Re: [Sidrops] draft-sidrops-rpkimaxlen

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Mon, 25 February 2019 03:10 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DBDB129619; Sun, 24 Feb 2019 19:10:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id psOZP3K_eCJl; Sun, 24 Feb 2019 19:10:15 -0800 (PST)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-eopbgr830109.outbound.protection.outlook.com [40.107.83.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A23FE129508; Sun, 24 Feb 2019 19:10:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tOQEB4OaIS7S0vBS6KI5do9168HeVyWzQWopO3f2pU4=; b=fX9xBPdQcAC3/9JIN11/quYT/hO04zjkUCcgNPBGmpWYka0x3/bo1gB1F5SEGTDyLNt2Thncz+aVEs/3vHkgw5Q0HCEhMA+QQhk5LMFCYZ3lvAexryWwy+x5rmu4PZAI26jJwBkku6A2sbt+96PTfN0wnOGwUh3JP0nuvIolTMw=
Received: from SN6PR0901MB2366.namprd09.prod.outlook.com (52.132.115.159) by SN6PR0901MB2366.namprd09.prod.outlook.com (52.132.115.159) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.16; Mon, 25 Feb 2019 03:10:13 +0000
Received: from SN6PR0901MB2366.namprd09.prod.outlook.com ([fe80::5c3a:f8a5:80dd:2d85]) by SN6PR0901MB2366.namprd09.prod.outlook.com ([fe80::5c3a:f8a5:80dd:2d85%5]) with mapi id 15.20.1643.019; Mon, 25 Feb 2019 03:10:13 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Matthias Waehlisch <m.waehlisch@fu-berlin.de>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-rpkimaxlen@ietf.org" <draft-ietf-sidrops-rpkimaxlen@ietf.org>
Thread-Topic: [Sidrops] draft-sidrops-rpkimaxlen
Thread-Index: AQHUy8AmUSoU77RRv0K+rD/l/1dVIqXuHSeAgAAdhqqAAL2XgIAA2cTA
Date: Mon, 25 Feb 2019 03:10:12 +0000
Message-ID: <SN6PR0901MB2366DDDAB75A1619AD5A952E847A0@SN6PR0901MB2366.namprd09.prod.outlook.com>
References: <SN6PR0901MB236677B37676FFB11A22B14D84780@SN6PR0901MB2366.namprd09.prod.outlook.com>, <alpine.WNT.2.00.1902240047270.4012@mw-x1> <SN6PR0901MB23662F6907DD092EA0EC988184790@SN6PR0901MB2366.namprd09.prod.outlook.com>, <alpine.WNT.2.00.1902241416230.4012@mw-x1>
In-Reply-To: <alpine.WNT.2.00.1902241416230.4012@mw-x1>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.222.72]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ec219b2d-f4c6-4d44-630b-08d69acec229
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:SN6PR0901MB2366;
x-ms-traffictypediagnostic: SN6PR0901MB2366:
