IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Russ Housley <housley@vigilsec.com> Thu, 20 April 2023 08:33 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EEDDC1516FF; Thu, 20 Apr 2023 01:33:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQOxx_hPHZg7; Thu, 20 Apr 2023 01:33:49 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA560C1516E2; Thu, 20 Apr 2023 01:33:49 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 179B656737; Thu, 20 Apr 2023 04:33:49 -0400 (EDT)
Received: from [192.168.1.161] (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id E78FD54EDC; Thu, 20 Apr 2023 04:33:48 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <SA1PR09MB81428936A8B2BC30C04C4B2684629@SA1PR09MB8142.namprd09.prod.outlook.com>
Date: Thu, 20 Apr 2023 04:33:48 -0400
Cc: "Lubashev, Igor" <ilubashe@akamai.com>, Claudio Jeker <cjeker@diehard.n-r-g.com>, "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, "draft-ietf-sidrops-aspa-profile@ietf.org" <draft-ietf-sidrops-aspa-profile@ietf.org>, "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <88D8A314-0D17-4EA7-9E33-424021AF0FFF@vigilsec.com>
References: <SA1PR09MB814241245D01E81BADE3ED0884CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <31FDE1E9-3E87-4011-B65B-C6B3A264303F@vigilsec.com> <SA1PR09MB81427B4A1B126A5D1C1E289C84CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142E41F2D6B537BCAA758F384CC9@SA1PR09MB8142.namprd09.prod.outlook.com> <CAL9jLaYz3OhcwBBcVMqnUseBR9J1ZyktcJo5YLeefQHMoYJu+A@mail.gmail.com> <CAL9jLaZ7eDc+zbhapS8dTYQKnTfgLd=MOPYw97-qcJ4eP6S6Mg@mail.gmail.com> <CAL9jLaYJ4ODfumG9Yk3-yv=_TaTSUeD++U4sGy7S-0xWcGBQPw@mail.gmail.com> <ZBGqSVL9sSqnAiJc@diehard.n-r-g.com> <SA1PR09MB8142E9F71F250B83062C724884869@SA1PR09MB8142.namprd09.prod.outlook.com> <ZCGcYHJ9PyrjgR+V@diehard.n-r-g.com> <SA1PR09MB8142EA7F33880679E9B509D384889@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB81426E1BB66D6DF31860F26984889@SA1PR09MB8142.namprd09.prod.outlook.com> <ed0146b09da346b2b48cb9701240926c@akamai.com> <SA1PR09MB81427D28EF661F9DAB05FB9B84889@SA1PR09MB8142.namprd09.prod.outlook.com> <c62da49ce2a142999260371a0af7b673@akamai.com> <SA1PR09MB81428936A8B2BC30C04C4B2684629@SA1PR09MB8142.namprd09.prod.outlook.com>
To: Sriram Kotikalapudi <kotikalapudi.sriram@nist.gov>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Ny83cquRXIFaAPVzj4igAZLx5n0>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2023 08:33:53 -0000

Sriram:

I do not think that we should tell implementers the reasons for using one table or two.

OLD:

For purposes such as computational efficiency, memory savings, etc.,	
an implementation may make its own choice regarding maintaining a	
single VAP-SPAS table or two separate tables (i.e., one per AFI).

NEW:

Implementations can maintain a single VAP-SPAS table or maintain a
separate table for each AFI.

Russ


> On Apr 19, 2023, at 6:14 PM, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> wrote:
> 
> Hi Igor, Claudio, Yangyang, Zhibin, and all,
> 
> I just uploaded version-14 of the ASPA verification draft.
> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification
> Diff: https://author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-13&url2=draft-ietf-sidrops-aspa-verification-14&difftype=--html 
> 
> This revision (v-14) takes into consideration the comments shared on the sidrops list since publication of v-13 -- from Claudio, Igor, Dai Zhibin, and Yangyang. 
> 
> Igor read the entire draft (pre-release v-14) and offered many editorial comments and also offered refinements to the Properties in Sec. 8. Thank you, Igor.
> 
> I have also carefully re-read and edited it for any remaining typos and grammatical errors, etc. 
> 
> Many thanks to all who have participated in the WGLC for very helpful suggestions, comments, and the insightful discussions.
> 
> Sriram
> 
> ============================
> -----Original Message-----
> From: Lubashev, Igor <ilubashe@akamai.com> 
> Sent: Tuesday, March 28, 2023 10:43 PM
> To: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
> Cc: sidrops@ietf.org; draft-ietf-sidrops-aspa-verification@ietf.org; draft-ietf-sidrops-aspa-profile@ietf.org
> Subject: RE: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
> 
> Thanks, Sriram.  Yes, some additional clarification for the properties would be helpful.
> 
> I think it would be valuable to mention another "mitigation property".  When an AS generates ASPA, it makes it less likely that prefixes belonging to its customers will be hijacked, if the customers also generate ASPA.
> A hijack attack that resists ASPA validation requires the hijacker to prepend its AS_PATH with a prefix containing the shortest possible sequence of ASNs identified as Providers in ASPA (transitively), starting from the hijacked ASN up to the first Provider ASN not in ASPA. When a provider generates ASPA, it forces attacker's AP_PATH to be one ASN longer, which reduces the likelihood of success of such hijack.
> 
> I think this could be a great business driver for ASPA adoption -- customers would be seeking out providers with an ASPA registration (and especially those whose providers also have ASPA registrations), since that would make their prefixes more resistant to hijacks. 
> 
> - Igor
> 
>

v2.23.0 | Report a Bug | By Email