IETF Logo Mail Archive

Re: [GROW] call for feedback on draft-ietf-grow-route-leak-detection-mitigation

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 17 June 2019 21:18 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 732BE1202D8 for <grow@ietfa.amsl.com>; Mon, 17 Jun 2019 14:18:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.456
X-Spam-Level:
X-Spam-Status: No, score=-0.456 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, BODY_ENHANCEMENT=0.001, BODY_ENHANCEMENT2=1.541, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vWTOK5w8SAkJ for <grow@ietfa.amsl.com>; Mon, 17 Jun 2019 14:18:54 -0700 (PDT)
Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2BC41200D5 for <grow@ietf.org>; Mon, 17 Jun 2019 14:18:53 -0700 (PDT)
Received: by mail-qk1-x744.google.com with SMTP id i125so7174802qkd.6 for <grow@ietf.org>; Mon, 17 Jun 2019 14:18:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xY2qL+ljzJ5KuODS53ShbmeuKtR+nFq6Zmv4phFclpU=; b=seCk8WJWWi9vrnBTjB5KJmS+5hbPDUCdLUBDkr/9jeyI1t9m237hNPmqA4NstTxlX2 CURCPTmIa4jb4sKS6ylas6k6n/u3iRkXYQY7PuaccQMuYrixkzPsOVlQaP9iLIlXt2+V 53MllK9ZTLeMLEAkyp3f0L+n6K4/stY4SUUyeiK7Ypa2hQFXLDNFBpoqr/tPXYU+hZyw wKX45l6j8SbPPFXK3IFzBKYanGy45z4C72IoZ+knUiNg1V7dZRnzkSyjigtMkyzPDfWY Qjuow+/dObU6T3c51xIhF5BRponWYElH3W3vX1O5857Opw/1SLDsUG3oz5jHlqjdQYm/ v6Pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xY2qL+ljzJ5KuODS53ShbmeuKtR+nFq6Zmv4phFclpU=; b=sh0Jfz66BfqlfNm/RUu+GsNxgkcyHlw87jtAToeVvkN2Rk4pMr5RfSRgQOho8XEl3u PBaivAFAU20OIp6LxbdaooHvwnqqar6EdlYGFFOgxvJZFcyy8x70+3fPhBvGyySTVinL hUkO4xRbKEXzum8BNU1QCAlRCcSjbTROEFlPRr4Cfc267TtRr1zoTW9kCxDn5nP6I/kI BAYpvCTbf1CnTCSBxE5lB2T1/yXAiuRcZbM/7dYN2/xVWxSYlYTfCjqJ2eG8U2pOim3O iJk17vDvqpx2TqmiU622vb3zd/4l0o8PQX2kKDx5eJ1GwehqA5bT/BMyE3Ykfa2fieng yw4Q==
X-Gm-Message-State: APjAAAUSbYfz8FLskILICkMF6/Jixjva7yUkozwVZtI3eytMOYoolGLT 9d219ggEenHRIs2PlkZyvUsICX+zuZSRn24aBz0=
X-Google-Smtp-Source: APXvYqwlNqQMuRXgeyBTKUI8ORbBkGfQNdg3qqaIlFdxLWNTyGFYdseO5ZZ38twdWV7Bb7ED7x8kbvo5QZRnGNdJq38=
X-Received: by 2002:a37:4ed4:: with SMTP id c203mr47646232qkb.116.1560806333115; Mon, 17 Jun 2019 14:18:53 -0700 (PDT)
MIME-Version: 1.0
References: <20190528162707.GD29921@hanna.meerval.net> <CAH1iCip6YmGri9Eq5YvHqs8bqooNMYcY_fPYGQ4v5epcc9oV_w@mail.gmail.com> <b8d27bb4-32a1-281e-7361-a58da8a28dc7@foobar.org> <SN6PR0901MB23666177E77D2963597B417684EB0@SN6PR0901MB2366.namprd09.prod.outlook.com>
In-Reply-To: <SN6PR0901MB23666177E77D2963597B417684EB0@SN6PR0901MB2366.namprd09.prod.outlook.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 17 Jun 2019 14:18:41 -0700
Message-ID: <CAH1iCio+jgbug7NPCmQj9Ab-zhPY7bE0-YECaamYM3Rk40Bz8Q@mail.gmail.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Cc: Nick Hilliard <nick@foobar.org>, "grow@ietf.org" <grow@ietf.org>, Ruediger Volk <rv@nic.dtag.de>
Content-Type: multipart/alternative; boundary="0000000000000c71c8058b8b8b83"
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/cXWyhs4pg1UtlsOmAMcmtTi1xYg>
Subject: Re: [GROW] call for feedback on draft-ietf-grow-route-leak-detection-mitigation
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jun 2019 21:18:56 -0000

On Mon, Jun 17, 2019 at 11:21 AM Sriram, Kotikalapudi (Fed) <
kotikalapudi.sriram@nist.gov> wrote:

> Nick,
>
> Thank you for your thoughts on this.
>
> This work has been in GROW / IDR since 2014.
> Initially in GROW where we published a route leak problem definition RFC:
> https://tools.ietf.org/html/rfc7908
>
> The work then moved to IDR for the route leak solution based on BGP
> Attribute.
> It was moved back to GROW lately because IDR Chairs and others (authors +
> Ruediger)
> felt that a solution based on Community would be deployable a lot faster
> -- in months as opposed to years.
>
> First, if you care you may offer your thoughts on Attribute vs. Community.
>

My own (bpd) view on the attribute vs community is:

   - This is a canonical perfect vs good comparison
   - Deployment experience on Community would allow operators to reap the
   benefits with no required code changes
   - Follow-up work on a corresponding Attribute would be preferred
   - IFF/when sufficient vendor implementation and operator deployment of
   the Attribute exists, the Community can (should) be deprecated
   - Long-term, Attribute has better attributes
      - Mandatory propagation even if a given AS does not "speak" the
      Attribute
      - Distinct prefix attribute (vs overloading Community)
      - Avoid hitting limits within Community attribute (max number)
      - Orthogonality enables better/easier tool integration (automation
      stuff)

Second, I would appreciate if you can offer concrete examples of the
> scenarios
> that you mention -- some examples where one saw those types of leaks occur
> in the real world.
> As for the basic principles on which the solution is based, we essentially
> decided that we could readily address route-leak Types 1 through 4 of RFC
> 7908.
> That is what the draft does. I don't think addressing route-leak Types 1
> through 4
> is narrow pigeon holing. As illustrated in RFC 7908, most real-world route
> leak
> incidents seem to fall in the six types identified in the RFC.
> The RFC lists many observed route-leak incidents and categorizes them.
> (Note: Types 5 and 6 are addressed by other solutions such as route
> filtering, RPKI, max prefix, etc.)
> The subnet leak that you mention (AS path intact or AS path removed) was
> discussed in GROW
> and it was decided that was NOT a route leak type -- OTOH subnet leak is
> only addressable with ROAs
> and/or BGPsec path validation. GROW WG decided not to include it in RFC
> 7908
> (although it was included in earlier versions of the definition draft).
>
>
More specifically (pun intended):
Type 6 (leaks of more-specifics) are technically possible to handle, with
very minor modifications to an AS's advertisement policy for those prefixes.

(The assumption here is the more-specifics are advertised to an upstream
ISP for traffic-engineering purposes, but are not intended for distribution
beyond that ISP.)

The ISP's BGP session can be, for the purposes of ONLY THOSE prefixes, as a
"peer-only" connection, and the appropriate community ( RPL:DO=MY_ASN:NULL).
The ISP would need to have a policy of allowing prefixes from customers
whose community set included RLP:CUST_ASN:NULL, but not any other values of
RLP:*:*.
This would allow the ISP to send the more-specifics only to the ISPs
customers, but would block transmission of the more-specifics to peers or
transit providers, assuming the ISP implements this draft.
Further away than the upstream ISP, any third party receiving these marked
prefixes from a customer or peer would detect them as a leak. A third party
might be able to detect (and block) reception of leaked prefixes from its
own upstream ISP, depending on a variety of factors.

The main take-aways are:

   - The party implementing this on the receive-side (blocking prefixes
   based on the received community) benefits the receiving party (since it
   blocks leaks).
   - The party implementing this on the send-side (towards customers)
   benefits if/when any of their customers leak (or customers' customers,
   etc.), and the leak recipient (or upstream thereof) blocks the leak
   - The marking is a trivial policy: mark all outbound prefixes sent to
   customers and peers, with a single global (for your ASN) community
   - You do not mark prefixes sent to transit providers (upstream ISPs), or
   to "special" neighbors.
      - The presumption is that any marking that exists is preserved,
      allowing for treatment of a "cluster" of "special neighbors" as a single
      entity.
      - A marked prefix will generally come from an upstream ISP or a peer.
      - If any "member" of this "cluster" of "special neighbors" announces
      a marked prefix to an upstream ISP or a peer, that would be
detected by the
      recipient as a leak -- and legitimately so.
      - No extra logic is required for these "special" connections, beyond
      whatever is currently in place
   - The detection policy is equally trivial: don't accept marked prefixes
   from customers (with the caveat regarding the customer adding
   RPL:CUST_ASN:NULL, so the prefix can only be sent to your customers), or
   peers (except required RPL:PEER_ASN:NULL).
   - This is incrementally deployable, and those deploying gain immediate
   benefit (when deployed_count >1, obviously)
   - This is extremely compatible with automated build scripts and the
   like: a single outbound policy toward customers and peers; a simple
   two-entry inbound policy towards customers and peers tied to the neighbor
   ASN.

It might be helpful to white-board this, if anyone is interested, we can do
some kind of side meeting in Montreal.
(We authors have done extensive analysis, too much to present on-list,
IMHO.)

Brian


> ________________________________________
> From: GROW <grow-bounces@ietf.org> on behalf of Nick Hilliard <
> nick@foobar.org>
> Sent: Saturday, June 15, 2019 6:22 AM
> To: Brian Dickson
> Cc: grow@ietf.org
> Subject: Re: [GROW] call for feedback on
> draft-ietf-grow-route-leak-detection-mitigation
>
> Brian Dickson wrote on 15/06/2019 00:42:
> > Please take a look and, if you think this is an important problem to fix
> > (route leaks), add your voice here.
>
> there are two things here: route leaks (important), and the proposal in
> draft-ietf-grow-route-leak-detection-mitigation.  We can probably all
> agree that route leaks are a persistent threat.
>
> What concerns me about this draft is that it takes an over-simplified
> view of real-life networks and there's not a small amount of implied
> pigeon-holing going on.  The difficult with the draft is that many
> networks don't fall into these neatly defined categories.  There are
> back-doors, partial transit configs, PNI arrangements, subnet leaks and
> all sorts of weird things out there, none of which are easy to
> categorise, but which nevertheless make up an important part of the
> routing ecosystem.
>
> Characterisation of these edge cases is a difficult problem.  I'm not
> convinced this can be done adequately without an expressive grammar
> (note: not rpsl).  I'm also not convinced that the approach taken in
> draft-ietf-grow-route-leak-detection-mitigation is generic enough to be
> worth deploying.
>
> Nick
>

v2.23.0 | Report a Bug | By Email