Re: [GROW] call for feedback on draft-ietf-grow-route-leak-detection-mitigation
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 17 June 2019 21:18 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 732BE1202D8 for <grow@ietfa.amsl.com>; Mon, 17 Jun 2019 14:18:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.456
X-Spam-Level:
X-Spam-Status: No, score=-0.456 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, BODY_ENHANCEMENT=0.001, BODY_ENHANCEMENT2=1.541, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vWTOK5w8SAkJ for <grow@ietfa.amsl.com>; Mon, 17 Jun 2019 14:18:54 -0700 (PDT)
Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2BC41200D5 for <grow@ietf.org>; Mon, 17 Jun 2019 14:18:53 -0700 (PDT)
Received: by mail-qk1-x744.google.com with SMTP id i125so7174802qkd.6 for <grow@ietf.org>; Mon, 17 Jun 2019 14:18:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xY2qL+ljzJ5KuODS53ShbmeuKtR+nFq6Zmv4phFclpU=; b=seCk8WJWWi9vrnBTjB5KJmS+5hbPDUCdLUBDkr/9jeyI1t9m237hNPmqA4NstTxlX2 CURCPTmIa4jb4sKS6ylas6k6n/u3iRkXYQY7PuaccQMuYrixkzPsOVlQaP9iLIlXt2+V 53MllK9ZTLeMLEAkyp3f0L+n6K4/stY4SUUyeiK7Ypa2hQFXLDNFBpoqr/tPXYU+hZyw wKX45l6j8SbPPFXK3IFzBKYanGy45z4C72IoZ+knUiNg1V7dZRnzkSyjigtMkyzPDfWY Qjuow+/dObU6T3c51xIhF5BRponWYElH3W3vX1O5857Opw/1SLDsUG3oz5jHlqjdQYm/ v6Pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xY2qL+ljzJ5KuODS53ShbmeuKtR+nFq6Zmv4phFclpU=; b=sh0Jfz66BfqlfNm/RUu+GsNxgkcyHlw87jtAToeVvkN2Rk4pMr5RfSRgQOho8XEl3u PBaivAFAU20OIp6LxbdaooHvwnqqar6EdlYGFFOgxvJZFcyy8x70+3fPhBvGyySTVinL hUkO4xRbKEXzum8BNU1QCAlRCcSjbTROEFlPRr4Cfc267TtRr1zoTW9kCxDn5nP6I/kI BAYpvCTbf1CnTCSBxE5lB2T1/yXAiuRcZbM/7dYN2/xVWxSYlYTfCjqJ2eG8U2pOim3O iJk17vDvqpx2TqmiU622vb3zd/4l0o8PQX2kKDx5eJ1GwehqA5bT/BMyE3Ykfa2fieng yw4Q==
X-Gm-Message-State: APjAAAUSbYfz8FLskILICkMF6/Jixjva7yUkozwVZtI3eytMOYoolGLT 9d219ggEenHRIs2PlkZyvUsICX+zuZSRn24aBz0=
X-Google-Smtp-Source: APXvYqwlNqQMuRXgeyBTKUI8ORbBkGfQNdg3qqaIlFdxLWNTyGFYdseO5ZZ38twdWV7Bb7ED7x8kbvo5QZRnGNdJq38=
X-Received: by 2002:a37:4ed4:: with SMTP id c203mr47646232qkb.116.1560806333115; Mon, 17 Jun 2019 14:18:53 -0700 (PDT)
MIME-Version: 1.0
References: <20190528162707.GD29921@hanna.meerval.net> <CAH1iCip6YmGri9Eq5YvHqs8bqooNMYcY_fPYGQ4v5epcc9oV_w@mail.gmail.com> <b8d27bb4-32a1-281e-7361-a58da8a28dc7@foobar.org> <SN6PR0901MB23666177E77D2963597B417684EB0@SN6PR0901MB2366.namprd09.prod.outlook.com>
In-Reply-To: <SN6PR0901MB23666177E77D2963597B417684EB0@SN6PR0901MB2366.namprd09.prod.outlook.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 17 Jun 2019 14:18:41 -0700
Message-ID: <CAH1iCio+jgbug7NPCmQj9Ab-zhPY7bE0-YECaamYM3Rk40Bz8Q@mail.gmail.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Cc: Nick Hilliard <nick@foobar.org>, "grow@ietf.org" <grow@ietf.org>, Ruediger Volk <rv@nic.dtag.de>
Content-Type: multipart/alternative; boundary="0000000000000c71c8058b8b8b83"
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/cXWyhs4pg1UtlsOmAMcmtTi1xYg>
Subject: Re: [GROW] call for feedback on draft-ietf-grow-route-leak-detection-mitigation
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jun 2019 21:18:56 -0000
On Mon, Jun 17, 2019 at 11:21 AM Sriram, Kotikalapudi (Fed) < kotikalapudi.sriram@nist.gov> wrote: > Nick, > > Thank you for your thoughts on this. > > This work has been in GROW / IDR since 2014. > Initially in GROW where we published a route leak problem definition RFC: > https://tools.ietf.org/html/rfc7908 > > The work then moved to IDR for the route leak solution based on BGP > Attribute. > It was moved back to GROW lately because IDR Chairs and others (authors + > Ruediger) > felt that a solution based on Community would be deployable a lot faster > -- in months as opposed to years. > > First, if