x-microsoft-exchange-diagnostics: 1; SN6PR0901MB2366; 23:7KPRUYI0QjHF4VQmkOT5Ktxv9tgQxwl9Mi7b6OOL6cML+uaTgCRFaKAQR9AFU7H1jX5Pj+cOIeaPyl27ZiH9VPNW6H4M+fVScFLmlrCxjOdi3KXZsQ9/eyJJoend7oVh7UroQshgVNzuWOIU+vweQ24rU/Wbyt57ZOMWgIfyg+hPBLplfopU+BDaEhT37E1zwDGV5Pz8vOS1WYa4zOEtQA0a5c9aS0rXeWH2bG5q2izIvuZA8OQZAoSmAq1yFJZE1ki4//rbW4Oep9gdeMEraYNBoiRMjrDempzxuPoW9gy3xu2az9t9DNurNAbu5HhuAjvv+udP6FWO1cA1WkKVLU+vvkNkE0dqAwqPG4fwsnVKZrHuh47d/vsoN3ubT8UivigBw8iuaEdkPlRqKluVKKdc5hDGsDXQrP6otb5+bmTRbgKnOgT74zf/LDM95KbdP1sgKfmSn1rp2IsejCEvpQUcQ+nO7PMd46IPPph0Zn1QiWjKL8NKHGb445hq7GumXKMHhAsShH7fCxZUeE0D4DiXGvrapH7c9uPM7mQEIqavegOi0p1D5RICDZjED+WH0HQRqolto9fuhMFB+dR/jrO+xX/cgVgFaG7JdwdRegXZoCojY8PAVpYvgV8/ncT3uqsturu+UU5t7iZ3cIoABAXMe8jYG/Gt4FU2YXEwXmwgTuSDIf7aI1NnHlwVvYxLHdjlMwRniXBOIHFH43s4Mk9+dS+epe0/CMhQTMlezussAovY1io3x0dbr2ClPCU+aMKRbze7ARkb27EEY/3eVWc3G8IaYwFIDg39oZ4oKwfq4yxa9van+Wbr+xRgFJA9iJr7kD6FFAgW5gzxLto9AG3lLlW+iiIcdZrX4mF9XDPuaTs1XATepc3/OonuQW5jGL9g+Ep50m/NZv8lw2sHP1UiiCT40HBp9xIlAa83a8wy5tw7iwadcm4gky5Be2khxjGlf4tlqdgSqXGJ+XxKQwHfFq7ZFdDC+Se89KRMNRZCIfic9X/J9Hdw4KP1vo08naJj/zDnJzf5iwdMaP6JukyWUjSvvaaxLKVhqEpMufPOuJXOKTtnvp/uzNQHe3t9e5lvnTeVF8wgv/sLQR7Z0Ghw5IuMmd8k7WsCF1wDwspDXQLT2ws6LUl1NpdR7BDiAtxSaUW9Y0l4heOAgrGnhvdd+h2f+PNpCyyfZC8Tc9GRiNjRScM8SFS/04JNV/rg0I8yIz/YVc3cAONgA7lRueKL//252HMZT4TPY0HNUgkXMCaXzgNBSChTZ8B+lOxE
x-microsoft-antispam-prvs: <SN6PR0901MB236608FCCA627D426F1B160B847A0@SN6PR0901MB2366.namprd09.prod.outlook.com>
x-forefront-prvs: 095972DF2F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(136003)(366004)(396003)(39850400004)(189003)(199004)(33656002)(7736002)(68736007)(102836004)(8676002)(2906002)(81156014)(81166006)(256004)(561944003)(6506007)(76176011)(229853002)(86362001)(11346002)(316002)(446003)(486006)(66066001)(476003)(54906003)(305945005)(52536013)(5660300002)(6436002)(74316002)(93886005)(6246003)(55016002)(14444005)(9686003)(71200400001)(71190400001)(7696005)(99286004)(6116002)(3846002)(26005)(186003)(14454004)(478600001)(106356001)(4326008)(53936002)(8936002)(105586002)(25786009)(6916009)(97736004); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR0901MB2366; H:SN6PR0901MB2366.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: YJfzbm2lctvnc86o5yndt80WM30l9FHQgK7248OSGhcu7eB7Wb+iCR4j9MHB0hp3zqcGQ2CqeJKto6J2cdz/8mvLezMgGZSX9jXtxPl0GjnKAnxhmriHdFicSUmvOH62uEw35+O6823UwhfS/PGviN7fKZoH5fg6RiQMU8c0aGV38cKYTgv6gMgH3B4BhuGRU0AwywEnOmO9bF57cF9VJv3Kh0sfhHBg9/tIiBBYbuhjYB6fkCmJq2dgLEvftvcI+K146tzwn1qtRAkiaXiXNe9kd4DRH5pNQtgXLrdjsLyeX2JKrYUXMkDOuCWoIpV6UsS8K9jEv4+eV+W9JbNfGXyYshEeFB+JDaPhjIzVKz0v2d/nYmDWzlKOB0H5osQ7atD/w1M6H2YLG1LVg5gw0368Ew870UVnIWJY9hlbQM8=
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: ec219b2d-f4c6-4d44-630b-08d69acec229
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Feb 2019 03:10:12.9205 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR0901MB2366
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/oXn33Cnwr827ybuvwiZ5pRh5OQc>
Subject: Re: [Sidrops] draft-sidrops-rpkimaxlen
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 03:10:19 -0000

