IETF Logo Mail Archive

Re: [GROW] An alternative approach to draft-ietf-grow-route-leak-detection-mitigation

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Wed, 10 March 2021 02:10 UTC

Return-Path: <jheitz@cisco.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B3CF3A1664 for <grow@ietfa.amsl.com>; Tue, 9 Mar 2021 18:10:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.601
X-Spam-Level:
X-Spam-Status: No, score=-9.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=EYSUH/Y2; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=sQVkeZZD
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id km8BMw3epUpe for <grow@ietfa.amsl.com>; Tue, 9 Mar 2021 18:10:30 -0800 (PST)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E95BF3A1666 for <grow@ietf.org>; Tue, 9 Mar 2021 18:10:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4816; q=dns/txt; s=iport; t=1615342230; x=1616551830; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=rUnfbDkFUwzUMSnfziKyKtPI7jR5HjiJ9xeoFDK3qrc=; b=EYSUH/Y2LqFW+dqgZQyAv7xoUajlGe3jGq86b5xtJWcYvB5kD0j0p/oV mHUEbMLR2GAxe2QYVW7Ddn+TRY5iA9xaufTezbmjuDM+5h44Ir0doLqhp 2Eaghi70EWhDhwtLVLvr3Ri7vW+fYh7hKD9NkIktoBXvJJY03UXJ7zDLu M=;
X-IPAS-Result: A0BXAwBFKEhgmJxdJa1agQmDIlF9WjYxiAkDhTmIWQOBBpgVgUKBEQNUCwEBAQ0BAR0LCgIEAQGBEwGDOQKBfgIlOBMCAwEBAQMCAwEBAQEFAQEBAgEGBBQBAQEBAQEBAYY2DYZEAQEBBAEBOAYBASwMCwQCAQgRBAEBHgEQJwsdCAIEARIIDAeCVQGCVQMvAQ6iPAKKHnSBNIMEAQEGhRoYghMDBoE5gnaKTSYcgUlCgRABQ4IjNT6CXAEBgSUgHCSDJIIrgVg/FBkIPCoISy8sIB0qCAEBHAEZAw4CkT6OG5ppCoMAkReLOKQAkhyCT6JEAgQCBAUCDgEBBoFrIYFZcBU7gmlQFwINjjgdgzmFFIVFczgCBgoBAQMJfIwDAQE
IronPort-PHdr: 9a23:vNriEhDhDuygM0ZJAi/IUyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qw30A3FWIzB4LRFhvbY9af6Vj9I7ZWAtSUEd5pBH18AhN4NlgMtSMiCFQXgLfHsYiB7eaYKVFJs83yhd0QAHsH4ag7ep3So5ngTFwnxcw1vKbe9Fovblc/i0ee09tXaaBlJgzzoZ7R0IV22oAzdu9NQj5FlL/M6ywDCpT1DfOEFyA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,236,1610409600"; d="scan'208";a="658537061"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 10 Mar 2021 02:10:28 +0000
Received: from mail.cisco.com (xbe-rcd-007.cisco.com [173.37.102.22]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id 12A2ASrh000498 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Wed, 10 Mar 2021 02:10:28 GMT
Received: from xfe-rcd-005.cisco.com (173.37.227.253) by xbe-rcd-007.cisco.com (173.37.102.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Tue, 9 Mar 2021 20:10:26 -0600
Received: from xfe-aln-003.cisco.com (173.37.135.123) by xfe-rcd-005.cisco.com (173.37.227.253) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Tue, 9 Mar 2021 20:10:26 -0600
