IETF Logo Mail Archive

Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Sun, 18 August 2019 21:48 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A502112013B; Sun, 18 Aug 2019 14:48:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7b5RyL678CV; Sun, 18 Aug 2019 14:48:08 -0700 (PDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02on2119.outbound.protection.outlook.com [40.107.89.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32EDB120047; Sun, 18 Aug 2019 14:48:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EyJO4KUs+DAN7xQhyv6NSez2NzlR3Y44tkFKy6jA3Cfs+jcVrsMUHRgdhYdGmqoYEUQS1QusXYMUvp0Y2iL6FmZrv2B4r1Qy3GaoNFJShqmUIhN3g4XO3yaM/DzqK6S1cTnD9KFbu1UTPGEnAb6FWlJrDlw/4Fxy4ZUxX8sxcxLhNvhmHo5rXcKtL51xzv0EUTiUJavLrUjZ99Z3YrhYjlFXfsyVSCuKMYwwFjzLI5w2c6pbRPnFoxCPfMAOYVwkA15uP5IbHCJOjFeV/GQ+zdiDitSG9ZVceQLnBMJ1eif7k8e03fpMuvSwJ8tqV32d1kVyzCrQLLf4WRL5a4zfjA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=f4h93bsJ99nZ37Hp9KOcoc1mBgnCrfqZRhbHw5rJ1WY=; b=HSvAWxhYO9P7vPSaJNf/W+KHXJzy4J+D+BRpF4LaDMTEoTyzuw4HYdJIqP/rqx9qlw0Igl50poAMSk+Kvt502t0nWr4GJEwSpKGEAKWNFGcey2g4jhHwmtFtxozKA3l2qUTWjeTo4/WpEIzmwY4uHRGBwhUfSsTfQzWZ1ucOBvRTjGAN0NFP4sgws9RmO7e9byXKSFZUZkgR4FExH7aVTz9aNyvpnnv3NkzUpozdk13CgcmWw3YhLfdXJrPn9LMjqlluOryEoc6CNX89xjSr6eEFAJu12NkpAEWbaQQiSr1Oasj3MHZmHS8uf5B4Zia9AeLJiQ3Ko0ZsH40AWtI+5w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=f4h93bsJ99nZ37Hp9KOcoc1mBgnCrfqZRhbHw5rJ1WY=; b=Ug9rY9h+9tApx9k7JBObkB8EgcjFl84G101+JQ/S9E6Dhj0V1wpvtE+XDOBVgQzfmPVd9yoZwZOxm64vGkvKOMVz1bEfdZdTcg4Q47NE6M1bZAYUduItVX9aApos4MEbwm5vmYcTwbfcEaxAehc7ddvu9vhxqP6j7kMrqRlTSiw=
Received: from DM6PR09MB3019.namprd09.prod.outlook.com (20.178.2.203) by DM6PR09MB3020.namprd09.prod.outlook.com (20.178.2.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.18; Sun, 18 Aug 2019 21:48:02 +0000
Received: from DM6PR09MB3019.namprd09.prod.outlook.com ([fe80::fc5a:9648:8e8f:7968]) by DM6PR09MB3019.namprd09.prod.outlook.com ([fe80::fc5a:9648:8e8f:7968%6]) with mapi id 15.20.2178.018; Sun, 18 Aug 2019 21:48:02 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: The IESG <iesg@ietf.org>, Alvaro Retana <aretana.ietf@gmail.com>
CC: "draft-ietf-opsec-urpf-improvements@ietf.org" <draft-ietf-opsec-urpf-improvements@ietf.org>, Sandra Murphy <sandy@tislabs.com>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "Murphy, Sandra" <Sandra.Murphy@parsons.com>
Thread-Topic: Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)
Thread-Index: AQHVVH41+WK2q56zSkaIVPY4TX30Q6cBbRMZ
Date: Sun, 18 Aug 2019 21:48:02 +0000
Message-ID: <DM6PR09MB3019F390CA4A798F87F7DFBC84A90@DM6PR09MB3019.namprd09.prod.outlook.com>
References: <156599290421.23877.9763694862590191063.idtracker@ietfa.amsl.com>
In-Reply-To: <156599290421.23877.9763694862590191063.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.219.117]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4de36717-96ad-49f5-c12d-08d72425beb5
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:DM6PR09MB3020;
x-ms-traffictypediagnostic: DM6PR09MB3020:
x-microsoft-antispam-prvs: <DM6PR09MB3020BDDDD7EEC04C14AC75E884A90@DM6PR09MB3020.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 01334458E5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(366004)(376002)(39850400004)(136003)(346002)(189003)(199004)(51444003)(86362001)(305945005)(66066001)(2906002)(71190400001)(71200400001)(52536014)(5660300002)(256004)(14444005)(5024004)(66574012)(33656002)(6116002)(478600001)(6246003)(3846002)(486006)(53936002)(4326008)(476003)(446003)(11346002)(8936002)(66446008)(64756008)(7696005)(26005)(76176011)(81156014)(55016002)(186003)(102836004)(6436002)(6506007)(99286004)(229853002)(25786009)(74316002)(110136005)(9686003)(14454004)(316002)(7736002)(66946007)(54906003)(91956017)(66476007)(76116006)(66556008)(81166006)(8676002)(87944003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR09MB3020; H:DM6PR09MB3019.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: y7ZNPvUmJHm0nffgpGCM08e3utQBZwRU4d1uG7jhfInfG80+XI/gpnFW+Cra3T6j0yx/0eFlIlWV4FW3ZIr9aY1TBHfiUvGmH3M0uSEMzVJ8xq9caaYuSEA0K54kSnJnhDcUoLmUgty76aILfIeSt6S5dOpQFLwKZB0gv7zWxBDlb/Mt25KLrcnJQ1ae+JyviC4iv3jaREEfDswvCYRrDrtL1/S/M6H00/Gqi2ANUFaLiXzl/iCdWdXhhQTqf03svyxAPecNQlnOGYlvwdiA/BraBiPJBurdF+Gum1Dna8W5hM0NM3NI+S8CbsVaEEF5mR8zvV28alohDbnsSdoKgOsfRm8ea0mpMLVvMbWOC4xlzCCN1rk4zdbkK34Ov36vOWcfH+74m6V1GWBSzru6jHi4z2dF/7myWteN7DmyTSE=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 4de36717-96ad-49f5-c12d-08d72425beb5
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Aug 2019 21:48:02.5188 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: CLTN78CNYz2DRUfaaoNFPiYNHQhVcZRQj8Cndb4VX0R17HxD5nAVPe3h+9GJfEhwX0Ia1EOS9HaNcoq4bqBoUA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR09MB3020
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/Ivh-9xPXPtERHaG8nI3ZwgZQEG0>
Subject: Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Aug 2019 21:48:12 -0000

