IETF Logo Mail Archive

Re: [GROW] call for feedback on draft-ietf-grow-route-leak-detection-mitigation

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Mon, 17 June 2019 18:21 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F8912004F for <grow@ietfa.amsl.com>; Mon, 17 Jun 2019 11:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.47
X-Spam-Level:
X-Spam-Status: No, score=-0.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, BODY_ENHANCEMENT2=1.541, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzjsCYo8WORd for <grow@ietfa.amsl.com>; Mon, 17 Jun 2019 11:21:25 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-eopbgr830122.outbound.protection.outlook.com [40.107.83.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9BF2120154 for <grow@ietf.org>; Mon, 17 Jun 2019 11:21:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=p7Dkp2FNgiaEENJCgn5/3O9M2nxqnomTPf4m7M2jnII=; b=a1ysrVF8Y7VfG1zV9TbR29LqCZEztQwnEy5b7VDCgnYJuEhrndesHxLICrEh/XhyySuFZpIz5zvExiY9/SJoqBN8w/kUXQqS7Y65VVpi1RLqo7N5yEtjHDLXA1TMB+OWle2XLqdXxEiax6BOtzZpLUCGJdysd4oX4gI2Lk4WbVw=
Received: from SN6PR0901MB2366.namprd09.prod.outlook.com (52.132.115.159) by SN6PR0901MB2464.namprd09.prod.outlook.com (52.132.117.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1987.11; Mon, 17 Jun 2019 18:21:19 +0000
Received: from SN6PR0901MB2366.namprd09.prod.outlook.com ([fe80::3884:ab1a:63f7:89ee]) by SN6PR0901MB2366.namprd09.prod.outlook.com ([fe80::3884:ab1a:63f7:89ee%4]) with mapi id 15.20.1987.014; Mon, 17 Jun 2019 18:21:19 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Nick Hilliard <nick@foobar.org>, Brian Dickson <brian.peter.dickson@gmail.com>
CC: "grow@ietf.org" <grow@ietf.org>, Ruediger Volk <rv@NIC.DTAG.DE>
Thread-Topic: [GROW] call for feedback on draft-ietf-grow-route-leak-detection-mitigation
Thread-Index: AQHVFXJKk3Jl8tWqc0G/pyWH2vOrQqabyTKAgADUeACAA5pvoA==
Date: Mon, 17 Jun 2019 18:21:18 +0000
Message-ID: <SN6PR0901MB23666177E77D2963597B417684EB0@SN6PR0901MB2366.namprd09.prod.outlook.com>
References: <20190528162707.GD29921@hanna.meerval.net> <CAH1iCip6YmGri9Eq5YvHqs8bqooNMYcY_fPYGQ4v5epcc9oV_w@mail.gmail.com>, <b8d27bb4-32a1-281e-7361-a58da8a28dc7@foobar.org>
In-Reply-To: <b8d27bb4-32a1-281e-7361-a58da8a28dc7@foobar.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [2610:20:6005:222::90]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8666e528-9805-4deb-a324-08d6f35097ea
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:SN6PR0901MB2464;
x-ms-traffictypediagnostic: SN6PR0901MB2464:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <SN6PR0901MB2464E450BD9F4A7B25DF514284EB0@SN6PR0901MB2464.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0071BFA85B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(396003)(366004)(346002)(376002)(136003)(189003)(199004)(66946007)(73956011)(91956017)(76116006)(33656002)(53936002)(6116002)(446003)(66446008)(66476007)(66556008)(64756008)(8676002)(7736002)(186003)(7696005)(102836004)(4326008)(305945005)(6506007)(53546011)(2906002)(25786009)(99286004)(76176011)(561944003)(5660300002)(8936002)(316002)(52536014)(81156014)(478600001)(6246003)(81166006)(486006)(55016002)(71200400001)(9686003)(476003)(71190400001)(229853002)(6436002)(68736007)(110136005)(54906003)(256004)(86362001)(74316002)(14454004)(46003)(966005)(6306002)(14444005)(11346002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR0901MB2464; H:SN6PR0901MB2366.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: QIMo0JOP4cJCeRcnbVVFcDbkH8BLz01uWISTNYNMOYbzcNyNyplKozabFsNHRZezlr0kUNmYJyIz9W9f/0bmz32FRojw1Pxhv9Gz6pALS2csbcLfcEXcWkbYsUT37YV8ZaHfiX3I3AdRRdCVncLFcNUfQb+Hi8ap50NPBsoC1C10WOU4EQSj/WpLkB1rPS/JrDTtBeSxQdJdWL6Eq4sKCh7jgHWoWU5p7WfRTF0J9SidQ2eM7lSsAwqi0rbXna4MluonYU6UsOrOBfFvdOzwrvStDQLgMw+gzzO9xuKHCUfD0DdNdoionN+glOI4yQZfKVONyD6naQwdLth+OEg3vcvRnQ+aVQ+Ezi6kktKUMpmyJc4aCk9Sb5YV96ZrI2Lo+3YUNzLPe3gr8nZofxvx/PIj9Dg/3bfjmQQsyM2gUdQ=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 8666e528-9805-4deb-a324-08d6f35097ea
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2019 18:21:18.9644 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ksriram@nist.gov
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR0901MB2464
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/6OFr-_rN0zLTXu6IpgciQxv6vx8>
Subject: Re: [GROW] call for feedback on draft-ietf-grow-route-leak-detection-mitigation
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jun 2019 18:21:28 -0000

