[GROW] Route Server ASN stripping hiding considered harmful?
Job Snijders <job@ntt.net> Mon, 18 December 2017 10:50 UTC
Return-Path: <job@instituut.net>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAED5127517 for <grow@ietfa.amsl.com>; Mon, 18 Dec 2017 02:50:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level:
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvNncYaVyoAD for <grow@ietfa.amsl.com>; Mon, 18 Dec 2017 02:50:38 -0800 (PST)
Received: from mail-wm0-f43.google.com (mail-wm0-f43.google.com [74.125.82.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A21B3126BFD for <grow@ietf.org>; Mon, 18 Dec 2017 02:50:38 -0800 (PST)
Received: by mail-wm0-f43.google.com with SMTP id f206so28376588wmf.5 for <grow@ietf.org>; Mon, 18 Dec 2017 02:50:38 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition:user-agent; bh=nBx4n05nFU8ZN/cCthKRY0iAhQRBn8mkJXOMa4JtB+o=; b=QqO6KebMvGzCtujIHrg6FUG0yeENQZ88p2RTfjv0fDdMgJ9yH9nu3HgDGABnhT6ioy N5fwdCsEa7GgYBvgwGwm2nmCX2ViS829CxFP+rr34T2e+mGT2Q4nqFOPJQlYJ+jNUjpZ YWdHcZBjirmoLbb8rBKX0i+NhCtWjxLp6OWXgErXqnyVYS7sefhJzM/nBgdFuI5h0wQ0 /Gxw0fMKUvXlDhsYqsjnHDcRylhSmUcY7aqoXT86o0cdqXbSapDJxMBpCrJPJ3xoRH5L w+aQjCuE/zfehtAeqels20bH2qj1Z+vWXLAnX3VBjWuPBYZU3pY3GwIlO4kNm2mDs5wF gUYg==
X-Gm-Message-State: AKGB3mJ5dwjFLUFyedz2vXffBhLJXDQJ7Y3WFCNV+WapWxSdvYMVQg7Z pMuT5T8rKNbwWJqNSPFbk0jzlw==
X-Google-Smtp-Source: ACJfBotGM1IhriujexI8OqGMYMegbj5oyaaUvn4JzdlwTnEb2LSDpTcRFkf+HAJ6Fk9qzoH1tzFFVQ==
X-Received: by 10.80.145.154 with SMTP id g26mr29283105eda.140.1513594236867; Mon, 18 Dec 2017 02:50:36 -0800 (PST)
Received: from vurt.meerval.net (vurt.meerval.net. [192.147.168.22]) by smtp.gmail.com with ESMTPSA id k19sm11184625ede.35.2017.12.18.02.50.35 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 18 Dec 2017 02:50:35 -0800 (PST)
Received: from localhost (vurt.meerval.net [local]) by vurt.meerval.net (OpenSMTPD) with ESMTPA id 37cb14bf; Mon, 18 Dec 2017 10:50:34 +0000 (UTC)
Date: Mon, 18 Dec 2017 10:50:34 +0000
From: Job Snijders <job@ntt.net>
To: grow@ietf.org
Message-ID: <20171218105034.GD43144@vurt.meerval.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: Mutt/1.9.2 (2017-12-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/2FApL22TViXFdMvR1itCVHfUZwM>
Subject: [GROW] Route Server ASN stripping hiding considered harmful?
