Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)
draft-ietf-opsec-blackhole-urpf-04

Document history

Date Rev. By Action
2009-07-07
04 Cindy Morgan State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan
2009-07-07
04 (System) IANA Action state changed to No IC from In Progress
2009-07-07
04 (System) IANA Action state changed to In Progress
2009-07-07
04 Amy Vezza IESG state changed to Approved-announcement sent
2009-07-07
04 Amy Vezza IESG has approved the document
2009-07-07
04 Amy Vezza Closed "Approve" ballot
2009-07-02
04 Cindy Morgan State Changes to Approved-announcement to be sent from IESG Evaluation - Defer by Cindy Morgan
2009-07-02
04 Cullen Jennings [Ballot comment]
2009-07-02
04 Adrian Farrel
[Ballot comment]
I was looking in the Security Section for something about the risk associated with source-based RTBH announcements received from customers.

Giving up, I paged up and found immediately above...
  As a matter of policy, operators SHOULD NOT accept source-based RTBH
  announcements from their peers or customers, they should only be
  installed by local or attack management systems within their
  administrative domain.

Would it be possible either to echo this in the Security section, or provide the reason in the previous section?
2009-07-02
04 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded by Adrian Farrel
2009-07-02
04 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu
2009-07-02
04 Tim Polk [Ballot Position Update] New position, No Objection, has been recorded by Tim Polk
2009-07-01
04 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded by Robert Sparks
2009-06-30
04 Cullen Jennings
[Ballot comment]
I'm not real keen on using 1918 private address space for this. It is hard enough to debug when private addresses leak into public space, and this will just make it even more confusing. Could we just allocate a /24 for this?
2009-06-30
04 Cullen Jennings [Ballot Position Update] New position, No Objection, has been recorded by Cullen Jennings
2009-06-19
04 (System) Removed from agenda for telechat - 2009-06-18
2009-06-18
04 Michelle Cotton IANA Comments:

As described in the IANA Considerations section, we understand this
document to have NO IANA Actions.
2009-06-16
04 Samuel Weiler Assignment of request for Telechat review by SECDIR to Rob Austein was rejected
2009-06-16
04 Samuel Weiler Request for Telechat review by SECDIR is assigned to Rob Austein
2009-06-16
04 Samuel Weiler Request for Telechat review by SECDIR is assigned to Rob Austein
2009-06-16
04 Lars Eggert State Changes to IESG Evaluation - Defer from IESG Evaluation by Lars Eggert
2009-06-16
04 Ralph Droms [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms
2009-06-16
04 Ralph Droms
[Ballot comment]
In the first line of the next to last paragraph of the Introduction:

  By coupling unicast reverse path forwarding (RPF) [RFC3704]

I suggest s/RPF/uRPF/, as "uRPF" is the acronym used throughout this doc, although RPF is used in RFC 3704.
2009-06-16
04 Lars Eggert
[Ballot comment]
Section 3.2., paragraph 4:
>    Step 1. Select your Discard Address schema. An address is chosen to
>    become the "discard address". This is often chosen from 192.0.2.0/24
>    (TEST-NET [RFC3330]), or from RFC 1918 [RFC1918] space.

  Given that both RFC1918 and RFC3330 address space comes with the note
  that "addresses in this block should not be used on the public
  Internet", it may make sense to at least also mention if not recommend
  the option of using a chunk of the operator's assigned public address
  space for this purpose.
2009-06-16
04 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert
2009-06-11
04 Ron Bonica [Ballot Position Update] New position, Yes, has been recorded for Ronald Bonica
2009-06-11
04 Ron Bonica Ballot has been issued by Ron Bonica
2009-06-11
04 Ron Bonica Created "Approve" ballot
2009-06-11
04 (System) Ballot writeup text was added
2009-06-11
04 (System) Last call text was added
2009-06-11
04 (System) Ballot approval text was added
2009-06-11
04 Ron Bonica Note field has been cleared by Ron Bonica
2009-06-11
04 Ron Bonica Placed on agenda for telechat - 2009-06-18 by Ron Bonica
2009-06-11
04 Ron Bonica State Changes to IESG Evaluation from Publication Requested by Ron Bonica
2009-06-11
04 Ron Bonica
1a. Joel Jaeggli is the shepherd for the document. The shepherd believes
that this document is of sufficient quality to bring to the IESG.
Ron Bonica is the shepherding AD.

