IETF Logo Mail Archive

Re: [GROW] An alternative approach to draft-ietf-grow-route-leak-detection-mitigation

Job Snijders <job@fastly.com> Tue, 09 March 2021 19:59 UTC

Return-Path: <job@fastly.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7AB03A0934 for <grow@ietfa.amsl.com>; Tue, 9 Mar 2021 11:59:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BCChAAwnVqXi for <grow@ietfa.amsl.com>; Tue, 9 Mar 2021 11:59:38 -0800 (PST)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 473E73A0935 for <grow@ietf.org>; Tue, 9 Mar 2021 11:59:30 -0800 (PST)
Received: by mail-ed1-x535.google.com with SMTP id x9so22765494edd.0 for <grow@ietf.org>; Tue, 09 Mar 2021 11:59:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:subject:message-id:mime-version:content-disposition; bh=qSZp0N06+MXVMvzKkF4GU8d+x5AaDo1G7Y7BvfT4Tk0=; b=asd7MngzvABIZSFHRwmn0XywqOLZw2xvTbCuMf1wiAUcSWPS8qcpZn8H04iloaPekc 9zp1J/1ZkkywLRMs9RiK3AeQAQaSAoA+e4bwnA0JGZj0oGsquwqd0YTo7xgBbMDMpazy sxAb2XLFu+nvwjft6OSH03k4Pn57SXccS5VuM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition; bh=qSZp0N06+MXVMvzKkF4GU8d+x5AaDo1G7Y7BvfT4Tk0=; b=sP3mpI33ql4jUKG1G/kUfOmyv5UdL9eYr4PjFzK7ulmiDBZfjn3IH0gDcHvXn5+dIT YGglU56mtUI5ph4n/UlgTLqBPRimekS3du8YbO6nFmp2bNH3hAM45VhutZ/X0fkyC3xP NjBwDUbgCfwzcq3uG+qP5ms1H4ACtGVie5wd3/C0VMQ97H/zDDq7LkNSCcWh4r+x3mqn dsHGnYh+zIAbXbx96C4/htEqv7SL6Q+zimvKp0JtiRkWneSc9tVKcwiOcxvqUJDVb9ki fzD56yLuA2izCHVEjnm0fRhV1o0WZIltf0F8WHlUaX76jRczZirVJmQP6W6thw7fiSg0 AUSg==
X-Gm-Message-State: AOAM532QDBrZ1HR0NPi9Gaj8GGknKdES9Iwfe5M3L7aUQV8W3DhAVk3J OWfwnItv1FviNvCic3hcdYnxGV6tQuXqVnAzVmwo+31iy4BmL2w1skV9W2+WQGBp3KVre4LWqib BMCAFWfx6tFyINrP+rCnbbJ+wrma9aIApcwUcb47Ui+sCPeOBmgQ=
X-Google-Smtp-Source: ABdhPJzHrErD49i08zmLVIA0cIxIe8MqyDQeUrmP0P61JNq5p+SEKdcX1e313crEpY7tjEaSEkuWXQ==
X-Received: by 2002:aa7:cd54:: with SMTP id v20mr6243251edw.80.1615319966642; Tue, 09 Mar 2021 11:59:26 -0800 (PST)
Received: from snel ([2a10:3781:276:0:21e:c2ff:fefb:f388]) by smtp.gmail.com with ESMTPSA id x17sm8792412ejd.68.2021.03.09.11.59.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Mar 2021 11:59:26 -0800 (PST)
Date: Tue, 09 Mar 2021 20:59:24 +0100
From: Job Snijders <job@fastly.com>
To: grow@ietf.org
Message-ID: <YEfTnMNU+taoqzal@snel>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/uoKEVWrdw4f2QTYSwcU6mKIYMew>
Subject: Re: [GROW] An alternative approach to draft-ietf-grow-route-leak-detection-mitigation
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 19:59:40 -0000

Dear GROW,

(Removed sidrops@ from CC)

*Wearing a Working Group participant hat*

I reviewed draft-ietf-grow-route-leak-detection-mitigation-04 and it
appears to me there is a shortcut possible in the mitigation algorithm.
This shortcut in turn negates the need to specify any ASN in the "DO
Community". Only requiring a single community opens up the path to use
existing well-known RFC 1997 community as signal between BGP nodes.

The section 4.1 leak mitigation algorithm could be revised such that if
a route path present in the Loc-RIB is considered the best path and
eligible for export to EBGP neighbors, an additional verification step
is performed.

The sender could check whether a 'DO community' is present on the route
in the Loc-RIB, and if the to-be-exported-to EBGP neigbhor is configured
as a 'lateral Peer' or as 'Provider', the route is rejected in the PIB
(Policy Information Base) and thus will not be present in Adj-RIB-Out -
thus blocking a leak from happening. This places the route leak
mitigation solution one step earlier in the BGP 'supply chain' process.

There is an existing well-known BGP Community known as 'NOPEER
Community for BGP Route Scope Control', described in RFC 3765.

Similar to how the mitigation does not truly differentiate between
'Providers' and 'Lateral Peers' (if one considers routing policy puzzles
often can be solved through multiple different combinations of policy in
either of EBGP-IN, IBGP-OUT, IBGP-IN, EBGP-OUT.

The recommendation then simplifies to the following three steps:

1/ Recommend network operators to never strip the RFC 3765 Community
   upon receiving a BGP route from either an IBGP or EBGP neighbor.

2/ Recommend network operators to manually configure (or have BGP OPENv2
   speakers automatically) *add* the NOPEER Community (if it wasn't
   already present) to route paths received from a Lateral Peer or
   Provider. Then proceed with whatever Import Policy applies.

3/ Recommend network operators (or have BGP OPENv2 speakers
   automatically) block routes which contain the NOPEER Community from
   propagating towards EBGP neighbor marked as 'Lateral Peer' or
   'Provider'. The procedure stops.

4/ If the EBGP neighbor is *not* a 'Lateral Peer' or 'Provider', the
   route MAY be added to the Adj-RIB-Out specific to that EBGP neighbor.
   The NOPEER community is not removed (see step 1).

As Nick Hilliard pointed out earlier in this thread, there might be
business requirements which require the operator to override the
autnomous system's default policy, but as the NOPEER Community happens
to be 'just a BGP community', operators can do as they wish with the
received routing information. A case can be made that operators - by
default - would benefit from accepting the NOPEER community and based on
its presence prevent routes from propagating further towards EBGP
neighbors in the Peer/Provider class.

The above proposal is slightly different than the implementation
requirements stemming from honoring GRACEFUL_SHUTDOWN (where the
intention is for the inter-domain signal to be honored on EBGP-IN), the
NOPEER community essentially is best honored in EBGP-OUT policies.

Promoting inter-domain use of the NOPEER community by outlining how
correctly adding & scoping based on this community one can help mitigate
BGP route leaks. The NOPEER community being readily available in most
deployed BGP speakers for any operator wishing to use the mitigation
mechanism, this might make for a compelling argument.

In short 'Down Only' is equivalent to 'Not towards Peers & Providers:

  - in EBGP-IN set NOPEER on routes received from Peers/Providers
  - in EBGP-OUT block NOPEER routes from being announced to Peers/Providers

The above appears incrementally deployable, and compliant with the
specification of NOPEER, and can be promoted through Network Operator
Groups by converting draft-ietf-idr-route-leak-detection-mitigation to
target Best Current Practise (BCP).

Kind regards,

Job

v2.23.0 | Report a Bug | By Email