[Sidrops] Re: New Version Notification for draft-sriram-sidrops-spl-verification-00.txt
"Lubashev, Igor" <ilubashe@akamai.com> Tue, 21 May 2024 20:12 UTC
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Date: Tue, 21 May 2024 20:12:51 +0000
Sriram,

I am trying to wrap my head around the set of problems SPL wants to solve that are not solved by ROA and ASPA. I am focusing on section "6. BGP Security Threats Addressed by SPL-ROV".

Threats 1, 2, and 5 are "If someone is forging some announcement, do not let them blame it on me". Is this a big concern? Protecting against threats 1 and 5 does not help protect any packets from being misrouted/hijacked (and no IP space is being hijacked in threat 2 to begin with), since the malicious AS can pick any other ASN as the origin. It is just about not letting my AS show up as the "origin", right?

Threats 2 and 4 can be mostly solved by ASPA (but only if providers also maintain ASPA entries, transitively, so a tall order).

Threat 3 can be solved by ROA. It is really an AS protecting against its own mistakes.

I see threat 4 as the real concern here without widespread ASPA adoption. It is especially important if we are recommending adding ASNs to ROA for direct server return use cases for SAV purposes (for algorithms like BAR-SAV). Of course, we can be recommending using ASPA for these cases instead of ROA -- BAR-SAV would be happy.

-Igor

-----Original Message-----
From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Sriram, Kotikalapudi (Fed)
Sent: Sunday, March 17, 2024 11:39 AM
To: sidrops@ietf.org
Cc: sidrops-chairs@ietf.org
Subject: Re: [Sidrops] New Version Notification for draft-sriram-sidrops-spl-verification-00.txt

A new draft on "Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations" was just uploaded. Please see abstract and links below. Comments welcome.

Sriram

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Sunday, March 17, 2024 11:21 AM
To: Montgomery, Douglas C. (Fed) <dougm@nist.gov>; Job Snijders <job@fastly.com>; Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
Subject: New Version Notification for draft-sriram-sidrops-spl-verification-00.txt

A new version of Internet-Draft draft-sriram-sidrops-spl-verification-00.txt has been successfully submitted by Kotikalapudi Sriram and posted to the IETF repository.

Name: draft-sriram-sidrops-spl-verification
Revision: 00
Title: Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations
Date: 2024-03-17
Group: Individual Submission
Pages: 10
URL: https://www.ietf.org/archive/id/draft-sriram-sidrops-spl-verification-00.txt
Status: https://datatracker.ietf.org/doc/draft-sriram-sidrops-spl-verification/
HTML: https://www.ietf.org/archive/id/draft-sriram-sidrops-spl-verification-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-sriram-sidrops-spl-verification

Abstract:

The Signed Prefix List (SPL) is an RPKI object that attests to the complete list of prefixes which an Autonomous System (AS) may originate in the Border Gateway Protocol (BGP). This document specifies an SPL-based Route Origin Verification (SPL-ROV) methodology and combines it with the ROA-based ROV (ROA-ROV) to facilitate an integrated mitigation strategy for prefix hijacks and AS forgery. The document also explains the various BGP security threats that SPL can help address and provides operational considerations associated with SPL-ROV deployment.

The IETF Secretariat

_______________________________________________
Sidrops mailing list
Sidrops@ietf.org
https://www.ietf.org/mailman/listinfo/sidrops