Alvaro,

Thanks very much for your careful review and comments.
Please see authors’ responses inline below.

>----------------------------------------------------------------------
>DISCUSS:
>----------------------------------------------------------------------
>
>I have significant concerns about the recommendation (in §3.7) to use Algorithm
>A.  I think that the considerations to select an Algorithm are not clear and
>potentially impossible to verify.  Also, the selection of Algorithm A creates a
>vulnerability that could result in legitimate traffic dropped.
>
>§3.7 (Summary of Recommendations) says that "if the scenario does not involve
>complexity...(see Section 3.3, Figure 4), then...Algorithm A...SHOULD be
>applied on customer interfaces."
>
>From Figure 4, how does the operator of ISP4 know that it is not in a
>"challenging scenario" (§3.3)?  How can ISP4 tell the difference between ISP2
>not propagating routes vs it not even being connected to AS1?  By definition,
>each autonomous system can have its own set of policies, which may not be known
>by any of their upstreams.  In short, I find the guidance provided in the
>document to select an algorithm not clear enough to really be actionable --
>specially in a document tagged to be a BCP.

You are asking how does an ISP or AS operator know
that they have a scenario in which Algorithm A is applicable. 
Operators have communications at least with 
their immediate downstream customers. So, consider this 
scenario: Operator of AS4 knows (says), 
“I have only two direct customers AS2 (ISP2) and AS3 (ISP3).
Each of them has assured me that they have customers that
are all stub ASes and that these customers do not currently use 
NO_EXPORT on their announced routes.
My direct customers (ISP2 and ISP3) have mechanisms by which 
they would notify me if this ever changes.
They further assure me that they would never 
deliberately drop their customer routes.”
This gives the operator of AS4 the knowledge/confidence 
that Algorithm A is applicable at their AS.

It should be emphasized that Algorithm A works 
in scenarios like the above (customer cone depth is limited 
to two tiers below the ISP) provided each stub customer 
does not attach NO_EXPORT on *at least* one prefix announcement
out of however many prefixes they announce.
(We’ll add this observation in the draft.)

