Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oid-12
Alvaro Retana <aretana.ietf@gmail.com> Tue, 16 March 2021 18:21 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CADD23A0C32; Tue, 16 Mar 2021 11:21:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2OR68W6xSujy; Tue, 16 Mar 2021 11:21:21 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA6263A0C31; Tue, 16 Mar 2021 11:21:20 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id ci14so73626378ejc.7; Tue, 16 Mar 2021 11:21:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc:content-transfer-encoding; bh=YESlJyjm0hnUT/o/1Wo18Nk78IjZMyM/NJwiASKU/lc=; b=hM0HC148/ht2csninek/xS5v4e5nAsN0OvGLHUISXRRfAtReqWs5kAYnQCTZKK3KUR uNywnFkurnx3qkrSP5g8OT9Bmw7cGYbMcofEhdhKE4Ei4zKi0kuF8iSzkznmoMSApNDl xZYXqrxnqxGj4M2zbYumCztl+cyVB5rLsWBn9B1Tup3hkCu2jUZMy5SKyeNUrPRs5ag2 4T9qDtkm2De7sjiommuamy9UH05VLg880HltQkM3Rg2x0At2HndGpBI0pUkqWqKOQWOx 3ftl77EgjQMBXoCk6o2HuJPIkEgWEYfS5dZZbSArotOw9PsPHWa2Txt6677GkpSr9bzy xt5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc:content-transfer-encoding; bh=YESlJyjm0hnUT/o/1Wo18Nk78IjZMyM/NJwiASKU/lc=; b=Ka/NmPbdee1Cjnu4TlxkECfGWsvodwkLNxoeOtZ2Sgr88WvyqwFIIzFh9t714TUF1A OBUdIywZd7uujdCwe0I3b+hFYEsnLmkDr1h79jdjpqQ9HRBz9dgtJA1yXpTAbDWzcsTr +iTaRXNyx2dOoi+E4KjMRZdAdbpgIariHRfECTic84DjkS71Dx1kdXCEpbOy7wl7ZsQ+ btf9Ub18d7JRZTa6oXnSaKNYKSN4gMRptFbL+ubyZgtXdNO8LSy5Gy5R1bWdcuKk3EL2 SyUfoe8cfTtTEcMX6Bgv1zQQUnUICX8CxfiTZSPt84ejOXaNDzPirbNdUwNHexu5LtEh 3JeQ==
X-Gm-Message-State: AOAM531clL8a8j17xvl7gBL2Y4TEwyvNZkXJyA67y0Vd7hxEsaIc0ohu pjd9PeeW4WicD/YwRm/807hEluGh4lE7x4mOxZa7Zw8T
X-Google-Smtp-Source: ABdhPJx/FkDFQsTvCPCoCwLPDUxbnwbAc5bfLiObDa2V1PhNWkx/rI4WAnoCTqdzxtSG1MrSja5w1k8NcqngNp0sUlI=
X-Received: by 2002:a17:906:d554:: with SMTP id cr20mr31326914ejc.61.1615918877611; Tue, 16 Mar 2021 11:21:17 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Tue, 16 Mar 2021 11:21:16 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <DM6PR11MB3194D2E820E675E9C1D65639CD6B9@DM6PR11MB3194.namprd11.prod.outlook.com>
References: <CAMMESsxqRWK2vDPyj-0_ruYoW7pkautFc09MoFBUTKxG23=tyA@mail.gmail.com> <DM6PR11MB3194B28B0BD8A3AF913ECB0ECD919@DM6PR11MB3194.namprd11.prod.outlook.com> <CAMMESsyUtogXkjiQGfP=SDXzNdOu-FJ-e1-NbppD_mZcq+yGkQ@mail.gmail.com> <DM6PR11MB3194D2E820E675E9C1D65639CD6B9@DM6PR11MB3194.namprd11.prod.outlook.com>
MIME-Version: 1.0
Date: Tue, 16 Mar 2021 11:21:16 -0700
Message-ID: <CAMMESswZE+2SD_pFnzXC50cVvJf6XuoWf+uGhkvk7hGsrP0G2w@mail.gmail.com>
To: "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
Cc: Susan Hares <shares@ndzh.com>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, IDR List <idr@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/7vJIcfYUc0Y8JSq4kk-gNqWze4I>
Subject: Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oid-12
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Mar 2021 18:21:23 -0000
On March 15, 2021 at 8:32:06 PM, Juan Alcaide wrote: Juan: > For my dismay, I realized I only had gotten part of your email (till review > line 118). I think a weird problem with my email server. It was more in-deep > review that I thought. Yeah...there seems to be an issue with long messages and Outlook (as far as I can see): the messages are truncated. The IETF archive always gets the whole message. I have also been including an "[End of Review]" signal. :-) > My changes will reflect more or less your suggestions. Ok -- I'll take a look at the details when you post -13. > Before, I have some contentious points I’d like to raise: > > Any alternative naming to ‘ingress border routers’ ? They are just the > routers receiving traffic and far away from FS peering Right -- that is what is confusing: these routers are not at the border or are ingress routers. I don't have a better suggestion. The name is used only 3 times, so perhaps the simply describe where they are... > Around line 311... [It is better if you reply in-line...so we make sure we're both talking about the same thing. ;-)] > ...you mention a new security hole because of the new AS_PATH validation rule. > You are referring to the case of a route-server, right? Let’s say > AS1—(route-server)—AS2. AS1, instead of AS_PATH = 1, could send us AS_PATH = > 100 for the -rogue - FS route. The best-match unicast route could be actually > coming from another route-server client om AS 100 (that is sending -correctly > -the unicast route with AS_PATH=100) This is what I wrote: ==== 306 Redefinition of this AS_PATH validation rule for a Flow 307 Specification does not mean that the original rule in [I-D.ietf- 308 idr-rfc5575bis] cannot be enforced as well. Its enforcement 309 remains optional per [RFC4271] section 6.3. That is, we can 310 enforce the first AS in the AS_PATH to be the same as the neighbor 311 AS for any address-family route (including a Flow Specification). [major] Both rfc5575 and rfc8955 mentioned that