IETF Logo Mail Archive

Re: [GROW] draft-ss-grow-rpki-as-cones-00

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 23 May 2018 23:41 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B98312785F for <grow@ietfa.amsl.com>; Wed, 23 May 2018 16:41:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id trkktZqkhQvy for <grow@ietfa.amsl.com>; Wed, 23 May 2018 16:41:02 -0700 (PDT)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F42131273B1 for <grow@ietf.org>; Wed, 23 May 2018 16:41:01 -0700 (PDT)
Received: by mail-wr0-x233.google.com with SMTP id a15-v6so22182773wrm.0 for <grow@ietf.org>; Wed, 23 May 2018 16:41:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jb1yyuqVAiL41NYHROyIqjsvhirE7FKE2IsiwQo587Q=; b=IrWGLLAyG5iKQ9VBNWm86kZtLJwJ9aQfUAtydKERfiJJDkBLG5tRzNJFvVmy1O3vcM USq+yU4lSrq+WYW8ZkFpQeCrd5s6TzEwIlnnboNpKl5VdkFhflYZSVZCD5x8Rtks2Wgg lF3RZH6Qc6fb5tG/VqzkcoKRYAIl1EciYl2y5OuC3MIvTeGxRV2BV6jrW1YMSjEXDs1W IX9gHp8h9lv03QMMXe5DvyKB5yLlRcO74a97Hspu1tbfChNhOUkfKzepdDcvDLNn6NrC OwvqfrcqM7LfcC/JDCcgokEeRFZhpgQxMmEDwelOV+EE+iXGZKvYO4XYl0kgGsjLQU3/ UC/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jb1yyuqVAiL41NYHROyIqjsvhirE7FKE2IsiwQo587Q=; b=BCDkCuhT4EelUH0hlQ+CIAiOXnNdwe5I7DvaN5j8f85ip3afkmJy5YxnY/tysWTVbQ tDIrQUmgDzDi7MDQzVzo2ssDzJRKvvUQDq3/Y685mdg6LluciNTB/DHH/vBlRmiOv2K8 FQCthn5AYaN0zV4j9erRjQ8MprMdSIeum+/aHOhbqeqjHcHn5FBROREB4TS7YxrupART wAeuSb40DsCeIMk5kMIwTrQ/Une+uH4GsT/kV0r93MyPrQyCb4mZVfOWyJpGC9ujngOJ 5Ikw7lQt0IIX/Bm66jSQACgo1BJQncFi898Mz5gH3EmeDN/2Nzj/w2/3B3BKXCZkM9k4 WIBg==
X-Gm-Message-State: ALKqPwfqpNIJC1TbfPZZ0nJD0rkhhQn5C1Q4/XQcKgLh8MFYWfJZx2h1 nFs0A6XhUi9eXRkhx7PSt8kbLyTIJFpFERSJy4U=
X-Google-Smtp-Source: AB8JxZoIaauuWtVRtybiwof7eLoIvL47BiE/eLmiRmkowcGhHrb3m9QGFT+QX5zoq8GBxrTY/M4kgz8axQR61WD/OTE=
X-Received: by 2002:adf:9502:: with SMTP id 2-v6mr3821624wrs.241.1527118860422; Wed, 23 May 2018 16:41:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a1c:6144:0:0:0:0:0 with HTTP; Wed, 23 May 2018 16:40:59 -0700 (PDT)
In-Reply-To: <CACWOCC8NvWZQYN9b1y65C_s4J8VATRWmUkKDR-n8CL9J1QY-_g@mail.gmail.com>
References: <8c2da168-af67-9463-adbc-d6a0b778f24d@stucchi.ch> <m2tvr0eq0f.wl-randy@psg.com> <20180523134849.GV56139@hanna.meerval.net> <m2h8mybei6.wl-randy@psg.com> <20180523170728.GW73966@vurt.meerval.net> <CAH1iCir7_oddkaeJGJ-qNyUgwumd55R-0AC8CMPrKmNKGiaxqQ@mail.gmail.com> <CACWOCC8NvWZQYN9b1y65C_s4J8VATRWmUkKDR-n8CL9J1QY-_g@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 23 May 2018 16:40:59 -0700
Message-ID: <CAH1iCiq47xAr21EMa1Kf0shnEgn15Fxq7xDNEEP6-ckkyQacJQ@mail.gmail.com>
To: Job Snijders <job@ntt.net>
Cc: Randy Bush <randy@psg.com>, "grow@ietf.org" <grow@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000349181056ce81106"
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/loIz6j_iHvb3USb13aWytSkZyhE>
Subject: Re: [GROW] draft-ss-grow-rpki-as-cones-00
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 May 2018 23:41:05 -0000

On Wed, May 23, 2018 at 10:46 AM, Job Snijders <job@ntt.net> wrote:

> On Wed, 23 May 2018 at 19:25, Brian Dickson <brian.peter.dickson@gmail.com>
> wrote:
>
>> Sorry for the top-reply:
>>
>> I think the fundamental problem with AS-SETs in IRR is the unilateral
>> aspect of "control" of what amounts to assertion of a relationship.
>>
>
>
> I believe the fundamental problem is (1) the same AS-SET name can exist in
> multiple databases (duplication), (2) you don’t know which as-set belongs
> to which ASN (ownership), and which as-set to use (discovery).
>
> What you describe is quite low on the wish list from my perspective. Are
> you using as-sets for filter generation today?
>


So, the question about what I do, is irrelevant (bordering on ad-hominem).
The relevant questions, IMHO, are:

   - Is anyone using as-sets for filter generation?
   - Are there limitations on the semantics of as-sets, that prevent the
   generation of filters that can stop all classes of route-leaks?
   - Are there ways to fix this, if we go down the RPKI path?

The answers are "yes", "yes", and IMHO, "yes". While they might not be high
on your list, the solution is relatively easy to define and implement, and
to do so in a way that won't block the things you propose already.

It's an addition, optional but recommended, with slightly stronger controls
and semantics.

The "cone" draft allows an AS to assert the "customer-of" relationship to
its transit provider(s).
That's good, and prevents many kinds of route-leaks (presuming
registrations are done and filters built, etc.)
E.g.: leaf AS leaking full tables upstream would be blocked (if transit
providers filter their customers); peer-peer-peer leakage would be blocked
(if peers filter); peer-peer-transit would be blocked (if transit providers
filter their customers).
All of those are where only customer routes should be announced (to
upstreams or peers), limiting the announcements to the "cone".

(Aside: everyone is also building as-path filters from this data too,
right? Because without that, as-path shortening can be done...)

There is one category of leaks, or leak-like attacks, that won't be
prevented using the transit cone, which is what I'm suggesting adding: the
explicit peering sets (for validating the as-paths received from transit
providers).

There currently is no mechanism to detect (or prevent) anyone from claiming
a particular peering (or transit) relationship with any other AS, to their
customers.

Adding explicit peering declarations would enable that, and facilitate
blocking improper announcements by transit providers.

I don't want to give particular named examples, but I believe this is a
problem in places with authoritarian regimes and mandated transit
providers. Anyone peering with such entities, or getting transit from them,
may end up sending traffic over a path that would be ill-advised, if they
were aware of the as-path manipulation.

It is an (extreme) corner case, but I think this is the place to address it
with technology.

By all means, this should not block the primary stuff (unilateral
parent-identification with signatures).

Brian

P.S. I was wrong about the bilateral signing being needed for the transit
path stuff, please forgive that oversight.




>
> Job
>
>>

v2.23.0 | Report a Bug | By Email