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-003.cisco.com (173.37.135.123) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3 via Frontend Transport; Tue, 9 Mar 2021 20:10:25 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Weaq3mZLfAl62rbjcyWTpGVH6i0OL81eI3+Ouhn0CARd2Z3nL0DzXLdB+oZYCASIdiMdhu+oTeCV1KVLosGk4IrYfLm98+mgNV4iFKg6SXJX0NVLo6/fqc7Fq6WPFJa0HDLdA4xOt06G30x9qrZxE1ID+VSC22+43DhUO+MGa43ahTg0SEa8Se+CTgxxJjWzGg0bXeTW5d8EaP5PgVr1htRnrB39eiAbPZ+ciyFFs2mHFKFicRQvZniDwaGBufIex9rWIs94hDOJdXqE08L0bB7h2RyXx9ni+JDR7pht4RXqSuVpH/S5aKPhcMIwCQRHRrbRQMT95ybqtBuWL/APog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KnchJCAcPDld6x4eAbd1iSE5uf0wFESRjNrDKS5xixI=; b=WKjvUelmVDQnCSoTwYk9wO1fdQKFN+P7TVE8y2a98RlBpHE5ecHRKtDueLXUdcr2oE9deyNQ7pg0xyKwRiwUfjzrhi77RfRPkzYnIrr8QsrpLej1hSjc9Q8z3qmI6w9RGd8ot45zvGL9AqWBoBsZpOVaGjSK73HwnTxBFnEUKnAMASBDBIae7nAFcN7vvrRUOAA6FotjcymiyCJaDK01gZWHnns+UHlQlPEwBvZCkT43KjdhIoPL/9e+dOLkl7YVHW5qkf0qs7nq3xT6xePPUkl8vlRQAGBNw58Lp+8ZvGVaEcEwwZgrPQ3eUFqye7M2HL9ff/T+/OzpVanJTQZ8BA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KnchJCAcPDld6x4eAbd1iSE5uf0wFESRjNrDKS5xixI=; b=sQVkeZZD0X23Bin0E6YvSXOFfY3RbvTRQwaRdtYzn5MXPgX5pA5gWXON1zdorvMvkPfWvBECTUp5GOS/vw8UAJ1VqMyvrmvIrQOUASSPaUAOwOjFLIYDlaJOFscIb1OxEE7BQUu0KMrC3nvmhTxsK7nHFbEM4B3BXl9qnpCUSIY=
Received: from BYAPR11MB3207.namprd11.prod.outlook.com (2603:10b6:a03:7c::14) by BYAPR11MB3285.namprd11.prod.outlook.com (2603:10b6:a03:7b::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Wed, 10 Mar 2021 02:10:24 +0000
Received: from BYAPR11MB3207.namprd11.prod.outlook.com ([fe80::e084:727e:9608:11c7]) by BYAPR11MB3207.namprd11.prod.outlook.com ([fe80::e084:727e:9608:11c7%7]) with mapi id 15.20.3912.027; Wed, 10 Mar 2021 02:10:24 +0000
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>, "grow@ietf.org" <grow@ietf.org>
Thread-Topic: [GROW] An alternative approach to draft-ietf-grow-route-leak-detection-mitigation
Thread-Index: AQHXFR7c2pHzW1JblEKn9bEfWDsEUap8eQow
Date: Wed, 10 Mar 2021 02:10:24 +0000
Message-ID: <BYAPR11MB3207C48AB9F27BC7E015CCC6C0919@BYAPR11MB3207.namprd11.prod.outlook.com>
References: <YEfTnMNU+taoqzal@snel>
In-Reply-To: <YEfTnMNU+taoqzal@snel>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2601:647:5701:46e0:5951:d330:73f9:48a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 933f4ee0-728b-42e7-a09a-08d8e369aaae
x-ms-traffictypediagnostic: BYAPR11MB3285:
x-microsoft-antispam-prvs: <BYAPR11MB3285CC240718E1C0D4BF58B2C0919@BYAPR11MB3285.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: EQCnC1jP2+/49vaLYytrq0czowE2Kw9MWqAvjsd0NTREnb2cH5qNxjF2XQ9savT3RvnqikURxTDCMJX6pVQLzEWPIEwlzZqjcYXQ2hF0EKxxoWi88696kRKYv0Uq5rHAJ42bxTB2qpKrgN+VHjqI0Lx0Rw2RlgQ4tXLv0UI0n1jjFzNwEN//kOSjQzKyJflHT2ck89Szg3VkZ08mW4MOh/C0KmUpyTNyiRBvpod6gdr0kw8dhCWWn4ls+kLt/eUyrZ2ABUMAG9+uDDvQerhwBuwHZhSSScX6vga/7FQTMITjlB/zeHuXALuszomHpFwOKSP/8emBveOUrorfoVxQ20kXE/BN9poYnKiMW9RKWMdOGhZKNonceJLZ+ypG1Tldg1Dpj5HX6AWHtW09E9/EC/3ZJHny0WVXOg2AF54Z37QLetuTGs768Bfvt5akXNC7kJ59Vdb3DM1iuF87EPleYSSjkmDq2CVNkVNo44MXEa17GKXnJtklKReONifqVzow04jqAJuAksspPxgFYSH4MP8Kql4Qw9Osw/HvvoZOIBSvMc3wOlsRfWNC0YIlr2GveTIaQSn9pWwTHxNVm1Bb44Oo6ZExIjyqJ/+Dj1c4sgY=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR11MB3207.