[Sidrops] Re: WG Adoption call for draft-sriram-sidrops-spl-verification - ENDS 06/03/2024 (June 3 2024)
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 28 May 2024 20:37 UTC
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Amir Herzberg <amir.lists@gmail.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-sriram-sidrops-spl-verification@ietf.org" <draft-sriram-sidrops-spl-verification@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/OkgnFIIp7-on8B58hvNIKNejPck>

Hi Amir,

Thank you for your review and comments. My responses below.

> From: Amir Herzberg <amir.lists@gmail.com>
>
> 1. I think the draft doesn't clearly distinguish between (intentional)
> attacks and unintentional misconfigurations. I think that the authors
> really meant, mostly or always, to prevent unintentional
> misconfigurations, in which case, their use of the term `attack' is
> confusing. Changing the term should be easy.
>

I think you are right. We'll take a closer look and change 'attack' to 'anomaly' where it is appropriate. I think the term 'attack' can be used when we talk about DoS/DDoS incidents. Also, the term "attack surface" is correctly used in the context of forged-origin prefix hijacks (as you acknowledged below).

>
> 2. An exception is the 4th reason, i.e., when a prefix owner publishes
> ROA for AS 7 and some prefix 1.2.3/24 but AS 7 doesn't announce 1.2.3/24.
> In this case, attacker could do origin hijack of 1.2.3/24 by
> announcing it with origin AS 7 (and itself as the next AS). I
> understand the motivation of supporting direct server return (DSR)
> using BAR-SAV, where we want a ROA to exist without announcing the prefix.

Yes, SPL helps in the DSR scenario for BAR-SAV. Igor also observed that.

> However, is SPV the best mechanism to deal with this?
> I think a better alternative would be an extension to the ROA
> mechanism. This extension will define a `conditional ROA'.
> This conditional ROA will also contain the result of a hash function
> h(x) over some random x. You can use the conditional ROA in two ways:
>
> - without the preimage x: such ROA will not make announcements for AS
> 7 and 1.2.3/24 valid. However, it could be used to allow DSR, i.e.,
> it would be considered for BAR-SAV filtering.
>
> - with the preimage x, provided as a transitive BGP attribute or otherwise:
> this turns the conditional ROA into regular ROA.
>

Your proposal involves modifying the ROA to add a new field. Perhaps it can be taken up in the future by the WG as new work. I'll be happy to discuss its pros and cons off-list.

Sriram
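
An illustration of the conditional-ROA idea quoted in the message above, added here as an example; it is not code from the draft, from either correspondent, or from any RPKI implementation. The `ConditionalROA` class, its field names, SHA-256 as the hash h, and the choice to return Invalid (rather than NotFound) when the preimage is absent are all assumptions made for the sketch.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConditionalROA:
    """Hypothetical object: a ROA carrying a commitment h(x). Not a real RPKI type."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int
    commitment: Optional[bytes] = None  # h(x); None models a regular ROA

    def matches(self, route, origin_as) -> bool:
        return (route.subnet_of(self.prefix)
                and route.prefixlen <= self.max_length
                and origin_as == self.origin_as)

    def unlocked_by(self, preimage: Optional[bytes]) -> bool:
        if self.commitment is None:
            return True                      # regular ROA, nothing to unlock
        if preimage is None:
            return False                     # conditional ROA used without x
        digest = hashlib.sha256(preimage).digest()
        return hmac.compare_digest(digest, self.commitment)


def origin_validation(roas, route, origin_as, preimage=None) -> str:
    """Route origin validation in which a conditional ROA only yields Valid with x.
    Assumption: a locked conditional ROA still counts as covering the route."""
    covering = [r for r in roas if route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    if any(r.matches(route, origin_as) and r.unlocked_by(preimage) for r in covering):
        return "Valid"
    return "Invalid"


def sav_allowed_prefixes(roas, origin_as):
    """Prefixes considered for BAR-SAV filtering; the commitment is ignored here."""
    return {r.prefix for r in roas if r.origin_as == origin_as}


# Constructed sample data, using the prefix and AS number from the message.
X = b"constructed-random-x"
ROUTE = ipaddress.ip_network("1.2.3.0/24")
UNRELATED = ipaddress.ip_network("10.0.0.0/8")
ROA = ConditionalROA(ROUTE, 24, 7, hashlib.sha256(X).digest())
```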