[Idr] [job@fastly.com: RFC 9234 route leak prevention in the wild!]

Job Snijders <job@fastly.com> Mon, 02 September 2024 13:35 UTC

Date: Mon, 02 Sep 2024 13:35:04 +0000
From: Job Snijders <job@fastly.com>
To: idr@ietf.org
Subject: [Idr] [job@fastly.com: RFC 9234 route leak prevention in the wild!]
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Ma6yIKIDvf02O5YGJbqtrv2S1zQ>

Hello IDR,

You might enjoy a report back from the field on route leak blocking
based on RFC 9234. Please see below.

Kind regards,

Job

----- Forwarded message from Job Snijders <job@fastly.com> -----

Date: Mon, 2 Sep 2024 13:33:00 +0000
From: Job Snijders <job@fastly.com>
To: nanog@nanog.org
Subject: RFC 9234 route leak prevention in the wild!

Dear all,

I'd like to share an update on RFC 9234 deployment. RFC 9234 titled
"BGP Open Policy" aka the "Only-To-Customer" (OTC) BGP Path Attribute is
an anti-route-leak mechanism which is *NOT* based on RPKI! (yes ...
routing security is more than just RPKI! :-)

The basic idea of 9234 is that BGP routers (based on their role in the
Gao-Rexford inter-domain routing model) attach a special BGP Path
attribute, or take action based on the presence and contents of this BGP
Path attribute - with the intention to constrain a route's propagation
radius to just the downstream customer cone of the neighboring ASN.

Most operators will intuitively understand that any route propagating
through multiple IX route servers operated by different IXPs is a route
leak:

```
                 IXP_1         IXP_2
                /     \       /     \
               /       \     /       \
          ISP_A         ISP_B         ISP_C
        (receives)    (leaker)     (originates)
```
(figure 1. propagation from right to left; leak scenario)

In the above example, ISP_A originates a route towards IXP_1's route
servers, IXP_1 propagates the route to ISP_B (so far so good); but for
one reason or another ISP_B subsequently continues propagation of the
route towards IXP_2's route servers, who in turn propagate it to ISP_C.
ISP_B is forwarding IP traffic between ISP_A and ISP_C for zero revenue.
ISP_A and ISP_C are probably not expecting ISP_B to be in the middle.
This situation can happen as a result of a misconfiguration in ISP_B's
equipment, even when all participants use IRR & RPKI ROV to attempt to
mitigate the worst routing incidents.

What does it matter / impact
============================

Calgary-based YYCIX deployed RFC9234 support in late 2022/early 2023
using OpenBGPD; and FranceIX deployed support using BIRD in Q2 2024.
Both IXPs configured their route servers to reject BGP routes that have
an OTC attribute attached, and to attach an OTC attribute when
propagating routes to the Route Server's peers.

As it happens to be, currently (Mon Sep 2 12:26:50 UTC 2024) a small route leak
is happening involving both YYCIX and FranceIX Route Servers via an ISP
connected to both IXPs' Route Servers; with the leak being stopped at YYCIX
thanks to RFC 9234! Appendix A contains a table of leaked IPv4 routes.

Let's zoom in on 1 entry:

```
    $ bgpctl show rib 157.185.154.0/24 detail
    
    BGP routing table entry for 157.185.154.0/24
        6939 38040 54994
        Nexthop 206.126.225.20 (via 206.126.225.20) Neighbor 206.126.225.20 (216.218.252.194)
        Origin IGP, metric 1911, localpref 100, weight 0, ovs not-found, avs unknown, external, otc leak
        Last update: 11:58:08 ago
        Communities: 0:2906 0:16265 0:16276 0:18638 0:41690 0:48641 0:49029
        Ext. Communities: ovs not-found
        Large Communities: 53339:11:1 53339:11:3
        Aggregator: 54994 [163.171.131.254]
        OTC: 51706
```
(figure 2. inspecting a leaked route using OpenBGPD's CLI)

In figure 2. one can see the route is marked as 'otc leak', this was
made possible because FranceIX's route servers attached the OTC
attribute with the ASN value set to their Route Server's ASN (51706).

```
                 YYCIX              FranceIX
                .     x         <adds OTC>  \
               .       \          /          \
          ISP_A         6939_38040            54994
```
(figure 3. right to left: real world example of blocked leak)

In figure 3 AS 54994 originates 157.185.154.0/24 and propagates a route
towards the FranceIX route servers. FranceIX accepts this route
(probably because an IRR route object exists) and propagates it onward
with the "Only-To-Customer" attribute set to 51706. The route is
received by AS 38040, who appear to propagate the route to their
upstream 6939. << An AS 38040 router is likely misconfigured! >>
Then 6939 sends its customer's routes to the YYCIX route server, but the
YYCIX route server recognizes that the route already passed through a
'valley' and thus considers this a leak; and blocks further propagation
towards ISP_A.

Impact with partial deployment
==============================

RFC 9234 is an easy mechanism to configure and debug for both small &
large network operators and IXP route server operators. In the above
scenario YYCIX and FranceIX are likely the only 2 entities in the entire
AS path which support RFC 9234; but we're already seeing leaks being
blocked despite partial deployment!

It's not hard to imagine that many IX-to-IX route leaks can be blocked
with only the IXP operators themselves enabling RFC 9234 support.
The world's most popular RS implementations (BIRD and OpenBGPD)
already support RFC 9234! Tens of thousands of IX customers would enjoy
the benefits of a few hundred IXPs taking action. RFC 9234 has no
dependency on the RPKI, this means tha

What can you do?
================

Just ask your vendors (your hardware routers and IXPs) to implement and
deploy RFC 9234! :-) The more people ask, the more it'll bubble to the
top of the priority list. The cost of implementing & deploying RFC 9234
is excellent bang for buck.

Closing words
=============

Shout out to our friends at FranceIX and MSK-IX for being amongst the
first IXPs to deploy RFC 9234! Your effort helped reduce the potential
impact of today's route leak!

Kind regards,

Job
(YYCIX volunteer)

Appendix A:
-----------

Vantage point: YYCIX Route Server 1 (rs1.yycix.ca)
Timestamp: Mon Sep  2 12:31:50 UTC 2024

Destination Prefix  AS_PATH
102.164.129.0/24    6939 37613 6758 37649 i
102.164.139.0/24    6939 37613 6758 37649 37649 37649 37649 37649 i
102.164.140.0/24    6939 37613 6758 37649 i
102.164.141.0/24    6939 37613 6758 37649 i
102.164.182.0/24    6939 37613 6758 37649 i
154.65.33.0/24      6939 37613 6758 37649 i
154.65.34.0/24      6939 37613 6758 37649 i
154.65.35.0/24      6939 37613 6758 37649 i
154.65.36.0/24      6939 37613 6758 37649 i
154.65.37.0/24      6939 37613 6758 37649 i
154.65.38.0/24      6939 37613 6758 37649 i
154.65.39.0/24      6939 37613 6758 37649 i
154.72.35.0/24      6939 37613 37100 37027 37063 327721 i
157.185.151.0/24    6939 38040 54994 i
157.185.154.0/24    6939 38040 54994 i
163.171.164.0/24    6939 38040 54994 i
192.150.250.0/23    6939 4651 4618 4618 63529 4621 3836 i
196.50.8.0/24       6939 37613 6758 37649 i
196.50.9.0/24       6939 37613 6758 37649 i
196.50.11.0/24      6939 37613 6758 37649 37649 37649 37649 37649 i
196.50.13.0/24      6939 37613 6758 37649 37649 37649 37649 37649 i
196.50.14.0/24      6939 37613 6758 37649 i
2001:67c:15f4::/48  6939 41103 i
2401:c500:fd08::/48 6939 4637 38040 54994 i
2a01:53c0:ff03::/48 6939 4637 38040 54994 i
2a01:53c0:ff0f::/48 6939 4637 38040 54994 i
2a01:58c0::/32      6939 16347 42487 i
2a03:8920::/32      6939 41103 i
2a03:d602::/31      6939 16347 42487 i
2a03:d606::/31      6939 16347 42487 i
2a0d:ee00::/32      6939 16347 42487 i
2a0e:5b80::/29      6939 16347 42487 i
2a0e:e080::/32      6939 16347 42487 i
2a0f:c540::/29      6939 16347 42487 i


----- End forwarded message -----
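
The OTC ingress and egress rules from RFC 9234 section 5, replayed over the figure 3 path, as an added example that is not part of the original message and not code from OpenBGPD or BIRD. The function names and the lowercase role strings are assumptions made for this sketch; the ASNs and the prefix are the ones shown in figures 2 and 3, and AS 38040 and AS 6939 are assumed not to implement RFC 9234.

```python
# Added illustration of RFC 9234 section 5 (OTC rules); not router code.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    otc: Optional[int] = None   # Only-To-Customer attribute value, None if absent

def ingress(route, remote_role, remote_asn):
    """Apply the ingress rules; remote_role is the neighbor's BGP Role.
    Returns (eligible, route)."""
    if route.otc is not None:
        if remote_role in ("customer", "rs-client"):
            return False, route                  # came back up from below: leak
        if remote_role == "peer" and route.otc != remote_asn:
            return False, route                  # marked by someone other than this peer: leak
    elif remote_role in ("provider", "peer", "rs"):
        route = replace(route, otc=remote_asn)   # mark on behalf of the sender
    return True, route

def egress(route, remote_role, local_asn):
    """Apply the egress rules. Returns the route to send, or None to suppress."""
    if route.otc is not None:
        return None if remote_role in ("provider", "peer", "rs") else route
    if remote_role in ("customer", "peer", "rs-client"):
        return replace(route, otc=local_asn)
    return route

def replay_figure_3():
    """AS 54994 -> FranceIX RS (51706) -> AS 38040 -> AS 6939 -> YYCIX RS."""
    r = Route("157.185.154.0/24")                # as originated, no OTC yet
    ok, r = ingress(r, "rs-client", 54994)       # FranceIX RS hears its client
    assert ok
    r = egress(r, "rs-client", 51706)            # FranceIX RS -> 38040, adds OTC
    # Assumption: 38040 and 6939 do not implement RFC 9234, so the optional
    # transitive attribute travels through them unchanged.
    ok, r = ingress(r, "rs-client", 6939)        # YYCIX RS hears its client 6939
    return ok, r.otc

def if_38040_enforced():
    """Counterfactual: 38040 applies the rules towards its provider 6939."""
    r = Route("157.185.154.0/24", otc=51706)     # as sent by the FranceIX RS
    ok, r = ingress(r, "rs", 51706)              # 38040 hears the route server
    return egress(r, "provider", 38040) if ok else None

if __name__ == "__main__":
    print(replay_figure_3(), if_38040_enforced())
```

The replay ends with the route ineligible at the YYCIX route server while still carrying OTC 51706, matching the `otc leak` flag and `OTC: 51706` line in figure 2; the counterfactual shows the same rules suppressing the route one hop earlier had AS 38040 applied them.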