From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Amir Herzberg <amir.lists@gmail.com>
Date: Tue, 28 May 2024 20:37:31 +0000
Message-ID: <SA1PR09MB814214B4946E15E7296570E984F12@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB8142978FC5DFD478E40B54D884F12@SA1PR09MB8142.namprd09.prod.outlook.com>
 <SA1PR09MB814286463D99E5327EEDF3B184F12@SA1PR09MB8142.namprd09.prod.outlook.com>
 <SA1PR09MB8142749B4309DCBDFFEED34784F12@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142749B4309DCBDFFEED34784F12@SA1PR09MB8142.namprd09.prod.outlook.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-sriram-sidrops-spl-verification@ietf.org" <draft-sriram-sidrops-spl-verification@ietf.org>
Subject: [Sidrops] Re: WG Adoption call for draft-sriram-sidrops-spl-verification - ENDS 06/03/2024 (June 3 2024)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/OkgnFIIp7-on8B58hvNIKNejPck>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>

Hi Amir,

Thank you for your review and comments. My responses below.

> From: Amir Herzberg <amir.lists@gmail.com>
>
> 1. I think the draft doesn't clearly distinguish between (intentional)
> attacks and unintentional misconfigurations. I think that the authors
> really meant, mostly or always, to prevent unintentional
> misconfigurations, in which case, their use of the term `attack' is
> confusing. Changing the term should be easy.
>

I think you are right. We'll take a closer look and change 'attack' to
'anomaly' where it is appropriate.  I think the term 'attack' can be used
when we talk about DoS/DDoS incidents. Also, the term "attack surface" is
correctly used in the context of forged-origin prefix hijacks (as you
acknowledged below).

>
> 2. An exception is the 4th reason, i.e., when a prefix owner publishes
> ROA for AS 7 and some prefix 1.2.3/24 but AS 7 doesn't announce 1.2.3/24.
> In this case, attacker could do origin hijack of 1.2.3/24 by
> announcing it with origin AS 7 (and itself as the next AS). I
> understand the motivation of supporting direct server return (DSR)
> using BAR-SAV, where we want a ROA to exist without announcing the prefix.

Yes, SPL helps in the DSR scenario for BAR-SAV.  Igor also observed that.

> However, is SPV the best mechanism to deal with this?
> I think a better alternative would be an extension to the ROA
> mechanism. This extension will define a `conditional ROA'.
> This conditional ROA will also contain the result of a hash function
> h(x) over some random x. You can use the conditional ROA in two ways:
>
> - without the preimage x: such ROA will not make announcements for AS
> 7 and 1.2.3/24 valid. However, it could be used to allow DSR, i.e.,
> it would be considered for BAR-SAV filtering.
>
> - with the preimage x, provided as a transitive BGP attribute or otherwise:
> this turns the conditional ROA into regular ROA.
>

Your proposal involves modifying the ROA to add a new field. Perhaps it can
be taken up in the future by the WG as new work.  I'll be happy to discuss
its pros and cons off-list.

Sriram
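The "conditional ROA" sketched in the quoted comment above, modelled in Python as an added example. This is not code from the draft, its authors, or anyone in this thread. It assumes SHA-256 as h(), a ConditionalROA record with a 'commitment' field, RFC 6811 state names ('valid', 'invalid', 'not-found') for the outcome, and that a covering conditional ROA whose preimage is absent yields 'invalid' (the thread only says such a route is not made valid). The prefix 1.2.3.0/24, origin AS 7 and the preimage bytes are constructed for the scenario.

```python
"""Toy model of a 'conditional ROA' carrying a hash commitment h(x).

Added example; assumptions (not from the draft or the thread): SHA-256 as h(),
the field name 'commitment', RFC 6811 state names, and 'invalid' for a
covering conditional ROA whose preimage is missing.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class ConditionalROA:
    prefix: Net
    max_length: int
    origin_as: int
    commitment: Optional[bytes] = None  # h(x); None means an ordinary ROA


def commit(x: bytes) -> bytes:
    """h(x): what the prefix holder publishes instead of revealing x."""
    return hashlib.sha256(x).digest()


def covers(roa: ConditionalROA, prefix: Net) -> bool:
    """RFC 6811 'covering': the ROA prefix contains the route prefix."""
    return prefix.subnet_of(roa.prefix)


def matches(roa: ConditionalROA, prefix: Net, origin_as: int,
            preimage: Optional[bytes]) -> bool:
    """Ordinary ROA match, plus the preimage check for a conditional ROA."""
    if roa.origin_as != origin_as or prefix.prefixlen > roa.max_length:
        return False
    if roa.commitment is None:
        return True
    return preimage is not None and commit(preimage) == roa.commitment


def origin_validation(prefix: Net, origin_as: int,
                      roas: Iterable[ConditionalROA],
                      preimage: Optional[bytes] = None) -> str:
    """Returns 'valid', 'invalid' or 'not-found' (RFC 6811 states)."""
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "not-found"
    if any(matches(r, prefix, origin_as, preimage) for r in covering):
        return "valid"
    return "invalid"


def sav_prefixes_for_as(asn: int, roas: Iterable[ConditionalROA]) -> Set[Net]:
    """BAR-SAV-style use: every ROA naming the AS counts, conditional or not,
    so a DSR prefix is accepted as a source address even if never announced."""
    return {r.prefix for r in roas if r.origin_as == asn}


# Constructed scenario: the holder of 1.2.3.0/24 publishes a conditional ROA
# for AS 7, but AS 7 does not (yet) announce the prefix.
PREFIX = Net("1.2.3.0/24")
X = b"constructed-preimage-known-only-to-the-prefix-holder"
ROAS = [ConditionalROA(PREFIX, 24, 7, commitment=commit(X))]


def scenario() -> dict:
    return {
        # forged-origin hijack: attacker claims origin AS 7 but has no x
        "hijack_without_x": origin_validation(PREFIX, 7, ROAS),
        "hijack_wrong_x": origin_validation(PREFIX, 7, ROAS, b"guess"),
        # holder later activates the ROA by revealing x with the route
        "holder_with_x": origin_validation(PREFIX, 7, ROAS, X),
        # too-specific route stays invalid even with x (max_length rule)
        "more_specific_with_x": origin_validation(Net("1.2.3.0/25"), 7, ROAS, X),
        # the DSR prefix is already usable for source-address filtering
        "sav_allows_prefix": PREFIX in sav_prefixes_for_as(7, ROAS),
        "unrelated_prefix": origin_validation(Net("9.8.7.0/24"), 7, ROAS),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Running it shows the forged-origin announcement of 1.2.3.0/24 with origin AS 7 coming out invalid until the holder supplies x, while the same prefix is already eligible for BAR-SAV source filtering. One property worth keeping in mind: once x travels in a transitive BGP attribute it is visible to every AS on the path, so revealing it is a one-way switch from conditional to regular ROA, which is exactly what the second bullet of the proposal describes rather than a per-announcement secret.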