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2017 10:50:41 -0000
Dear GROW, After the gazillionth routing incident in which an IXP route server amplified the problem, I think it is time we explore mechanisms to improve accountability, auditability & make debugging easier. It is common practise for route server operators to configure their route server in such a way that the route server does not append its own ASN to the AS_PATH attribute. Many IXPs view this practise as justifiable because it gives them a competitive advantage over transit providers. RFC 7947 reasons "a route server does not participate in the process of forwarding data between client routers", but meanwhile quite some IXPs have more equipment and layer-2 hops as part of the forwarding path than comparable IP networks for similar distances. [1] [2] [3] Does it even matter that the route server device itself is not part of the forwarding path? For all intents and purposes it is a BGP hop. The route server is not under administrative control of the RS participants. Whenever routing incidents occur, it takes considerable effort to pinpoint which route server BGP speakers amplified the problem. Quite some correlation & verification work is needed to reliably point out which route server at what IXP contributed to the propagation of a hijack or a route leak. If IXP route servers were visible in the AS_PATH (just like normal IP networks), I think we'd see a lot more responsible behavior and the implementations of route filters. Consider the following scenarios. When client A & client B at the same IX have a bilateral session with each other, it doesn't matter whether the route server injects its AS in the AS_PATH: the bilateral session makes the route server control-plane path irrelevant. Since it is common practise to assign a higher local preference to 'peering' routes compared to 'transit' routes, in the case that client A & client B don't have a bilateral session and only see each other via the route server, padding the AS_PATH with the route servers ASN still won't have an negative effect. It is only in corner cases that the AS_PATH becomes the tie-breaker, and I find it hard to use those as justification to sacrifice all of the route server's visibility. Another benefit is that if route servers behave like normal BGP speakers, client's dont need to disable safety checks such as "no bgp enforce-first-as". Or that routing policy to match on prefixes coming from the route server (on devices not connected to the IX) are simpler if the ASN is vislble, and of course the same applies to analysis of MRT dumps or use of BGP data in applications such as spam filtering. Or think of hunting down announcements that became ghost routes, without all ASNs visible in the AS_PATH as operator you'll be going through severe pains to find the ghost route perpetrator. Decades ago some argued that route servers should provide an experience as close to bilateral peering as possible. But fast forward to 2017, we see route servers with hundreds of thousands of paths, thousands of sessions, in essence route servers became partial transit providers. I'd argue that route server operators should assume their fiduciary duty and stop hiding themselves. This will allow both operators & researchers to more easily pinpoint issues, and help fix them. In summary, I think RFC 7947 section 2.2.2.1 & 2.2.2.2 were misguided, should be revisited, perhaps deleted. Thoughts? Kind regards, Job [1]: https://ams-ix.net/technical/ams-ix-infrastructure [2]: https://www.linx.net/tech-info-help/network-topology [3]: https://www.nl-ix.net/network/projected-core-map-2017/
- [GROW] Route Server ASN stripping hiding consider… Job Snijders
- Re: [GROW] Route Server ASN stripping hiding cons… Fredrik Korsbäck
- Re: [GROW] Route Server ASN stripping hiding cons… Nick Hilliard
- Re: [GROW] Route Server ASN stripping hiding cons… Job Snijders
- Re: [GROW] Route Server ASN stripping hiding cons… i3D.net - Martijn Schmidt
- Re: [GROW] Route Server ASN stripping hiding cons… Nick Hilliard
- Re: [GROW] Route Server ASN stripping hiding cons… Job Snijders
- Re: [GROW] Route Server ASN stripping hiding cons… Job Snijders
- Re: [GROW] Route Server ASN stripping hiding cons… Nick Hilliard
- Re: [GROW] Route Server ASN stripping hiding cons… Job Snijders
- Re: [GROW] Route Server ASN stripping hiding cons… Nick Hilliard
- Re: [GROW] Route Server ASN stripping hiding cons… Alexander Azimov
- Re: [GROW] Route Server ASN stripping hiding cons… Jared Mauch
- Re: [GROW] Route Server ASN stripping hiding cons… heasley
- Re: [GROW] Route Server ASN stripping hiding cons… Nick Hilliard
- Re: [GROW] Route Server ASN stripping hiding cons… Gert Doering
- Re: [GROW] Route Server ASN stripping hiding cons… Nick Hilliard
- Re: [GROW] Route Server ASN stripping hiding cons… Gert Doering
- Re: [GROW] Route Server ASN stripping hiding cons… Job Snijders
- Re: [GROW] Route Server ASN stripping hiding cons… Christoph Loibl
- Re: [GROW] Route Server ASN stripping hiding cons… Gert Doering
- Re: [GROW] Route Server ASN stripping hiding cons… Wolfgang Tremmel
- Re: [GROW] Route Server ASN stripping hiding cons… Job Snijders
- Re: [GROW] Route Server ASN stripping hiding cons… Nick Hilliard
- Re: [GROW] Route Server ASN stripping hiding cons… bruno.decraene
- Re: [GROW] Route Server ASN stripping hiding cons… Marco d'Itri
- Re: [GROW] Route Server ASN stripping hiding cons… Jeffrey Haas
- Re: [GROW] Route Server ASN stripping hiding cons… Jeffrey Haas
- Re: [GROW] Route Server ASN stripping hiding cons… Nick Hilliard
- Re: [GROW] Route Server ASN stripping hiding cons… Gert Doering
- Re: [GROW] Route Server ASN stripping hiding cons… UTTARO, JAMES
- Re: [GROW] Route Server ASN stripping hiding cons… Randy Bush