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(396003)(136003)(366004)(346002)(39860400002)(5660300002)(2906002)(76116006)(33656002)(966005)(83380400001)(8676002)(71200400001)(7696005)(53546011)(478600001)(9686003)(186003)(8936002)(110136005)(55016002)(316002)(52536014)(66946007)(64756008)(66556008)(66446008)(6506007)(66476007)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: qoZdqIfMw5oz3XATkKEFDXLuEPjFLUv6FQu8v/Q69kuqJ2PB/BaennCC+93CUGVBvS5DHMyBrg/x7GyFSqLmHrDt6t/zWDGDG+PXO9J4rqs6Ga4WNbCiHTUISl6ExzgNcPn5WHJZ5O4s3jFEwLFDFr89lgxizMvs/abREzZBFqHZ77bOzrFE5t21lua5Xv+bhQ/IebJblkUl0GwCdslH+sGkuDKeiCysVUydq3mC6ZaelPCtN5Q9H852tRRxpYW73Fn0xrDwEMgNOYx9TFRtXOXsTCWjtLAE9MMXntUw8ORmJNB3m/S9uAf5hHEpa/tUy0LGvq9vcCKBfsq6TO43l3VvwmVHPVWlWj3+S4LwBYxZdICkD2McOmRCX+Q/wVAIHRlRxfos5Rx1JsU+pEENgzEW699XBznxT2e3YiN0F0dOEwlB0kPsZcCGFjNqZDKp1MEVZpZ0XQV34JnD9Yf0UfgbXKPtEfKrurna5Y4gYEenr/K/w5v1XXYiLeR+zZp6ueklUsp74Vr03cYTbA3gSqH2b1zhECH4gd30HZp6ZyvwcOOWiGIj2JnRhk1O4MXReVkeQLkYGp1beAxTJOfMC2CSbINnzAr7DG7dbegkflx4Nn2iyrnQ2GkxEyJKMHDfZVEavS1PuUQauMsA9pm+MEoUVSNeBvXwCmgdpc4OcbZNJkXa4/cq3+Mkfz92vUNCl2VTQ0dDFsWkxGve/Mq7qs/7CNh2/2q6LINItGoKlhHSoqBdoFWFLj9DIPeI7NsvLt1btyiE1Vqij45wgk8wf2mImMxGecISqeHIEZYMnQKkmC4V++K12w+0LX3d+na8cOe2J97SKwkv85aMmwJgoxOap0HaoxZLB9WHXIBgpWRg8q0WaEf99JPIu1hB8RRJn1LIDXSbGTmfST2C/vz/cRdXwzUyP62Vrcjmh1vAI9OVMMqvnEjWWGhYUI34gWHNqzn/6XdM7iEUsyyxu1OoxELLYPetQQYHbWWT7E40psr94cOezqcpxv3zaYV/Qv7DKT6B9M7up6DAT66D4Mx9BO9LyusqYwovtoSuWoiLv+TbhqlpTmkp79w78NfJfGdK7tU6jzWTR6bp6tQ5hAA28AUQ0Zwbzbace8qZw1+jgIX/Bmi7fvIe7apK8pbnCui4rBvjeEMZUk4aDjbXvQAdm2yTCXsdJrQiYv24xPrhtsDQTh/Y4BChEjRw5cisDueomeDn4vz0dOqNHj86/knKrpuGMjBzDPXT+Wp7I66CrklpCj5q1Tfu8r5CV0Q8hbNuwwSwk49kxwOTtp1B9VvbI4OL25Y9SdCwDV5FadWrvmtQ3g5YptSpA+sDRBk8/F2b0uQhL9QHoA5oG413NJQ3InkGoQlg305wt8TmYtV+W2StgCzOfvnrGs893JLDDFdK
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB3207.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 933f4ee0-728b-42e7-a09a-08d8e369aaae
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Mar 2021 02:10:24.6977 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DMYp7zMuQYaXX73FsdrlDILNCXfPml2NJCzaNkLaDEma6cml4vatcM7SSUKcM1ERfx84Hs2GGONbXVTfYCnvgQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3285
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.22, xbe-rcd-007.cisco.com
X-Outbound-Node: rcdn-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/-E__V9jY81VyOYZGRbTFj19ULtw>
Subject: Re: [GROW] An alternative approach to draft-ietf-grow-route-leak-detection-mitigation
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2021 02:10:33 -0000