Nick,

Thank you for your thoughts on this.

This work has been in GROW / IDR since 2014.
Initially in GROW where we published a route leak problem definition RFC:
https://tools.ietf.org/html/rfc7908 

The work then moved to IDR for the route leak solution based on BGP Attribute.
It was moved back to GROW lately because IDR Chairs and others (authors + Ruediger)
felt that a solution based on Community would be deployable a lot faster
-- in months as opposed to years.

First, if you care you may offer your thoughts on Attribute vs. Community.

Second, I would appreciate if you can offer concrete examples of the scenarios
that you mention -- some examples where one saw those types of leaks occur in the real world.
As for the basic principles on which the solution is based, we essentially 
decided that we could readily address route-leak Types 1 through 4 of RFC 7908.
That is what the draft does. I don't think addressing route-leak Types 1 through 4
is narrow pigeon holing. As illustrated in RFC 7908, most real-world route leak
incidents seem to fall in the six types identified in the RFC. 
The RFC lists many observed route-leak incidents and categorizes them.
(Note: Types 5 and 6 are addressed by other solutions such as route filtering, RPKI, max prefix, etc.)
The subnet leak that you mention (AS path intact or AS path removed) was discussed in GROW 
and it was decided that was NOT a route leak type -- OTOH subnet leak is only addressable with ROAs 
and/or BGPsec path validation. GROW WG decided not to include it in RFC 7908
(although it was included in earlier versions of the definition draft).

Sriram

________________________________________
From: GROW <grow-bounces@ietf.org> on behalf of Nick Hilliard <nick@foobar.org>
Sent: Saturday, June 15, 2019 6:22 AM
To: Brian Dickson
Cc: grow@ietf.org
Subject: Re: [GROW] call for feedback on draft-ietf-grow-route-leak-detection-mitigation

Brian Dickson wrote on 15/06/2019 00:42:
> Please take a look and, if you think this is an important problem to fix
> (route leaks), add your voice here.

there are two things here: route leaks (important), and the proposal in
draft-ietf-grow-route-leak-detection-mitigation.  We can probably all
agree that route leaks are a persistent threat.

What concerns me about this draft is that it takes an over-simplified
view of real-life networks and there's not a small amount of implied
pigeon-holing going on.  The difficult with the draft is that many
networks don't fall into these neatly defined categories.  There are
back-doors, partial transit configs, PNI arrangements, subnet leaks and
all sorts of weird things out there, none of which are easy to
categorise, but which nevertheless make up an important part of the
routing ecosystem.

Characterisation of these edge cases is a difficult problem.  I'm not
convinced this can be done adequately without an expressive grammar
(note: not rpsl).  I'm also not convinced that the approach taken in
draft-ietf-grow-route-leak-detection-mitigation is generic enough to be
worth deploying.

Nick

v2.23.0 | Report a Bug | By Email