Re: [Sidrops] Roman Danyliw's Discuss on draft-ietf-sidrops-lta-use-cases-06: (with DISCUSS and COMMENT)

Randy Bush <> Wed, 01 May 2019 20:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2C54A120094; Wed, 1 May 2019 13:58:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 50cb5qehv9lQ; Wed, 1 May 2019 13:58:12 -0700 (PDT)
Received: from ( [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3577B120021; Wed, 1 May 2019 13:58:12 -0700 (PDT)
Received: from localhost ([] by with esmtp (Exim 4.90_1) (envelope-from <>) id 1hLwIr-0007WC-Cf; Wed, 01 May 2019 20:58:09 +0000
Date: Wed, 01 May 2019 13:58:08 -0700
Message-ID: <>
From: Randy Bush <>
To: Roman Danyliw <>
Cc: The IESG <>, SIDR Operations WG <>
In-Reply-To: <>
References: <>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.2 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=ISO-2022-JP
Archived-At: <>
Subject: Re: [Sidrops] Roman Danyliw's Discuss on draft-ietf-sidrops-lta-use-cases-06: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 May 2019 20:58:14 -0000

> (1) I want to discuss what I see as a dissonance between use case #3
> (Section 4, “Alice is responsible for the trusted routing for a large
> organization …”)  and the Security Considerations.  It appears that
> use case #3 is explicitly describing an on-path attack per RFC3552.
> Is use case #3 a use case or an attack against RPKI?

it is using the rpki to facilitate an attack on the internet within a
local scope.

in a sense, all three use cases describe 'attacks' on the rpki.  they
are all about having divergent local views of the rpki content.  like
many tools, they have applications good and bad.

> There seems to me to be an analog between use case #3 and the TLS/web
> MitM discussions where the consensus was not to standardize these
> features despite their existence.  In what way do you see RPKI as
> different?

well, it's not a transport/network layer, so the monkey can not find a
middle :).  but it definitely is an attack.

note that this draft does not describe mechanisms, only use cases.  but,
as i said in response to mirja, i have sympathy for the position and am
willing to go either way.  but this use case is, and will likely
continue to be, the dominant use for tree modification a la slurm.

> (2) Thanks for the additional background in in [1].  More to clarity
> along the lines of Mirja’s DISCUSS, I’m trying to unpack the use case
> #3 text in Section 4.
> Original Text: “Alice is responsible for the trusted routing for a large
> organization, commercial or geo-political, in which management requests to
> redirect their competitors' prefixes to socially acceptable data.”
> If Alice is “(us|china|uk|justabouteverybody)” per [1], who is the
> “management” in the context of a government?

different cultures have different organizational relationships between
political decision making and internet operations.  anybody here
understand the mechanisms by which the USG shuts down a thousand web
sites?  we read in the press about various cultures doing this stuff all
the time, and it is pretty complex.

> Furthermore, “competitor’s” is confusing to me because it seems odd to
> characterize the networks of objectionable content as competitors to
> other governments.  I would have read this text as “Alice is a network
> operator who has been directed to inspect and redirect select prefixes
> to …”.

glad to have a different term which conveys the intent.  we have always
been at war with eastasia.

btw, the use case which is most interesting to operators is that of
carol, the 'dutch court attack.'  while carol or a third party can
easily construct a slurm patch, how is that distributed, authenticated,
and how do third parties decide whether to apply it?

> A few editorial nits:

thanks.  as it is now within 24 of your telechat, i will hold back on a
new draft.