From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "Sriram, Kotikalapudi (Fed)"
	<kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>,
        "sidrops@ietf.org"
	<sidrops@ietf.org>
Date: Tue, 21 May 2024 20:12:51 +0000
Message-ID: <acec900085d74c048fe42f7be30d6fdd@akamai.com>
References: <171068884034.30156.2037237149778011860@ietfa.amsl.com>
 <SA1PR09MB81425CD1E67522C46F27C18A842E2@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: 
 <SA1PR09MB81425CD1E67522C46F27C18A842E2@SA1PR09MB8142.namprd09.prod.outlook.com>
Subject: [Sidrops] Re: New Version Notification for draft-sriram-sidrops-spl-verification-00.txt
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>

Sriram, I am trying to wrap my head around the set of problems SPL wants to solve that are not solved by ROA and ASPA.

I am focusing on section "6. BGP Security Threats Addressed by SPL-ROV".

Threats 1, 2, and 5 are "If someone is forging some announcement, do not let them blame it on me".  Is this a big concern?  Protecting against threats 1 and 5 does not help protect any packets from being misrouted/hijacked (and no IP space is being hijacked in threat 2 to begin with), since the malicious AS can pick any other ASN as the origin.  It is just about not letting my AS show up as the "origin", right?

Threats 2 and 4 can be mostly solved by ASPA (but only if providers also maintain ASPA entries, transitively, so a tall order).

Threat 3 can be solved by ROA.  It is really an AS protecting against its own mistakes.

I see threat 4 as the real concern here without widespread ASPA adoption.  It is especially important if we are recommending adding ASNs to ROA for direct server return use cases for SAV purposes (for algorithms like BAR-SAV).  Of course, we can be recommending using ASPA for these cases instead of ROA -- BAR-SAV would be happy.

-Igor

-----Original Message-----
From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Sriram, Kotikalapudi (Fed)
Sent: Sunday, March 17, 2024 11:39 AM
To: sidrops@ietf.org
Cc: sidrops-chairs@ietf.org
Subject: Re: [Sidrops] New Version Notification for draft-sriram-sidrops-spl-verification-00.txt

A new draft on "Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations" was just uploaded.
Please see abstract and links below. Comments welcome.

Sriram

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Sunday, March 17, 2024 11:21 AM
To: Montgomery, Douglas C. (Fed) <dougm@nist.gov>; Job Snijders <job@fastly.com>; Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
Subject: New Version Notification for draft-sriram-sidrops-spl-verification-00.txt

A new version of Internet-Draft draft-sriram-sidrops-spl-verification-00.txt
has been successfully submitted by Kotikalapudi Sriram and posted to the IETF repository.

Name:     draft-sriram-sidrops-spl-verification
Revision: 00
Title:    Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations
Date:     2024-03-17
Group:    Individual Submission
Pages:    10
URL:      https://www.ietf.org/archive/id/draft-sriram-sidrops-spl-verification-00.txt
Status:   https://datatracker.ietf.org/doc/draft-sriram-sidrops-spl-verification/
HTML:     https://www.ietf.org/archive/id/draft-sriram-sidrops-spl-verification-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-sriram-sidrops-spl-verification

Abstract:

   The Signed Prefix List (SPL) is an RPKI object that attests to the
   complete list of prefixes which an Autonomous System (AS) may
   originate in the Border Gateway Protocol (BGP).  This document
   specifies an SPL-based Route Origin Verification (SPL-ROV)
   methodology and combines it with the ROA-based ROV (ROA-ROV) to
   facilitate an integrated mitigation strategy for prefix hijacks and
   AS forgery.  The document also explains the various BGP security
   threats that SPL can help address and provides operational
   considerations associated with SPL-ROV deployment.


The IETF Secretariat
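
Added example, not part of the thread or of the draft: a simplified sketch of how an SPL check sits beside ROA-based origin validation (RFC 6811), built only from the abstract's definition of an SPL as the complete list of prefixes an AS may originate. Exact-match lookup in `spl_rov`, the rule in `combined`, and all sample ROAs, SPLs, prefixes and ASNs are assumptions constructed for illustration; the draft's actual procedure may differ.

```python
import ipaddress

# Constructed sample data: documentation prefixes, documentation-range ASNs.
ROAS = [  # (prefix, maxLength, authorized origin ASN)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
]
SPLS = {  # ASN -> complete list of prefixes that AS says it may originate
    64500: ["192.0.2.0/24"],
}

def roa_rov(prefix, origin):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # some ROA covers this route's prefix
            if asn == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def spl_rov(prefix, origin):
    """Assumed SPL check: the route's prefix must appear in the origin's SPL."""
    if origin not in SPLS:
        return "not-found"  # this AS publishes no SPL, nothing to check
    listed = {ipaddress.ip_network(p) for p in SPLS[origin]}
    return "valid" if ipaddress.ip_network(prefix) in listed else "invalid"

def combined(prefix, origin):
    """Assumed combination: a route is rejected if either check says invalid."""
    results = (roa_rov(prefix, origin), spl_rov(prefix, origin))
    if "invalid" in results:
        return "invalid"
    return "valid" if "valid" in results else "not-found"

if __name__ == "__main__":
    routes = [
        ("192.0.2.0/24", 64500),     # listed in both ROA and SPL
        ("203.0.113.0/24", 64500),   # no ROA; origin AS has an SPL without it
        ("203.0.113.0/24", 64502),   # no ROA; origin AS publishes no SPL
        ("198.51.100.0/24", 64500),  # ROA names a different origin
    ]
    for prefix, origin in routes:
        print(prefix, origin, roa_rov(prefix, origin),
              spl_rov(prefix, origin), combined(prefix, origin))
```

The second and third routes differ only in the origin ASN: the SPL turns the first of them from not-found into invalid, while the same prefix attributed to an AS with no SPL stays not-found, which is the coverage boundary the reply above is asking about.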