1b. The document has received review in the working group
as well as input from the creators of the method and operator
community that is the intended audience for this draft.

1c. The reservation of default communities, previously a feature of
this draft was removed between 01 and 02 leaving only
operational practice.

1d. None

1e. Working group consensus has consistently favored this work item.
Community reservation had significant detractors as current
practice has operators select their own communities based on
what they are willing to support and the use of such signaling
requires significant coordination.

1f. No

1g. ID Nits have been passed. There are three examples located in
Appendix A and B where RFC 3330 addresses cannot solely be used;
for the purposes of clarity, RFC 1918 addresses are used to
supplement them.

1h. There are no downwardly referential normative references.

1i. With the removal of the community reservation there are no IANA
considerations.

1j. No such formal validation is required.

1k. included

Document Announcement Write-Up for

draft-ietf-opsec-blackhole-urpf currently in draft 04 having
completed WG last call and AD Evaluation.

Technical Summary

Remote Triggered Black Hole (RTBH) filtering is a popular and
effective technique for the mitigation of denial-of-service
attacks. This document expands upon destination-based RTBH
filtering by outlining a method to enable filtering by source
address as well.

Working Group Summary

The WG last call period for draft-ietf-opsec-blackhole-urpf-03
was completed without opposition. Commentary on the draft
in the current and prior revision at IETF 74 and before would
indicate that the WG believes that the document is in suitable
form to advance. AD Review revealed insufficient warning on the
implications of using strict RPF. The 04 revision is believed
to satisfy both AD concerns and WG participants.

Document Quality

As it documents existing current practice both in router
implementation and in operational practice, and expands upon but
does not obsolete RFC 3882, we believe that it is suitable to
advance towards the goal of BCP status.

Personnel

Review by both industry peers (NANOG security BOF) and one of
the originators of the method (Barry Greene) was solicited, and
their input is noted in the contributions section. Joel Jaeggli
shepherded this document through the working group process. AD
review was provided by R. Bonica.
2009-06-11
04 Cindy Morgan State Changes to Publication Requested from Waiting for Writeup by Cindy Morgan
2009-06-11
04 Cindy Morgan
1a. Joel Jaeggli is the shepherd for the document. The shepherd believes
that this document is of sufficient quality to bring to the IESG.
Ron Bonica is the shepherding AD.

1b. The document has received review in the working group
as well as input from the creators of the method and operator
community that is the intended audience for this draft.

1c. The reservation of default communities, previously a feature of
this draft was removed between 01 and 02 leaving only
operational practice.

1d. None

1e. Working group consensus has consistently favored this work item.
Community reservation had significant detractors as current
practice has operators select their own communities based on
what they are willing to support and the use of such signaling
requires significant coordination.

1f. No

1g. ID Nits have been passed. There are three examples located in
Appendix A and B where RFC 3330 addresses cannot solely be used;
for the purposes of clarity, RFC 1918 addresses are used to
supplement them.

1h. There are no downwardly referential normative references.

1i. With the removal of the community reservation there are no IANA
considerations.

1j. No such formal validation is required.

1k. included

Document Announcement Write-Up for

draft-ietf-opsec-blackhole-urpf currently in draft 04 having
completed WG last call and AD Evaluation.

Technical Summary

Remote Triggered Black Hole (RTBH) filtering is a popular and
effective technique for the mitigation of denial-of-service
attacks. This document expands upon destination-based RTBH
filtering by outlining a method to enable filtering by source
address as well.