the enforcement is required "for security reasons". I'm sure the question will come up about the potential security holes that are now opened if the enforcement is not performed. Please add (preferably in the Security Considerations section) text including any recommendations on when the enforcement can/should be performed. For the general eBGP case, for example, there is the possibility that the left-most ASN matches for both the FS/unicast routes, but that it doesn't correspond to the peer AS. I believe this is a case where an additional vulnerability is introduced --- but also one that can be mitigated by recommending/requiring the enforcement in this type of cases (with appropriate caveats). ==== Yes. The route-server case is a subcase of the "general eBGP case". > Around line 322, you mention we could use the new AS_PATH check for > eBGP-confed routes as well. If we did, then we should also extend it for iBGP > peers. But I don’t see much of a point to it, as long as we do the right > check of the eBGP received routes any further check is redundant. Same > concept that checking on AS_PATH loops only for eBGP received routes. === 318 Using the new rule to validate a Flow Specification route received 319 from an External Border Gateway Protocol (eBGP) peer belonging to 320 the same local domain (in the case that the local AS belongs to a 321 confederation of ASes) is out of the scope of this document. Note 322 that although it's possible, its utility is dubious. ... [minor] Why can't the same check be applied? The text above doesn't talk about segments so it should be able to apply. [minor] As for the value, you seem to be assuming that just because the confederation is in the same administrative domain than there won't be configuration errors or rogue routers. I believe that is a dangerous assumption. === The "normal" iBGP case is different than the confederation case where we do find an eBGP relationship. > Around line 324, you mention we should suppress ‘Other RFC5575bis > Considerations.’. This section had more points that were trimmed when > rfc8995 included those points. Only references left are about 2byte AS old > speakers. Not sure if those references were ever considered for rfc8995. I > guess the meaning of AS_PATH could be inferred w/o these references. rfc8955 > already seems to infer them (although it is basically a copy of the old > rfc4271 rule). Is it assumed that the meaning of AS_PATH is also inferred for > any rfc after rfc6793? In short, yes. rfc6793 formally Updated rfc4271, so any interpretation of the AS_PATH has to consider what rfc6793 says. > In the security section, you mention ‘ibgp are not trusted’. That’s strictly > true, but in the sense of rfc8955 it would seem they are (rfc8955 is only > concerned about trust for eBGP peerings). I can add a note, but is anything > else is required? ==== 412 BGP updates learned from iBGP peers are trusted so the Traffic Flow 413 Specifications contained in BGP updates are trusted. Therefore it is 414 not required to validate that the originator of an intra-domain 415 Traffic Flow Specification matches the originator of the best-match 416 unicast route for the flow destination prefix. This proposal 417 continues to enforce the validation Procedure for eBGP learned 418 Traffic Flow Specifications, as per [I-D.ietf-idr-rfc5575bis] rules. 419 In this way, the security properties of [I-D.ietf-idr-rfc5575bis] are 420 maintained such that an EBGP peer cannot cause a denial-of-service 421 attack by advertising an inter-domain Flow Specification for a 422 destination prefix that it does not provide reachability information 423 for. [major] "iBGP peers are trusted" This is a flawed assumption because it doesn't take into account the possibility of a rogue iBGP speaker. Consider the case where an attacker takes control of a router and creates (or limits) Flow Specifications -- not checking would open the network up to any router becoming an attack point. Yes, I understand that this is not a new vulnerability introduced in this draft. However, the type of risk (creating a Flow Specification) is new to this work and a direct result. Because the origin check won't happen for iBGP, you should mention the risk clearly. ==== As you mention, rfc8955 considers eBGP. The fact that it doesn't say anything about iBGP shouldn't be interpreted as trusting those peers. Even if that was the intent in rfc8955, this document deals directly with iBGP so it makes it the best place to call the risk out. Thanks! Alvaro.
- [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oi… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Susan Hares
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… David Smith (djsmith)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Susan Hares
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)