Yes, I agree. On Wed, Apr 18, 2018 at 8:20 AM Sriram, Kotikalapudi (Fed) < [email protected]> wrote:
> Amir, > > >I support the adoption of "draft-sriram-opsec-urpf-improvements" as an > >OPSEC Working Group document. > > Thank you. > > > > >Let me mention that I think the WG should also consider potential use of > >RPKI as a complementary mechanism to improve uRPF. Namely, if there is an > >ROA for the prefix-origin pair, it should be allowed (even if the > >(enhanced/preferred)uRPF check fails. In a future (fantasy?) where RPKI is > > I agree with you here. When you say, "if there is an > ROA for the prefix-origin pair, it should be allowed", I think you mean > ROA for prefix-origin pair with origin AS in the ISP's customer cone. > What you propose can be done even in partial deployment of RPKI, > of course not stand alone but for augmenting the RPF lists > constructed with the methods proposed in the draft. > It helps to add completeness and/or perform additional sanity checks for > the RPF filters. > Of course, the benefit of doing this (as a complementary mechanism) > gets increasing better as the RPKI deployment grows. > > Sriram > > >widely deployed, this solution may have even been better. I'm aware that > >this is, unfortuately, far cry from current situation, hence I definitely > >support moving forward with this draft. My comment can be discussed as > part > >of this or separately (or not at all). > > > >thanks, Amir > > > > > -- -- Amir Herzberg Associate Professor, Dept. of Computer Science, Bar Ilan University http://www.cs.biu.ac.il/~herzbea
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
