Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-verification-15.txt

gengnan <gengnan@huawei.com> Mon, 17 July 2023 10:46 UTC

From: gengnan <gengnan@huawei.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Date: Mon, 17 Jul 2023 10:46:34 +0000
Message-ID: <8d87478693d94febaa886f32b7dedc80@huawei.com>
References: <SA1PR09MB8142DC7FB44633058F1CE3598431A@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142DC7FB44633058F1CE3598431A@SA1PR09MB8142.namprd09.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/vXm_ocaaZyp2s5yg_K35EjrU4-Q>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-verification-15.txt

Hi Sriram,

Thanks for the v-15 draft. 

Some small suggestions:
1) For easy understanding, there could be more description of how the BGP roles are used in verification. For path verification purposes, BGP roles are introduced, but they are not used in Section 6. Also, the Verification at Egress eBGP Router should be taken from the perspective of the next-hop AS's BGP role.
2) RFC 9234 should also be included as an existing technology in Sec. 10. I am interested in whether RFC 9234 for preventing and detecting route leaks is necessary if ASPA is deployed. There is overlap between them.


Best,
Nan
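
The first point above, how the RFC 9234 role on a session selects the upstream or downstream ASPA procedure and how an egress check is the same procedure run from the next-hop AS's role, illustrated with an added example. This code is not from the draft, its authors or this message: the ASPA table is constructed sample data, the role-to-procedure mapping and the route-server handling are this example's own simplifications, and the two procedures follow the general shape of the draft's Section 6 (hop classification, up-ramp and down-ramp) rather than its exact text.

```python
# Added illustration, not the draft's text and not any validator implementation.
from typing import Dict, List, Set

# Constructed sample ASPA data: customer ASN -> authorised provider ASNs.
# An ASN with no entry has published no ASPA object (64530 is a transit AS
# without ASPA, 64560 an origin without ASPA).
ASPA: Dict[int, Set[int]] = {
    64500: {64510, 64511},
    64510: {64520},
    64511: {64521},
    64520: {64530},
    64521: {64530},
    64540: {64530},
    64541: {64540},
}

PROVIDER_PLUS = "Provider+"
NOT_PROVIDER_PLUS = "Not Provider+"
NO_ATTESTATION = "No Attestation"


def hop(customer: int, provider: int) -> str:
    """Is `provider` an authorised provider of `customer` according to its ASPA?"""
    providers = ASPA.get(customer)
    if providers is None:
        return NO_ATTESTATION
    return PROVIDER_PLUS if provider in providers else NOT_PROVIDER_PLUS


def verify_upstream(path: List[int]) -> str:
    """Route learned from a customer, lateral peer or RS-client.

    path is in AS_PATH order: path[0] is the neighbour, path[-1] the origin.
    Every hop must climb: path[i] has to be an authorised provider of path[i+1].
    """
    if len(path) <= 1:
        return "Valid"
    hops = [hop(path[i + 1], path[i]) for i in range(len(path) - 1)]
    if NOT_PROVIDER_PLUS in hops:
        return "Invalid"
    return "Valid" if all(h == PROVIDER_PLUS for h in hops) else "Unknown"


def verify_downstream(path: List[int]) -> str:
    """Route learned from a provider (or, simplified here, from a route server).

    Walking origin -> neighbour, a clean path climbs an up-ramp, crosses at most
    one lateral-peer hop, then descends a down-ramp. Hop i joins path[i+1], path[i].
    """
    n = len(path)
    if n <= 2:
        return "Valid"
    up = [hop(path[i + 1], path[i]) for i in range(n - 1)]    # path[i] provides for path[i+1]
    down = [hop(path[i], path[i + 1]) for i in range(n - 1)]  # path[i+1] provides for path[i]
    up_ramp = 0                       # climbing hops counted from the origin end
    for i in range(n - 2, -1, -1):
        if up[i] != PROVIDER_PLUS:
            break
        up_ramp += 1
    down_ramp = 0                     # descending hops counted from the neighbour end
    for i in range(n - 1):
        if down[i] != PROVIDER_PLUS:
            break
        down_ramp += 1
    if up_ramp + down_ramp >= n - 2:  # both ramps plus at most one apex hop
        return "Valid"
    # Hops at index >= u cannot be descending, hops at index <= v cannot be
    # climbing; two or more hops that can do neither means a valley: a leak.
    u = next((i for i in range(n - 1) if down[i] == NOT_PROVIDER_PLUS), n)
    v = next((i for i in range(n - 2, -1, -1) if up[i] == NOT_PROVIDER_PLUS), -1)
    return "Invalid" if u < v else "Unknown"


# Our RFC 9234 role on the session picks the procedure for routes the neighbour
# sends us (this mapping is the example's assumption; RS handling is simplified).
INGRESS_PROCEDURE = {
    "provider": verify_upstream,    # neighbour is our customer
    "peer": verify_upstream,        # lateral peer
    "rs": verify_upstream,          # neighbour is our RS-client
    "customer": verify_downstream,  # neighbour is our provider
    "rs-client": verify_downstream, # neighbour is a route server
}
# The role the neighbour holds on the same session.
INVERSE_ROLE = {"provider": "customer", "customer": "provider", "peer": "peer",
                "rs": "rs-client", "rs-client": "rs"}


def verify_ingress(local_role: str, path: List[int]) -> str:
    return INGRESS_PROCEDURE[local_role](path)


def verify_egress(local_asn: int, local_role: str, path: List[int]) -> str:
    """Evaluate a route before export exactly as the next-hop AS will: it sees
    our ASN prepended and applies the procedure for its own role on the session."""
    return verify_ingress(INVERSE_ROLE[local_role], [local_asn] + path)


if __name__ == "__main__":
    # Constructed scenarios: a clean downstream path, a leak seen from a
    # provider, and a peer-learned route that must not be exported upwards.
    print(verify_ingress("customer", [64540, 64530, 64520, 64510, 64500]))
    print(verify_ingress("provider", [64511, 64510, 64500]))
    print(verify_egress(64511, "customer", [64510, 64500]))
```

The egress function is the point of the comment above: exporting to a provider or peer means the receiver runs the upstream procedure with our ASN in front, exporting to a customer means it runs the downstream one, so the same code answers "would this export look like a leak to the next hop" without a separate egress algorithm.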

> -----Original Message-----
> From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Sriram, Kotikalapudi
> (Fed)
> Sent: Tuesday, July 11, 2023 11:06 PM
> To: sidrops@ietf.org
> Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-verification-15.txt
> 
> Hi all,
> 
> An updated version 15 has been uploaded.
> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification-15
> 
> The changes in v-15 are:
> 
> 1. Updates due to the removal of afiLimit from the ASPA profile.
> 
> 2. Incorporates comments (very helpful) that continued to come after the
> formal WGLC period.
> 
> 3. Sections 7 and 8 are better organized.
> 
> 4. New Section 7.2 "Verification and Mitigation at Egress eBGP Router".  This
> section extends what RFC 8893 did for RPKI-ROV to ASPA-based AS_PATH
> verification.
> 
> 5. New Section 9.4 "DoS/DDoS Mitigation Service Provider".
> 
> 6. Other edits for text improvements.
> 
> Thank you.
> 
> Sriram
> 
> ------------------------
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This Internet-Draft is a work item of the SIDR Operations
> (SIDROPS) WG of the IETF.
> 
>    Title           : BGP AS_PATH Verification Based on Autonomous System
> Provider Authorization (ASPA) Objects
>    Authors         : Alexander Azimov
>                      Eugene Bogomazov
>                      Randy Bush
>                      Keyur Patel
>                      Job Snijders
>                      Kotikalapudi Sriram
>    Filename        : draft-ietf-sidrops-aspa-verification-15.txt
>    Pages           : 23
>    Date            : 2023-07-10
> 
> Abstract:
>    This document describes procedures that make use of Autonomous System
>    Provider Authorization (ASPA) objects in the Resource Public Key
>    Infrastructure (RPKI) to verify the Border Gateway Protocol (BGP)
>    AS_PATH attribute of advertised routes.  This type of AS_PATH
>    verification provides detection and mitigation of route leaks and
>    improbable AS paths.  It also to some degree provides protection
>    against prefix hijacks with forged-origin or forged-path-segment.
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/
> 
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification-15
> 
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-sidrops-aspa-verification-15
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops