Hello all,

I support the adoption of the draft "Source Address Validation Using BGP
UPDATEs, ASPA, and ROA (BAR-SAV)", as I believe it tries to solve a
real-world problem.
I like the fact that it uses information from existing objects i.e. ASPA
and ROA but I also share the concern that ASPA is not an RFC yet (hopefully
soon).

As BAR-SAV relies on BGP Update AS_PATH data, I would like the authors to
provide a little more information on how it deals with manipulated AS_PATH
information.

Finally, just a thought, can BAR-SAV use BGPSEC data instead of or in
combination with ASPA data?

Regards,
Amreesh
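
The exclusion step described in the reply above, as an added example (not code from the draft or its authors): the upstream-path case of ASPA verification is run over Adj-RIB-In entries learned from a customer, and Invalid AS_PATHs are dropped before anything is handed to BAR-SAV. The ASNs, prefixes, ASPA records and function names are constructed for illustration; paths are assumed to contain no AS_SET, and the downstream-path case is not covered.

```python
# Added example: ASNs, prefixes and ASPA records are constructed.
from typing import Dict, List, Set, Tuple

# ASPA records: customer AS -> attested provider ASes (constructed data).
ASPA: Dict[int, Set[int]] = {64496: {64500}, 64497: {64500}, 64500: {64510}}

def hop(customer: int, provider: int) -> str:
    """Classify one AS_PATH hop against the ASPA records."""
    if customer not in ASPA:
        return "No Attestation"
    return "Provider+" if provider in ASPA[customer] else "Not Provider+"

def verify_upstream(as_path: List[int], neighbor: int) -> str:
    """Upstream-path check. as_path is neighbor-first, origin-last and is
    assumed to contain no AS_SET."""
    if not as_path or as_path[0] != neighbor:
        return "Invalid"
    # Collapse prepending, then walk from the origin towards the neighbor.
    uniq = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    uniq.reverse()
    hops = [hop(uniq[i], uniq[i + 1]) for i in range(len(uniq) - 1)]
    if "Not Provider+" in hops:
        return "Invalid"
    return "Unknown" if "No Attestation" in hops else "Valid"

Route = Tuple[str, List[int]]

def bar_sav_inputs(adj_rib_in: List[Route], neighbor: int) -> List[Route]:
    """Keep only routes whose AS_PATH is not Invalid (Unknown is kept)."""
    return [r for r in adj_rib_in if verify_upstream(r[1], neighbor) != "Invalid"]

# Constructed Adj-RIB-In of AS 64510 for its customer AS 64500.
ADJ_RIB_IN: List[Route] = [
    ("192.0.2.0/24", [64500, 64496]),            # attested hop
    ("198.51.100.0/24", [64500, 64500, 64497]),  # prepended, attested hop
    ("203.0.113.0/24", [64500, 64497, 64496]),   # 64497 is not a provider of 64496
    ("2001:db8::/32", [64500, 64499]),           # 64499 has no ASPA record
]

if __name__ == "__main__":
    for prefix, path in ADJ_RIB_IN:
        print(prefix, path, verify_upstream(path, 64500))
    print([p for p, _ in bar_sav_inputs(ADJ_RIB_IN, 64500)])
```

Only the third route is excluded: its AS_PATH claims a hop that the origin's ASPA record contradicts. A path with no attestation stays Unknown and remains an input.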