you care you may offer your thoughts on Attribute vs. Community. > My own (bpd) view on the attribute vs community is: - This is a canonical perfect vs good comparison - Deployment experience on Community would allow operators to reap the benefits with no required code changes - Follow-up work on a corresponding Attribute would be preferred - IFF/when sufficient vendor implementation and operator deployment of the Attribute exists, the Community can (should) be deprecated - Long-term, Attribute has better attributes - Mandatory propagation even if a given AS does not "speak" the Attribute - Distinct prefix attribute (vs overloading Community) - Avoid hitting limits within Community attribute (max number) - Orthogonality enables better/easier tool integration (automation stuff) Second, I would appreciate if you can offer concrete examples of the > scenarios > that you mention -- some examples where one saw those types of leaks occur > in the real world. > As for the basic principles on which the solution is based, we essentially > decided that we could readily address route-leak Types 1 through 4 of RFC > 7908. > That is what the draft does. I don't think addressing route-leak Types 1 > through 4 > is narrow pigeon holing. As illustrated in RFC 7908, most real-world route > leak > incidents seem to fall in the six types identified in the RFC. > The RFC lists many observed route-leak incidents and categorizes them. > (Note: Types 5 and 6 are addressed by other solutions such as route > filtering, RPKI, max prefix, etc.) > The subnet leak that you mention (AS path intact or AS path removed) was > discussed in GROW > and it was decided that was NOT a route leak type -- OTOH subnet leak is > only addressable with ROAs > and/or BGPsec path validation. GROW WG decided not to include it in RFC > 7908 > (although it was included in earlier versions of the definition draft). > > More specifically (pun intended): Type 6 (leaks of more-specifics) are technically possible to handle, with very minor modifications to an AS's advertisement policy for those prefixes. (The assumption here is the more-specifics are advertised to an upstream ISP for traffic-engineering purposes, but are not intended for distribution beyond that ISP.) The ISP's BGP session can be, for the purposes of ONLY THOSE prefixes, as a "peer-only" connection, and the appropriate community ( RPL:DO=MY_ASN:NULL). The ISP would need to have a policy of allowing prefixes from customers whose community set included RLP:CUST_ASN:NULL, but not any other values of RLP:*:*. This would allow the ISP to send the more-specifics only to the ISPs customers, but would block transmission of the more-specifics to peers or transit providers, assuming the ISP implements this draft. Further away than the upstream ISP, any third party receiving these marked prefixes from a customer or peer would detect them as a leak. A third party might be able to detect (and block) reception of leaked prefixes from its own upstream ISP, depending on a variety of factors. The main take-aways are: - The party implementing this on the receive-side (blocking prefixes based on the received community) benefits the receiving party (since it blocks leaks). - The party implementing this on the send-side (towards customers) benefits if/when any of their customers leak (or customers' customers, etc.), and the leak recipient (or upstream thereof) blocks the leak - The marking is a trivial policy: mark all outbound prefixes sent to customers and peers, with a single global (for your ASN) community - You do not mark prefixes sent to transit providers (upstream ISPs), or to "special" neighbors. - The presumption is that any marking that