[Sidrops] Re: WG Adoption call for draft-sriram-sidrops-spl-verification - ENDS 06/03/2024 (June 3 2024)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Wed, 22 May 2024 20:14 UTC

From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "Lubashev, Igor" <ilubashe@akamai.com>
Thread-Topic: WG Adoption call for draft-sriram-sidrops-spl-verification - ENDS 06/03/2024 (June 3 2024)
Thread-Index: AQHaqm7YngWOUGzeEUmaVQKZf+T99bGjPovQgAAgkBA=
Date: Wed, 22 May 2024 20:14:05 +0000
Message-ID: <SA1PR09MB814244669E2D6231259DA69984EB2@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <D20B81DD-3BAB-41F2-A1B5-5EE9553820E7@arrcus.com> <9d4d099dcdf042538fb92872ce357dd8@akamai.com>
In-Reply-To: <9d4d099dcdf042538fb92872ce357dd8@akamai.com>
Accept-Language: en-US
Content-Language: en-US
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-sriram-sidrops-spl-verification@ietf.org" <draft-sriram-sidrops-spl-verification@ietf.org>, "keyur@arrcus.com" <keyur@arrcus.com>
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>

Hi Igor,

My responses are inline below.

>I’ve read the draft, focusing mostly on section "6. BGP Security Threats Addressed by SPL-ROV" -- the problems SPL wants to solve that are not solved by ROA and ASPA.

>I see threat 4 as the real concern here without a widespread ASPA adoption. Just for that I support the adoption.

Thank you. See comments about the complementary nature of ASPA and SPL below.

>It is especially important to solve threat 4 if we are recommending adding ASNs to ROA for direct server return cases for SAV purposes (for algorithms like BAR-SAV).

Yes, the DSR scenario benefits from SPL’s reduction of attack surface (threat 4).

>I do have questions about the rest of the threats mentioned.

>Threats 1, 2, and 5 are "If someone is forging some announcements, do not let them blame it on my AS". Is this “AS reputation” a big concern? Protecting against threats 1 and 5 does not help protect any packets from being misrouted/hijacked (and no IP space is being hijacked in threat 2 to begin with), since the malicious AS can pick any other ASN as the origin. It is just about not letting my AS show up as the "origin", right?

If someone’s unprotected prefix or subprefix is not reachable (hijacked) and your AS is made to appear to be the origin AS (accidentally or intentionally), then that route is rejected (considered ineligible) due to the assertion by your SPL. One may call it prevention of AS abuse.

>Threats 2 and 4 can be mostly solved by ASPA (but only if providers also maintain ASPA entries, transitively, so it is a tall order).

SPL and ASPA are complementary. Threats 2 and 4 can be mostly solved by a combination of ASPA and adherence to RFC 9319. But RFC 9319 is not very well adopted so far. Also, ASPA solves the forged-origin hijack only in the upstream direction (i.e., routes received from customer or lateral peer), but not for routes received from a provider. Assuming that there are generous or loose ROAs, SPL-ROV reduces the attack surface without the directionality limitation mentioned above. There may exist loose/generous ROAs out of necessity (e.g., DSR, DDoS mitigation [RFC9319]). Sometimes it may be due to unwise use of maxlength.

>Threat 3 can be solved by ROA, but that may be not under AS’s control. It is really an AS protecting against its own mistakes.

Yes, true. Just in case some or all the needed ROAs are absent, SPL-ROV provides the added protection.

Sriram
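To make the mechanics discussed in this thread concrete, below is an added Python sketch (my own example, not code from the draft or from anyone in the thread) that runs ROA-based origin validation beside an SPL check on constructed sample data. It assumes an SPL is matched on exact prefixes and that either check returning "invalid" makes the route ineligible, and it shows why the generous-ROA case (threat 4) and the unprotected-prefix case (threats 1 and 5) are caught by the SPL even though ROA-ROV alone accepts them.

```python
import ipaddress

# Constructed sample RPKI data for this example (not from the draft or the thread).
# ROAs as (prefix, maxLength, authorised origin ASN). The /22 with maxLength 24 is
# deliberately "generous": it authorises AS 64500 for every /22../24 beneath it.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64500),
]
# SPLs: the complete set of prefixes each AS asserts it originates.
SPLS = {64500: ["203.0.113.0/24", "198.51.100.0/22"]}

def roa_rov(prefix, origin_as):
    """RFC 6811-style origin validation: valid / invalid / not-found."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, asn in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if asn == origin_as and net.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "not-found"

def spl_rov(prefix, origin_as):
    """SPL check. Assumption of this example: an SPL lists exact prefixes, so the
    route's prefix must appear verbatim in the origin AS's list."""
    if origin_as not in SPLS:
        return "no-spl"        # origin AS published no SPL, nothing to assert
    net = ipaddress.ip_network(prefix)
    listed = any(ipaddress.ip_network(p) == net for p in SPLS[origin_as])
    return "spl-valid" if listed else "spl-invalid"

def evaluate(prefix, origin_as):
    """Combine both checks; a route is ineligible if either says invalid."""
    roa, spl = roa_rov(prefix, origin_as), spl_rov(prefix, origin_as)
    eligible = roa != "invalid" and spl != "spl-invalid"
    return roa, spl, eligible

if __name__ == "__main__":
    # Legitimate origination: passes both checks.
    print(evaluate("203.0.113.0/24", 64500))   # ('valid', 'spl-valid', True)
    # Threat 4: forged-origin /24 under the generous /22 ROA. ROA-ROV alone says
    # valid; the SPL rejects it because AS 64500 never listed that /24.
    print(evaluate("198.51.100.0/24", 64500))  # ('valid', 'spl-invalid', False)
    # Threats 1/5: unprotected prefix (no ROA) shown with AS 64500 as origin.
    print(evaluate("192.0.2.0/24", 64500))     # ('not-found', 'spl-invalid', False)
    # Origin AS without an SPL: SPL-ROV has nothing to say.
    print(evaluate("192.0.2.0/24", 64501))     # ('not-found', 'no-spl', True)
```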