Working Group Summary

The WG last call period for draft-ietf-opsec-blackhole-urpf-03
was completed without opposition. Commentary on the draft
in the current and prior revision at IETF 74 and before would
indicate that the WG believes that the document is in suitable
form to advance. AD Review revealed insufficient warning on the
implications of using strict RPF. The 04 revision is believed
to satisfy both AD concerns and WG participants.

Document Quality

As it documents existing current practice both in router
implementation and in operational practice, and expands upon but
does not obsolete RFC 3882, we believe that it is suitable to
advance towards the goal of BCP status.

Personnel

Review by both industry peers (NANOG security BOF) and one of
the originators of the method (Barry Greene) was solicited, and
their input is noted in the contributions section. Joel Jaeggli
shepherded this document through the working group process. AD
review was provided by R. Bonica.
2009-06-11
04 Cindy Morgan [Note]: 'Joel Jaeggli (joelja@bogus.com) is the document shepherd.' added by Cindy Morgan
2009-06-11
04 Ron Bonica State Changes to Waiting for Writeup from AD Evaluation::AD Followup by Ron Bonica
2009-06-05
04 (System) Sub state has been changed to AD Follow up from New Id Needed
2009-06-05
04 (System) New version available: draft-ietf-opsec-blackhole-urpf-04.txt
2009-05-21
04 Ron Bonica State Changes to AD Evaluation::Revised ID Needed from AD Evaluation by Ron Bonica
2009-05-01
04 Ron Bonica State Changes to AD Evaluation from Publication Requested by Ron Bonica
2009-04-29
04 Cindy Morgan
1a. Joel Jaeggli is the shepherd for the document. The shepherd believes
that this document is of sufficient quality to bring to the IESG.
Ron Bonica is the shepherding AD.

1b. The document has received review in the working group
as well as input from the creators of the method and operator
community that is the intended audience for this draft.

1c. The reservation of default communities, previously a feature of
this draft was removed between 01 and 02 leaving only
operational practice.

1d. None

1e. Working group consensus has consistently favored this work item.
Community reservation had significant detractors as current
practice has operators select their own communities based on
what they are willing to support and the use of such signaling
requires significant coordination.

1f. No

1g. ID Nits have been passed. There are three examples located in
Appendix A and B where RFC 3330 addresses cannot solely be used;
for the purposes of clarity, RFC 1918 addresses are used to
supplement them.

1h. There are no downwardly referential normative references.

1i. With the removal of the community reservation there are no IANA
considerations.

1j. No such formal validation is required.

1k. included

Document Announcement Write-Up for

draft-ietf-opsec-blackhole-urpf currently in draft 03 having
completed WG last call.

Technical Summary

Remote Triggered Black Hole (RTBH) filtering is a popular and
effective technique for the mitigation of denial-of-service
attacks. This document expands upon destination-based RTBH
filtering by outlining a method to enable filtering by source
address as well.

Working Group Summary

The WG last call period for draft-ietf-opsec-blackhole-urpf-03
has been completed without opposition. Commentary on the draft
in the current and prior revision at IETF 74 and before would
indicate that the WG believes that the document is in suitable
form to advance.

Document Quality

As it documents existing current practice both in router
implementation and in operational practice, and expands upon but
does not obsolete RFC 3882, we believe that it is suitable to
advance towards the goal of BCP status.

Personnel

Review by both industry peers (NANOG security BOF) and one of
the originators of the method (Barry Greene) was solicited, and
their input is noted in the contributions section. Joel Jaeggli
shepherded this document through the working group process.
2009-04-29
04 Cindy Morgan Draft Added by Cindy Morgan in state Publication Requested
2009-03-30
03 (System) New version available: draft-ietf-opsec-blackhole-urpf-03.txt
2009-03-08
02 (System) New version available: draft-ietf-opsec-blackhole-urpf-02.txt
2009-03-06
01 (System) New version available: draft-ietf-opsec-blackhole-urpf-01.txt
2009-01-20
00 (System) New version available: draft-ietf-opsec-blackhole-urpf-00.txt