Re: [GROW] WGLC: draft-ietf-grow-route-leak-problem-definition (ends: 8/24/2015 - Aug 24)

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Sun, 01 November 2015 21:40 UTC

From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Job Snijders <job@instituut.net>, Christopher Morrow <christopher.morrow@gmail.com>
Date: Sun, 01 Nov 2015 21:39:59 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/grow/YDTMpEuVhofJAXJznb_uwg5BKkU>
Cc: "grow-chairs@ietf.org" <grow-chairs@ietf.org>, "grow@ietf.org grow@ietf.org" <grow@ietf.org>, "grow-ads@tools.ietf.org" <grow-ads@tools.ietf.org>

Job,
Thanks for your comments. My responses below.

>I think "type 5: U-Shaped Turn with More Specific Prefix" should be
>removed from the document.
>Given the description:
>    "A multi-homed AS learns a route from one upstream ISP and announces
>    a subprefix (subsumed in the prefix) to another upstream ISP."
>I'd classify this type of announcement a "hijack" or "attack", not a
>route leak.

There are a few things to note here:
* A route leak can be either accidental or an attack (i.e. deliberate).
(We have said earlier – maybe 99% are accidental and 1% deliberate.
See slide 13: https://www.ietf.org/proceedings/93/slides/slides-93-sidr-5.pdf )
* Type 1 (U-Shaped Turn with Full Prefix) can be a deliberate attack as well.
* Type 5 is the same as Type 1 except it has a more specific.
In both cases, the update is “propagated” by the offending AS with the AS path left intact
(i.e. takes advantage of loop detection).
A hijack (or accidental mis-origination) is different because there the offending AS
removes the AS path in essence and “re-originates” (so data path to
legitimate destination is not preserved in a hijack unlike Type 1 or Type 5).
* If someone is being deliberate, they may prefer to use Type 5 over Type 1
because Type 5 (with more specific) is far more effective.

Please let me know if the above clarification helps.
 
>Also, the two mentioned examples are at odds with each other, in the
>first example an artificially crafted AS_PATH is used to exploit AS-PATH
>loop detection, in the second example, the more specifics observed by
>[Toonk2015-B] were more specifics not crafted by the offending ASN but
>by peers of the offending ASN for traffic engineering purposes. Those
>peers consciously deaggregated, assuming a limited, regionalized
>visibility of said prefixes.

The way I read [Toonk2015-B] is different. It says:
“One explanation for this could be that these are more specific prefixes 
announced by peers of Telekom Malaysia to Telekom Malaysia and 
are normally supposed to stay regional and not visible via transit.”
So the customers of Telekom Malaysia normally announce these more specifics to 
their transit but it is the transit Telekom Malaysia who is responsible
to keep them regional but failed to do so.
Let me know if you feel that is not the correct interpretation of [Toonk2015-B].

Thanks again.

Sriram
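
The distinction drawn in this message (Type 1 and Type 5 keep the learned AS path intact, a hijack re-originates) can be checked mechanically on the monitoring side. The sketch below is an added example, not part of the original message or of the draft; the relationship table, the documentation ASNs and prefixes, and the function names are all constructed assumptions.

```python
import ipaddress

# Constructed (customer, provider) pairs using documentation ASNs.
PROVIDERS = {
    (64500, 64510),  # legitimate origin AS64500 buys transit from AS64510
    (64501, 64510),  # multi-homed AS64501 buys transit from AS64510 ...
    (64501, 64511),  # ... and from AS64511
}

def is_provider_of(provider, customer):
    return (customer, provider) in PROVIDERS

def find_u_turn(as_path):
    """Return the AS that passed a provider-learned route on to another
    provider, or None. as_path is in BGP order: newest AS first, origin last."""
    hops = list(reversed(as_path))  # propagation order, origin first
    for prev_as, mid, next_as in zip(hops, hops[1:], hops[2:]):
        if is_provider_of(prev_as, mid) and is_provider_of(next_as, mid):
            return mid
    return None

def classify(baseline, observed):
    """Compare an observed announcement with a known-good baseline route."""
    base_net = ipaddress.ip_network(baseline["prefix"])
    obs_net = ipaddress.ip_network(observed["prefix"])
    covered = obs_net.version == base_net.version and obs_net.subnet_of(base_net)
    if not covered:
        return "unrelated prefix"
    # A re-originated route no longer ends in the legitimate origin AS.
    if observed["as_path"][-1] != baseline["as_path"][-1]:
        return "re-origination (hijack or mis-origination)"
    offender = find_u_turn(observed["as_path"])
    if offender is None:
        return "no U-shaped turn"
    # Same path shape in both types; only the prefix length differs.
    kind = "Type 1" if obs_net == base_net else "Type 5"
    return f"{kind} route leak by AS{offender}"

# Constructed sample routes.
BASELINE = {"prefix": "203.0.113.0/24", "as_path": [64510, 64500]}
LEAK_FULL = {"prefix": "203.0.113.0/24", "as_path": [64511, 64501, 64510, 64500]}
LEAK_SPECIFIC = {"prefix": "203.0.113.0/25", "as_path": [64511, 64501, 64510, 64500]}
REORIGINATED = {"prefix": "203.0.113.0/24", "as_path": [64511, 64501]}

if __name__ == "__main__":
    for route in (BASELINE, LEAK_FULL, LEAK_SPECIFIC, REORIGINATED):
        print(route["prefix"], route["as_path"], "->", classify(BASELINE, route))
```
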