Re: [Sidrops] Welcome your attention and any comments // FW: New Version Notification for draft-shen-sidrops-region-verification-00.txt

Christopher Morrow <christopher.morrow@gmail.com> Thu, 15 July 2021 19:23 UTC

From: Christopher Morrow <christopher.morrow@gmail.com>
Date: Thu, 15 Jul 2021 15:22:52 -0400
Message-ID: <CAL9jLaYNwNYzFaZf4jt+CeYfeA-6R5rr2zOVb7UgVFdxfocAVw@mail.gmail.com>
To: "Wanghaibo (Rainsword)" <rainsword.wang@huawei.com>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/niUNZSgk1DEy64f4cxoS8GrmZr8>
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>

(for clarity, from a reading reader of the written words I wrote)

On Thu, Jul 15, 2021 at 1:38 PM Christopher Morrow <
christopher.morrow@gmail.com> wrote:

> My reading of this, admittedly quickly, is that the draft says basically:
>   "hey, you can do some leak prevention with ROA and some with ASPA, but
> these alone are not sufficient"
>
>
"hey, you can do some leak prevention with RouteOriginValidation (ROV,
meaning using the RPKI/ROA data to validate origins of prefixes seen in the
bgp stream)..."


> I think I agree, except that in all cases so far we've always said:
>   "You should keep RPKI data updated, and IRR data updated and filter your
> bgp peerings"
>
>
> So, without filters there's not a clear way to prevent leaks... Does this
> draft basically need to say:
>   "Hey, rpki is cool, but you still must filter!!"
>
>
"Hey, RPKI-based ROV, ASPA are cool, but you still must filter!!"

apologies for being less than clear...as much as I complain about other
people with their loose words you'd think I'd learn :(

and yes aspa may help you get better filters...
>
> On Thu, Jul 8, 2021 at 10:05 PM Wanghaibo (Rainsword) <
> rainsword.wang@huawei.com> wrote:
>
>> Hi All,
>>
>> We have published a new draft of region verification recently.
>> https://datatracker.ietf.org/doc/draft-shen-sidrops-region-verification/
>>
>> This is also introduced in the APNIC 50.
>>
>> https://conference.apnic.net/50/assets/files/APCS790/BGP-Routing-Security-Region-based-Trust-Alliance-Validation.pdf
>>
>> Welcome your comments and suggestions
>>
>>
>> Abstract:
>>    BGP routing security is becoming a major issue that affects the
>>    normal running of Internet services.  Currently, there are many
>>    solutions, including ROA authentication and ASPA authentication, to
>>    prevent route source hijacking, path hijacking, and route leaking.
>>    However, on an actual network, large ISPs with multiple ASes can use
>>    carefully constructed routes to bypass ROA and ASPA authentication to
>>    attack the target network.
>>
>>    This document defines an region-based authentication method for large
>>    ISPs with many ASes to prevent traffic hijacking within ISPs.