Re: [Sidrops] draft-sidrops-rpkimaxlen

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Sun, 24 February 2019 03:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/hRj7SazZgfMJ7KjHxCc5jnsb6Fc>

Hi Matthias,

>> A minimal ROA is one which includes prefixes that are currently
>> announced or are intended to be announced. Use of maxlength can be
>> avoided or it should be used judiciously so that more specific
>> prefixes that are not intended to be announced are not covered by the
>> ROA. The idea is to minimize the attack surface corresponding to
>> forged-origin subprefix hijacking.
>>
>  I got this, see below.

OK. Good.

--- snip ----

>> A better definition of minimal ROA as outlined above will take care of
>> the misunderstanding. The draft did recognize that the IP prefixes
>> planned to be announced in the future or intermittently (when needed)
>> may be included in the ROA. Please see the following paragraph from
>> Section 5.1:
>>
>  This is not very helpful. "when needed" is fuzzy. Needed in six month?
>Do you know when a DDoS occurs? The draft supposes that needed is very
>short-term.

The draft does not presuppose when the prefixes may need to be announced.
The time frame is up to the prefix owner.
Once the prefix owner decides what prefixes (currently announced or
intended to be announced) should be covered by the ROA (or ROAs),
the draft merely offers recommendations for minimizing the attack surface. 
The example in Section 5.1 illustrates this for the DDoS case.
(One more example can be added there to further drive home the point.)
The example is agnostic about if/when the DDoS mitigation prefixes 
may need to be announced.    

--- snip ----

>  What I tried to say is that the authors of the wiki page draw
>incorrect conclusions, probably based on misleading insights from the
>draft.

I read the DECIX wiki page.  It is not clear to me what you mean by
incorrect conclusions on that page with regard to ROA/maxlength.
I would appreciate it if you could clarify or cite some examples.

Thanks.  

Sriram
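As an added illustration of the point argued in this message (example code written for this archive page; it is not from the draft, from either correspondent, or from the DECIX wiki page), the script below does two things: a minimal RFC 6811-style route origin validation check, and an enumeration of the "attack surface" the message refers to, i.e. the more-specific prefixes that a ROA's maxLength authorizes but that the prefix owner does not announce. Each such prefix can be announced by an attacker with the authorized origin AS forged onto the path and will still be judged "valid" by ROV. The prefixes, ASNs and ROA sets (10.0.0.0/16, AS64496, a hypothetical DDoS mitigation AS64500) are constructed for the example and are not the draft's Section 5.1 example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation outcome for one route: 'valid', 'invalid' or 'notfound'.

    A route is valid if some ROA covers the prefix, names the origin AS, and the
    prefix length does not exceed that ROA's maxLength; invalid if ROAs cover it
    but none match; notfound if no ROA covers it at all.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def hijackable_subprefixes(roas, intended_announcements):
    """Prefixes a ROA set authorizes (prefix length .. maxLength) that the owner
    neither announces nor intends to announce.

    Each returned prefix is exposed to forged-origin subprefix hijacking: an
    attacker who originates it with the ROA's AS forged as origin passes ROV.
    """
    intended = {ipaddress.ip_network(p) for p in intended_announcements}
    surface = set()
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA with maxLength below its own prefix length authorizes nothing.
        for length in range(roa_net.prefixlen, roa.max_length + 1):
            for sub in roa_net.subnets(new_prefix=length):
                if sub not in intended:
                    surface.add(sub)
    return surface


# Constructed scenario (not real allocations): the owner announces the /16 and
# one /24 today, and intends a mitigation provider (AS64500) to announce
# 10.0.2.0/24 on its behalf whenever a DDoS requires it.
ANNOUNCED = ["10.0.0.0/16", "10.0.1.0/24"]
INTENDED_LATER = ["10.0.2.0/24"]

# One loose ROA covering every /16../24 more-specific under AS64496.
LOOSE = [ROA("10.0.0.0/16", 24, 64496)]

# Minimal ROAs: exactly the prefixes that are, or are meant to be, announced.
MINIMAL = [
    ROA("10.0.0.0/16", 16, 64496),
    ROA("10.0.1.0/24", 24, 64496),
    ROA("10.0.2.0/24", 24, 64500),  # mitigation prefix, authorized only for AS64500
]


def compare():
    """Return (loose_surface_size, minimal_surface_size) for the scenario above."""
    loose = hijackable_subprefixes(LOOSE, ANNOUNCED + INTENDED_LATER)
    minimal = hijackable_subprefixes(MINIMAL, ANNOUNCED + INTENDED_LATER)
    return len(loose), len(minimal)


if __name__ == "__main__":
    loose_n, minimal_n = compare()
    print(f"loose ROA (/16-24): {loose_n} hijackable more-specifics")
    print(f"minimal ROAs:       {minimal_n} hijackable more-specifics")
    # A forged-origin announcement of an unannounced /24 under the loose ROA:
    print("10.0.7.0/24 from AS64496, loose:  ", rov_state("10.0.7.0/24", 64496, LOOSE))
    print("10.0.7.0/24 from AS64496, minimal:", rov_state("10.0.7.0/24", 64496, MINIMAL))
    # The mitigation prefix stays valid, but only for the mitigation provider:
    print("10.0.2.0/24 from AS64500, minimal:", rov_state("10.0.2.0/24", 64500, MINIMAL))
    print("10.0.2.0/24 from AS64496, minimal:", rov_state("10.0.2.0/24", 64496, MINIMAL))
```

Under the loose ROA the owner's two current announcements plus the one intended announcement are covered, but so are 508 other more-specifics that nobody will ever legitimately originate; with the minimal set the count drops to zero while every current and intended route still validates. Note that the minimal set does not depend on when the mitigation prefix gets announced, only on the owner's decision that it should be authorized for AS64500.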