Job, your suggestion kicks a different goal than
draft-ietf-grow-route-leak-detection-mitigation does.

draft-ietf-grow-route-leak-detection-mitigation tries to determine
if your neighbor leaked the route to you.
To do that, you need to know how your neighbor received the route
before he sent it to you.
That's what the ASN in the LC is for.

Regards,
Jakob.

-----Original Message-----
From: GROW <grow-bounces@ietf.org> On Behalf Of Job Snijders
Sent: Tuesday, March 9, 2021 11:59 AM
To: grow@ietf.org
Subject: Re: [GROW] An alternative approach to draft-ietf-grow-route-leak-detection-mitigation

Dear GROW,

(Removed sidrops@ from CC)

*Wearing a Working Group participant hat*

I reviewed draft-ietf-grow-route-leak-detection-mitigation-04 and it
appears to me there is a shortcut possible in the mitigation algorithm.
This shortcut in turn negates the need to specify any ASN in the "DO
Community". Only requiring a single community opens up the path to use
existing well-known RFC 1997 community as signal between BGP nodes.

The section 4.1 leak mitigation algorithm could be revised such that if
a route path present in the Loc-RIB is considered the best path and
eligible for export to EBGP neighbors, an additional verification step
is performed.

The sender could check whether a 'DO community' is present on the route
in the Loc-RIB, and if the to-be-exported-to EBGP neigbhor is configured
as a 'lateral Peer' or as 'Provider', the route is rejected in the PIB
(Policy Information Base) and thus will not be present in Adj-RIB-Out -
thus blocking a leak from happening. This places the route leak
mitigation solution one step earlier in the BGP 'supply chain' process.

There is an existing well-known BGP Community known as 'NOPEER
Community for BGP Route Scope Control', described in RFC 3765.

Similar to how the mitigation does not truly differentiate between
'Providers' and 'Lateral Peers' (if one considers routing policy puzzles
often can be solved through multiple different combinations of policy in
either of EBGP-IN, IBGP-OUT, IBGP-IN, EBGP-OUT.

The recommendation then simplifies to the following three steps:

1/ Recommend network operators to never strip the RFC 3765 Community
   upon receiving a BGP route from either an IBGP or EBGP neighbor.

2/ Recommend network operators to manually configure (or have BGP OPENv2
   speakers automatically) *add* the NOPEER Community (if it wasn't
   already present) to route paths received from a Lateral Peer or
   Provider. Then proceed with whatever Import Policy applies.

3/ Recommend network operators (or have BGP OPENv2 speakers
   automatically) block routes which contain the NOPEER Community from
   propagating towards EBGP neighbor marked as 'Lateral Peer' or
   'Provider'. The procedure stops.

4/ If the EBGP neighbor is *not* a 'Lateral Peer' or 'Provider', the
   route MAY be added to the Adj-RIB-Out specific to that EBGP neighbor.
   The NOPEER community is not removed (see step 1).

As Nick Hilliard pointed out earlier in this thread, there might be
business requirements which require the operator to override the
autnomous system's default policy, but as the NOPEER Community happens
to be 'just a BGP community', operators can do as they wish with the
received routing information. A case can be made that operators - by
default - would benefit from accepting the NOPEER community and based on
its presence prevent routes from propagating further towards EBGP
neighbors in the Peer/Provider class.

The above proposal is slightly different than the implementation
requirements stemming from honoring GRACEFUL_SHUTDOWN (where the
intention is for the inter-domain signal to be honored on EBGP-IN), the
NOPEER community essentially is best honored in EBGP-OUT policies.

Promoting inter-domain use of the NOPEER community by outlining how
correctly adding & scoping based on this community one can help mitigate
BGP route leaks. The NOPEER community being readily available in most
deployed BGP speakers for any operator wishing to use the mitigation
mechanism, this might make for a compelling argument.

In short 'Down Only' is equivalent to 'Not towards Peers & Providers:

  - in EBGP-IN set NOPEER on routes received from Peers/Providers
  - in EBGP-OUT block NOPEER routes from being announced to Peers/Providers

The above appears incrementally deployable, and compliant with the
specification of NOPEER, and can be promoted through Network Operator
Groups by converting draft-ietf-idr-route-leak-detection-mitigation to
target Best Current Practise (BCP).

Kind regards,

Job

_______________________________________________
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

v2.23.0 | Report a Bug | By Email