Hi Matthias,

-- snip --
>> The draft does not presuppose when the prefixes may need to be 
>> announced. The time frame is up to the prefix owner. Once the prefix 
>> owner decides what prefixes (currently announced or intended to be 
>> announced) should be covered by the ROA (or ROAs), the draft merely 
>> offers recommendations for minimizing the attack surface. The example 
>> in Section 5.1 illustrates this for the DDoS case. (One more example 
>> can be added there to further drive home the point.) The example is 
>> agnostic about if/when the DDoS mitigation prefixes may need to be 
>> announced.
>> 
>  sorry but I really don't see how this limits the attack surface, in 
>case where the configured more specific prefix is announced very 
>occasionally.

We know that with fully deployed BGPsec (if ever), there is no concern about 
forged-origin attacks and no concern for ROAs created for DDoS mitigation.
But in the absence of BGPsec, there are two options as follow:

1. Pre-create ROAs for the DDoS mitigation service and 
minimize the attack surface per draft. 

For example, customer announces 168.122.0.0/16 and associated /17s,
also announces 168.122.32.0/24 (for TE), and   
and contracted DDoS mitigation service for 168.122.5.0/24.
Their servers are located in 168.122.5.0/24. 
The draft recommends the customer should create ROAs as follows:
ROA: {168.122.0.0/16, maxlength = 17}, 168.122.32.0/24, AS 64496
ROA: 168.122.5.0/24, AS 64500      
Note: AS 64500 is the DDoS mitigation SP

For this example, the draft warns against creating these kinds of ROAs 
which would have unnecessarily large attack surface:
ROA: 168.122.0.0/16, maxlength = 24, AS 64496
ROA: 168.122.0.0/16, maxlength = 24, AS 64500 
  
2. Create ROAs for DDoS mitigation on demand. Then, the risk is that there 
may be long RPKI/ROA propagation delays and the DDoS mitigation 
response time suffers. (May be the RIRs and ISPs can be persuaded to 
invest to cut this delay down.)

There are trade-offs associated with the two methods.
If you have other suggestions, we would like to hear. 

-- snip --  
>> I read the DECIX wiki page.  It is not clear to me what you mean by 
>> incorrect conclusions on that page with regard to ROA/maxlength . I 
>> would appreciate if you can clarify or cite some examples.
>> 
>  To give one example: Your draft suggests to not use the max length 
>field, which means "ROA generation software MUST use the prefix length 
>as the max length if the user does not specify a max length." [RFC 7115]

No, the draft that does not intend to suggest “never use maxlength”.
I have clarified this before, and you replied, “I got this”.
Also, see the example above which includes judicious use of maxlength. 
  
>  Option 3 in the wiki page, they will set the max length to the max 
>length of the IP version (e.g., /32 for v4). This is different to your 
>proposal.

Yep, this is not relevant to the draft. The DECIX effort is about how 
the IXP can validate Blackhole messages from customers.

>
>  Based on what you wrote, each member that intends to send a 
>blackholing announcement would need to create a corresponding ROA. 
>Option 3, actually, tries to solve the problem when members forget to do 
>this.

This again has really nothing to do with the draft’s recommendations. 
The draft doesn’t even mention ROAs with  > /24 IPv4 and > /48 IPv6.
In general, I would say, IXP/ISP should not require ROAs for the 
more specific Blackhole prefixes. They can be loosely validated without
requiring ROAs (for those more specific prefixes) 
as DECIX seems to be doing (option 3). 

We can chat about all this some more in Prague.

I will speak with my co-authors about making the draft a bit more general
per your suggestion.

Thanks.

Regards,
Sriram