exists is preserved, allowing for treatment of a "cluster" of "special neighbors" as a single entity. - A marked prefix will generally come from an upstream ISP or a peer. - If any "member" of this "cluster" of "special neighbors" announces a marked prefix to an upstream ISP or a peer, that would be detected by the recipient as a leak -- and legitimately so. - No extra logic is required for these "special" connections, beyond whatever is currently in place - The detection policy is equally trivial: don't accept marked prefixes from customers (with the caveat regarding the customer adding RPL:CUST_ASN:NULL, so the prefix can only be sent to your customers), or peers (except required RPL:PEER_ASN:NULL). - This is incrementally deployable, and those deploying gain immediate benefit (when deployed_count >1, obviously) - This is extremely compatible with automated build scripts and the like: a single outbound policy toward customers and peers; a simple two-entry inbound policy towards customers and peers tied to the neighbor ASN. It might be helpful to white-board this, if anyone is interested, we can do some kind of side meeting in Montreal. (We authors have done extensive analysis, too much to present on-list, IMHO.) Brian > ________________________________________ > From: GROW <grow-bounces@ietf.org> on behalf of Nick Hilliard < > nick@foobar.org> > Sent: Saturday, June 15, 2019 6:22 AM > To: Brian Dickson > Cc: grow@ietf.org > Subject: Re: [GROW] call for feedback on > draft-ietf-grow-route-leak-detection-mitigation > > Brian Dickson wrote on 15/06/2019 00:42: > > Please take a look and, if you think this is an important problem to fix > > (route leaks), add your voice here. > > there are two things here: route leaks (important), and the proposal in > draft-ietf-grow-route-leak-detection-mitigation. We can probably all > agree that route leaks are a persistent threat. > > What concerns me about this draft is that it takes an over-simplified > view of real-life networks and there's not a small amount of implied > pigeon-holing going on. The difficult with the draft is that many > networks don't fall into these neatly defined categories. There are > back-doors, partial transit configs, PNI arrangements, subnet leaks and > all sorts of weird things out there, none of which are easy to > categorise, but which nevertheless make up an important part of the > routing ecosystem. > > Characterisation of these edge cases is a difficult problem. I'm not > convinced this can be done adequately without an expressive grammar > (note: not rpsl). I'm also not convinced that the approach taken in > draft-ietf-grow-route-leak-detection-mitigation is generic enough to be > worth deploying. > > Nick >
- [GROW] call for feedback on draft-ietf-grow-route… Job Snijders
- Re: [GROW] call for feedback on draft-ietf-grow-r… Brian Dickson
- Re: [GROW] call for feedback on draft-ietf-grow-r… Randy Bush
- Re: [GROW] call for feedback on draft-ietf-grow-r… Nick Hilliard
- Re: [GROW] call for feedback on draft-ietf-grow-r… Alexander Azimov
- Re: [GROW] call for feedback on draft-ietf-grow-r… Sriram, Kotikalapudi (Fed)
- Re: [GROW] call for feedback on draft-ietf-grow-r… Brian Dickson
- Re: [GROW] call for feedback on draft-ietf-grow-r… Sriram, Kotikalapudi (Fed)
- [GROW] An alternative approach to draft-ietf-grow… Iljitsch van Beijnum
- Re: [GROW] An alternative approach to draft-ietf-… Brian Dickson
- Re: [GROW] An alternative approach to draft-ietf-… Job Snijders
- Re: [GROW] An alternative approach to draft-ietf-… Jakob Heitz (jheitz)
- Re: [GROW] An alternative approach to draft-ietf-… Job Snijders
- Re: [GROW] An alternative approach to draft-ietf-… Jakob Heitz (jheitz)