[Idr] Re: [Sidrops] Re: WG LC for draft-ietf-idr-deprecate-as-set-confed-set-14 (7/8 to 7/ - call continues from 7/8 to 7/26/2024 - 2nd extensions to 8/6
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Thu, 22 August 2024 17:01 UTC
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Date: Thu, 22 Aug 2024 17:00:44 +0000
Message-ID: <SA1PR09MB81426C4495383D73E68484EC848F2@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB81429DA3D95133F743EE2FF184BE2@SA1PR09MB8142.namprd09.prod.outlook.com> <CO1PR08MB6611189A21004F78179BDF24B38D2@CO1PR08MB6611.namprd08.prod.outlook.com> <ZsTuq46mz8lqQ-Ag@diehard.n-r-g.com> <SA1PR09MB81420D4FFD4A9E5DE21F72CF848F2@SA1PR09MB8142.namprd09.prod.outlook.com> <Zsb4cBwCT7l3QYk_@diehard.n-r-g.com>
In-Reply-To: <Zsb4cBwCT7l3QYk_@diehard.n-r-g.com>
CC: "idr@ietf.org" <idr@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, "grow@ietf.org" <grow@ietf.org>
Subject: [Idr] Re: [Sidrops] Re: WG LC for draft-ietf-idr-deprecate-as-set-confed-set-14 (7/8 to 7/ - call continues from 7/8 to 7/26/2024 - 2nd extensions to 8/6
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/vtdXncF2MrQgjLaViRuub2rG9zA>
>I doubt this is a widespread issue but at the same time this is a possible attack vector and security concern.

Yes, I think the attack type you allude to would be rare. It is an attack by a rogue OLD BGP speaker (i.e., one that is not upgraded to RFC6793) in the path. The rogue speaker removes AS_SET from the AS_PATH, but it leaves unperturbed the AS4_PATH attribute (with AS_SET in it).

>We did implement choice B and are therefore in favour of this method.

However, for such security concern as described above, wouldn't it be better to just not trust the UPDATE and use choice A (treat-as-withdraw)? Choice A also seems consistent with deprecation of AS_SET and AS_CONFED_SET.

Let us see what others have to say about it.

Sriram

=====================

-----Original Message-----
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Sent: Thursday, August 22, 2024 4:36 AM
To: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>
Cc: Ketan Talaulikar <ketant.ietf@gmail.com>; idr@ietf.org; sidrops@ietf.org; grow@ietf.org
Subject: [Sidrops] Re: WG LC for draft-ietf-idr-deprecate-as-set-confed-set-14 (7/8 to 7/ - call continues from 7/8 to 7/26/2024 - 2nd extensions to 8/6

On Thu, Aug 22, 2024 at 03:46:11AM +0000, Sriram, Kotikalapudi (Fed) wrote:
> [Jeff, Ketan, Sue, Keyur, all ... please share if you have some
> thoughts about this]
>
> Hi Claudio,
>
> >If a router sends you an AS_PATH without AS_SET and an AS4_PATH with AS_SET ....
>
> You raise a good question. Section 3.1 observations are based on the
> premise that if RFC6793 is implemented correctly by the sender and
> preceding ASes in the AS path, then the above will not happen. But you
> think it could happen due to an intentional attack by the sender or a
> preceding AS.

If systems implement RFC6793 then why are they running without 4-byte ASN in the first place? Systems that only support 2-byte ASN do not follow RFC6793 since they don't support it.
So you can not assume they will do anything regarding RFC6793 correctly.

I doubt this is a widespread issue but at the same time this is a possible attack vector and security concern. It is a loophole which should be closed.

> All:
>
> OK, let us see if we can address this.
>
> Which of the following methods for modifying the recommendations at the top of Section 3 would be preferable (click to see Sec. 3: https://datatracker.ietf.org/doc/html/draft-ietf-idr-deprecate-as-set-confed-set-15#name-recommendations ?
>
> Method A: Modify the second bullet in Sec. 3 as follows:
>
> * Upon reception of BGP UPDATE messages containing AS_SETs or AS_CONFED_SETs in the AS_PATH or AS4_PATH, MUST use the "treat-as-withdraw" error handling behavior as per [RFC7606].
>
> Method B. The second bullet in Sec. 3 remains as is but add a third bullet as follows:
>
> (unchanged second bullet)
> * Upon reception of BGP UPDATE messages containing AS_SETs or AS_CONFED_SETs in the AS_PATH, MUST use the "treat-as-withdraw" error handling behavior as per [RFC7606].
>
> (new third bullet)
> * Upon reception of BGP UPDATE messages not containing AS_SETs or AS_CONFED_SETs in the AS_PATH but containing AS_SETs in the AS4_PATH, MUST use the "attribute discard" approach for the (malformed) AS4_PATH as per [RFC7606].
>
> Note (with Choice B): The handling of UPDATES with AS_CONFED_SETs in the AS4_PATH is as specified in [RFC6793].

We did implement choice B and are therefore in favour of this method.

> Thanks for your anticipated inputs.
>
> Sriram
>
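The two options compared in the message above (Method A: any SET in AS_PATH or AS4_PATH is treat-as-withdraw; Method B: SET in AS_PATH is treat-as-withdraw, AS_SET only in AS4_PATH is attribute-discard), as an added example that is not part of the thread and not any participant's or vendor's implementation. It classifies a received UPDATE's path segments into the RFC 7606 action each choice would take, and includes a detector for the exact mismatch Claudio describes (no SET in AS_PATH but a SET in AS4_PATH), which is the condition an operator would want logged regardless of which choice is adopted. The `Update` structure, the segment encoding and the sample paths are constructed for illustration; the AS_CONFED_SET-in-AS4_PATH case is only flagged, because the note under Choice B leaves that handling to RFC 6793.

```python
"""Decision logic for the two WG-LC options (added example, not from the thread)."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple

# AS_PATH segment type codes (RFC 4271, RFC 5065).
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SET_TYPES = (AS_SET, AS_CONFED_SET)

Segment = Tuple[int, List[int]]  # (segment type, ASNs in that segment)


class Action(Enum):
    ACCEPT = "accept"                        # no SET segment anywhere
    TREAT_AS_WITHDRAW = "treat-as-withdraw"  # RFC 7606 session-preserving error handling
    DISCARD_AS4_PATH = "attribute-discard"   # RFC 7606: drop the malformed AS4_PATH, keep the UPDATE
    DEFER_TO_RFC6793 = "rfc6793"             # AS_CONFED_SET in AS4_PATH: left to RFC 6793 by the draft


@dataclass
class Update:
    """Constructed, minimal view of the two path attributes of one UPDATE."""
    as_path: List[Segment]
    as4_path: Optional[List[Segment]] = None  # absent when no OLD speaker was on the path


def contains_set(segments: Optional[List[Segment]]) -> bool:
    """True if any AS_SET or AS_CONFED_SET segment is present."""
    return any(seg_type in SET_TYPES for seg_type, _ in (segments or []))


def as4_path_inconsistent(u: Update) -> bool:
    """The mismatch from the thread: a clean AS_PATH but a SET hidden in AS4_PATH.
    Worth logging as a detection signal whichever method is deployed."""
    return not contains_set(u.as_path) and contains_set(u.as4_path)


def method_a(u: Update) -> Action:
    """Choice A: a SET in AS_PATH *or* AS4_PATH -> treat-as-withdraw."""
    if contains_set(u.as_path) or contains_set(u.as4_path):
        return Action.TREAT_AS_WITHDRAW
    return Action.ACCEPT


def method_b(u: Update) -> Action:
    """Choice B: SET in AS_PATH -> treat-as-withdraw; AS_SET only in AS4_PATH -> discard AS4_PATH;
    AS_CONFED_SET only in AS4_PATH -> handled as RFC 6793 specifies (not implemented here)."""
    if contains_set(u.as_path):
        return Action.TREAT_AS_WITHDRAW
    if u.as4_path is not None:
        seg_types = {seg_type for seg_type, _ in u.as4_path}
        if AS_SET in seg_types:
            return Action.DISCARD_AS4_PATH
        if AS_CONFED_SET in seg_types:
            return Action.DEFER_TO_RFC6793
    return Action.ACCEPT


def apply_method_b(u: Update) -> Optional[Update]:
    """Attributes left after Choice B: None means the route is withdrawn;
    after attribute-discard only the 2-byte AS_PATH remains for path selection."""
    action = method_b(u)
    if action is Action.TREAT_AS_WITHDRAW:
        return None
    if action is Action.DISCARD_AS4_PATH:
        return replace(u, as4_path=None)
    return u


# Constructed samples. 23456 is AS_TRANS (RFC 6793); other ASNs are documentation/private ranges.
CLEAN = Update(as_path=[(AS_SEQUENCE, [64496, 64497])])
SET_IN_AS_PATH = Update(as_path=[(AS_SEQUENCE, [64496]), (AS_SET, [64497, 64498])])
SET_ONLY_IN_AS4 = Update(
    as_path=[(AS_SEQUENCE, [64496, 23456])],
    as4_path=[(AS_SEQUENCE, [64496]), (AS_SET, [4200000001, 4200000002])],
)
CONFED_SET_IN_AS4 = Update(
    as_path=[(AS_SEQUENCE, [64496, 23456])],
    as4_path=[(AS_CONFED_SET, [4200000003])],
)

if __name__ == "__main__":
    for name, u in [("clean", CLEAN), ("set in AS_PATH", SET_IN_AS_PATH),
                    ("set only in AS4_PATH", SET_ONLY_IN_AS4),
                    ("confed set in AS4_PATH", CONFED_SET_IN_AS4)]:
        flag = " [AS4_PATH inconsistent]" if as4_path_inconsistent(u) else ""
        print(f"{name:24s} A={method_a(u).value:18s} B={method_b(u).value}{flag}")
```

The only input on which the two choices differ is the one Claudio raised: a clean AS_PATH with a SET in AS4_PATH. Method A withdraws the route, Method B keeps it on the 2-byte path alone; `as4_path_inconsistent` fires in both cases, so the event can be counted even where the route is retained.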