[Sidrops] Re: WG Adoption call for draft-sriram-sidrops-spl-verification - ENDS 06/03/2024 (June 3 2024)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Mon, 03 June 2024 15:25 UTC

From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Ties de Kock <tdekock@ripe.net>
Date: Mon, 03 Jun 2024 15:25:12 +0000
Message-ID: <SA1PR09MB8142C409643E1ECEF8C3A55F84FF2@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB8142978FC5DFD478E40B54D884F12@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814286463D99E5327EEDF3B184F12@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142749B4309DCBDFFEED34784F12@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814214B4946E15E7296570E984F12@SA1PR09MB8142.namprd09.prod.outlook.com> <F62EB815-FEE2-45EB-8B67-FC93C3667619@ripe.net> <5752698325164c6aafffc131450b2859@huawei.com> <CANPYmgiX10TVGvWGKTaQqyZ_wMA=9ZZ_VS5rZ1-xUVau1+jvZQ@mail.gmail.com>
In-Reply-To: <CANPYmgiX10TVGvWGKTaQqyZ_wMA=9ZZ_VS5rZ1-xUVau1+jvZQ@mail.gmail.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-sriram-sidrops-spl-verification@ietf.org" <draft-sriram-sidrops-spl-verification@ietf.org>
Subject: [Sidrops] Re: WG Adoption call for draft-sriram-sidrops-spl-verification - ENDS 06/03/2024 (June 3 2024)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/LcE2RNPR8ie6ELv-ORLLMv3r9CU>

Hi Ties,

Thank you for the detailed review and comments. 

Glad to know that you see threats/scenarios #1, #2, and #5 (Section 6) pointing to beneficial use cases of SPL. 

All your comments will be carefully taken into consideration to revise the draft going forward.  Please see my other responses inline below.

> -----Original Message-----
> From: Ties de Kock <tdekock@ripe.net>
> Sent: Monday, June 3, 2024 3:44 AM
>
> I have read the draft and support adoption.
>
> I think the use cases and deployment considerations for SPL need more discussion.
> SPL is the minimal proposal for this problem space so far. I feel that adopting this document is the way to continue this discussion.
>
> We are introducing multiple objects that can serve the same goal. SPLs overlap with both ROAs and ASPAs. To me, this is a downside, since each partial mitigation makes perfect deployment of any other mitigation less likely.

Maybe -- s/multiple objects that can serve the same goal/multiple objects that serve varying but somewhat overlapping goals/.

>
> Threats 1 and 2 will help prevent misattribution (and add non-repudiation for legitimate announcements) for networks that actively participate in the internet. That is a real benefit.
>
> Scenario 5 slightly improves over an empty provider set for ASPA and will make reclaiming unused ASNs easier.
>
> However, I have questions about the other scenarios mentioned.
>
> As I understand it, scenario 3 is mitigated if the originating AS has a ROA for the original announcements.
>

You are right. My thoughts:  Typically, there would be many prefixes affected in this anomaly (scenario 3) and originated by possibly different ASes.  SPL offers additional protection in case some of those (prefix, origin AS) pairs have ROAs and others don't (partial deployment).   

> Scenario 4 describes how minimal SPLs improve the situation where overly permissive ROAs exist (or not all space is announced). I think that the underlying assumption that operators will maintain a strict SPL while the ROAs are overly permissive is unrealistic (e.g. it is likely operators would create permissive SPLs). Section 7.4 also assumes the permissive pre-positioned ROA+SPL for DDOS mitigation, contradicting this premise.

Good observations.  Yes, the DDoS mitigation scenario in Sec. 7.4 is an exception to the premise in Scenario 4 (Sec. 6).  The DDoS mitigation client (prefix owner) may consider the permissive SPL (along with a permissive ROA) an acceptable trade-off: the benefit of quick responsiveness of DDoS mitigation vs. the increased attack surface for forged-origin hijack.  Of course, in this situation, the ASPA offers reasonable partial protection (i.e., protected when the bad BGP Update is received from a customer or lateral peer).

If prefix owners use maxlength or include unannounced prefixes in their ROAs for preventing prefix squatting, SPL can be protective by being less permissive.

>
> Minor comments:
>   * Section 3: "For a given asID, ... does not originate any prefixes": This
>     needs to be described on the level of validated SPL payload (which is the union over
>     1..n SPLs for an AS).
>
>     The behaviour in the non-recommended case (multiple SPL) needs to be unambiguously defined.

Yes, will revise the wording per your suggestions above.

>
>   * Section 6: It is implicit that SPL-ROV is valid for the described effects
>     to exist. I would clarify this in the text.

Your question is not very clear.  The SPL-ROV must give an Invalid result to detect the anomaly or attack, such as forged-origin hijacks.  We can clarify this in the text.

Thanks!

Sriram
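The following is an added illustration, not code from the draft, from NIST, or from either participant in this thread. It models the two points the exchange turns on: Ties' suggestion that the "validated SPL payload" for an AS be defined as the union over its 1..n SPLs (so the multiple-SPL case is unambiguous, including an SPL with an empty prefix list), and Sriram's point that SPL-ROV must return Invalid for a forged-origin announcement, which is what gives SPL value where a ROA is missing (scenario 3, partial deployment) or permissive in maxLength (scenario 4 / the maxlength remark). The function names (`validated_spl_payload`, `spl_rov`, `roa_rov`, `assess`), the exact-match rule for SPL prefixes, the three-state Valid/Invalid/NotFound outcome, and all sample objects (documentation ASNs and prefixes) are assumptions made here for the example; consult the draft for its normative wording.

```python
"""
Added illustration (not from the draft or its authors): a minimal model of
SPL-based Route Origin Validation (SPL-ROV) beside classic ROA-based ROV, run
over constructed objects. Assumptions: the validated SPL payload of an AS is
the union of all its SPLs; an SPL prefix must match the route prefix exactly
(SPLs carry no maxLength); SPL-ROV yields Valid / Invalid / NotFound.
"""
from ipaddress import ip_network

# Constructed sample objects: documentation ASNs (RFC 5398) and prefixes (RFC 5737 / RFC 3849).
SPLS = [
    (64500, ["192.0.2.0/24"]),     # AS 64500 publishes two SPLs (the draft discourages this,
    (64500, ["2001:db8::/32"]),    # but the resulting payload must still be well defined)
    (64501, []),                   # AS 64501 asserts that it originates no prefixes at all
]
ROAS = [
    ("192.0.2.0/24", 24, 64500),   # (prefix, maxLength, asID)
    ("2001:db8::/32", 48, 64500),  # permissive maxLength: any /48 under it is ROV-Valid
]


def validated_spl_payload(spls):
    """Collapse 1..n SPLs per asID into one set of exact prefixes (assumed union semantics)."""
    payload = {}
    for asid, prefixes in spls:
        payload.setdefault(asid, set()).update(ip_network(p) for p in prefixes)
    return payload


def spl_rov(payload, prefix, origin_as):
    """SPL-ROV: NotFound when the origin AS has no SPL; Valid only on an exact prefix match."""
    if origin_as not in payload:
        return "NotFound"
    return "Valid" if ip_network(prefix) in payload[origin_as] else "Invalid"


def roa_rov(roas, prefix, origin_as):
    """Classic ROV (RFC 6811): a covering ROA with matching AS and length within maxLength."""
    route = ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, asid in roas:
        roa = ip_network(roa_prefix)
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True
        if asid == origin_as and route.prefixlen <= maxlen:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def assess(prefix, origin_as, spls=SPLS, roas=ROAS):
    """Return (ROV state, SPL-ROV state) for one route so the two mechanisms can be compared."""
    payload = validated_spl_payload(spls)
    return roa_rov(roas, prefix, origin_as), spl_rov(payload, prefix, origin_as)


if __name__ == "__main__":
    routes = [
        ("192.0.2.0/24", 64500),     # legitimate origination: both Valid
        ("198.51.100.0/24", 64500),  # AS 64500 used as origin on a prefix with no ROA (scenario 3)
        ("2001:db8:1::/48", 64500),  # within the permissive maxLength, but absent from the SPL
        ("203.0.113.0/24", 64501),   # origin that declared an empty prefix list (scenario 5)
        ("203.0.113.0/24", 64502),   # origin with neither ROA nor SPL coverage
    ]
    for prefix, asn in routes:
        rov, spl = assess(prefix, asn)
        print(f"{prefix:18} AS{asn}  ROV={rov:8} SPL-ROV={spl}")
```

The second and third routes are the interesting ones: ROV alone returns NotFound or even Valid, while SPL-ROV returns Invalid, which is exactly the result Sriram says SPL-ROV must produce for the verification to detect the anomaly. Whether a relying party should treat a covering but non-exact SPL prefix as Valid is a design choice the draft, not this example, settles.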