[Idr] Destination-IP-Origin-AS Filter for BGP Flow Specification

Robert Raszuk <robert@raszuk.net> Mon, 04 November 2019 17:50 UTC

From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 4 Nov 2019 18:50:29 +0100
Message-ID: <CAOj+MMHLFxe94chd1woN74KeJy3UQa2mfSjXjrE7uudPBDw6KQ@mail.gmail.com>
To: rainsword.wang@huawei.com, wangaj3@chinatelecom.cn, Zhuangshunwan <zhuangshunwan@huawei.com>
Cc: "idr@ietf. org" <idr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/x6xoTdJ9vBVDaqh2dv5NshMJ8Go>

Dear Authors of draft-wang-idr-flowspec-dip-origin-as-filter,

After reading this document with interest I am scared!

You have constructed a fantastic tool to hijack traffic to any AS or, for
that matter, blackhole it completely with surgical precision.

Yet the draft does not say a word about validation of such filters. In fact
it describes use cases where validation would not be done as no destination
IP address would be present at all. Section 4 just illustrates DST ASN +

Technically you highlight the value of the proposal by stating that R1
needs to install only one rule in the data plane:

    Using the method defining in this draft, the ISP AS64597 needs to
    setup only one "Destination Origin AS + Source Prefix" rule in Router
    R1 as following:

      | Destination  | Source Prefix | Redirect to IP Nexthop |
      | IP Origin AS |               |                        |
      |  64598       | IP Prefix 61  |       R3               |

      Figure 3: Steering the Traffic Using Origin AS and Source Prefix

Well packets do not carry ASNs so that may be a bit tricky for the data

I assume you mean that the router will explode a given Dst ASN into all atomic
BGP destination announcements, either by BGP AS_PATH match or by RIR/RPKI
lookup. So effectively one such control plane rule may result in 100s if
not 1000s of data plane match rules.

And at the end you state:

    5.  Security Considerations

    No new security issues are introduced to the BGP protocol by this
    specification.

IMHO this proposal both on security and technical grounds should not
proceed any further.

Many Thx,
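As an added illustration of the two points raised in the message (not code from the email, the draft, or any router vendor): one "destination origin AS + source prefix" rule fans out into one data-plane entry per route originated by that AS, and the RFC 8955 section 6 validation check has no destination prefix to anchor to when the rule carries only an origin AS. The RIB contents and the source prefix 10.0.61.0/24 (standing in for "IP Prefix 61") are constructed; AS64597 and AS64598 are the numbers from the draft's Figure 3.

```python
import ipaddress

# Constructed unicast RIB of router R1: (prefix, AS_PATH) learned from its peers.
# The origin AS is the last element of the AS_PATH; 64598 is the origin named in Figure 3.
RIB = [
    ("192.0.2.0/24",      [64597, 64598]),
    ("198.51.100.0/25",   [64597, 64599, 64598]),
    ("198.51.100.128/25", [64597, 64599, 64598]),
    ("203.0.113.0/24",    [64597, 64600]),
]


def origin_as(as_path):
    return as_path[-1]


def expand_dst_origin_as_rule(rib, dst_origin_as, src_prefix, action):
    """Expand one 'Destination Origin AS + Source Prefix' control-plane rule into the
    per-destination-prefix entries the forwarding plane needs, since packets carry no ASN.
    A single rule therefore matches every route the named AS originates."""
    return [(dst, src_prefix, action)
            for dst, path in rib if origin_as(path) == dst_origin_as]


def best_match_origin(rib, dst_prefix):
    """Origin AS of the longest-matching unicast route covering dst_prefix, or None."""
    target = ipaddress.ip_network(dst_prefix)
    covering = [(ipaddress.ip_network(p), path) for p, path in rib]
    covering = [(n, path) for n, path in covering if target.subnet_of(n)]
    if not covering:
        return None
    return origin_as(max(covering, key=lambda np: np[0].prefixlen)[1])


def flowspec_rule_valid(rib, flowspec_originator_as, dst_prefix):
    """RFC 8955 section 6 style check (simplified to the originating AS): a Flow
    Specification is accepted only if its originator matches the originator of the
    best-match unicast route for the destination prefix it embeds. With no destination
    prefix there is nothing to validate against, so the rule is rejected."""
    if dst_prefix is None:
        return False
    return best_match_origin(rib, dst_prefix) == flowspec_originator_as


if __name__ == "__main__":
    entries = expand_dst_origin_as_rule(RIB, 64598, "10.0.61.0/24", "redirect R3")
    print(f"one control-plane rule -> {len(entries)} data-plane entries")
    print("origin-AS-only rule passes validation:", flowspec_rule_valid(RIB, 64598, None))
```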