There can be many realistic scenarios like the above that exist
at the edges of the Internet. But just one is enough to
justify the inclusion of Algorithm A in the recommendations (Sec. 3.7).
(Note: uRPF is expected to work best at the edges of the Internet.) 

Further, the feasible path uRPF (FP-uRPF) is already a BCP (part of BCP 84).
If an operator deems their scenario fit for use of FP-uRPF,
then the EFP-uRPF with Algorithm A is also applicable in that scenario and 
performs equally or better (i.e., lower false positive rate for SA invalid) than FP-uRPF. 
Of course, the EFP-uRPF works better under less restrictive 
conditions than required for FP-uRPF as explained in the draft.  

Of course, according to Section 3.7, if an ISP is uncertain that
Algorithm A is applicable in their scenario, then they SHOULD apply Algorithm B.
We'll be happy to reword the section more carefully if you feel
that would help. You may advise us on any specific wording 
you would like to see added.

>
>Still looking at Figure 4, if the operator of ISP4 uses Algorithm A (because
>he/she thinks they may not be in a "challenging scenario"), then it opens the
>door to ISP2 changing its policy so that the uRPF check in ISP4 fails, as shown
>in Figure 4.  IOW, an attacker in ISP2 could stop advertising reachability to
>some prefixes and cause ISP4 to fail the uRPF check and drop the traffic.  The
>victim in this case could be AS1, whose traffic (through ISP2 to ISP4) was
>flowing fine and then it stopped.

There are two observations that are in order here:
1. An ISP would not normally drop its own paying customer’s 
routes with malicious intent.
2. It is also hard to envision that ISP2 would attack its upstream ISP4
(in Figure 4) just to disrupt its SAV (uRPF), while that results in 
absolutely no gain but only causes unreachability for 
its (ISP2’s) own customer and self-inflicted loss of revenue/customers.    
  
>
>I am balloting DISCUSS because the guidance provided for the selection of an
>Algorithm is not clear enough to be certain that the selection is the correct
>one; and the election of Algorithm A creates a vulnerability (as explained in
>the text) that is not mentioned.
>
>----------------------------------------------------------------------
>COMMENT:
>----------------------------------------------------------------------
>
>(1) The implementation of the EFP-uRPF method is expected at a transit AS.
>However, that AS has no control over what the origin AS and others announce.  

Please see responses above.

>I find the use of rfc2119 keywords in §3.2 inappropriate because none of the
>actions are under the control of the AS implementing uRPF and can't be
>Normatively enforced.
>

Yes, agree. The use of rfc2119 keywords in not necessary in Section 3.2.
The recommendations here are to facilitate feasibility of uRPF
and are not about actions performed by the AS implementing EFP-uRPF.  

>(2) §3.5: "Prefixes from registered ROAs and IRR route objects that include
>ASes in an ISP's customer cone SHOULD be used to augment the appropriate RPF
>lists."  How?  Note that the Introduction already sets the stage by saying that
>"the routes under consideration are assumed to have been vetted based on prefix
>filtering [RFC7454] and possibly (in the future) origin validation [RFC6811]."
>If ROAs SHOULD be used (§3.5), why is origin validation only "possibly (in the
>future)" considered (§1)?  Maybe a better statement would be that "routes
>SHOULD be validated using prefix filtering, origin validation and IRR route
>objects".

We agree with your suggested rewording in Section 1. We’ll use that.
What is advised in Section 3.5 regarding ROAs is as follows.
In Figure 3, suppose that prefix P4 a ROA with with AS1, 
and AS4 (ISP4) may not have received a route for P4 (on a given customer interface).
But AS4 (ISP4) has received (on that customer interface) a route for P1 with 
the same origin AS (AS1) as in the ROA for P4.
Then AS4 (ISP4) should augment its corresponding RPF list with P4
to allow the possibility that AS1 could legitimately announce 
a route for P4 and potentially use a SA (in a data packet) belonging in P4.  
We'll add this explanation in Section 3.5.
  
>
>(3) How does EFP-uRPF work when multiple border routers are present in the AS,
>some customer facing and some not (which I assume to be the normal case)?  I'm
>asking because §3.1 describes the method when "prefixes with the same origin AS
>were received on different interfaces (at border routers)", and the example
>talks about the Local Adj-RIB-Ins.  I think there's a missing explanation of
>how the routers with the customer-facing interfaces learn about *all* the
>received routes if the local policy might select a single BGP best route.
>OTOH, maybe I'm missing something.

Yes, we perhaps need to explain this better in the document.
It is not that “customer-facing interfaces learn about *all* the
received routes” but simply that customer-facing routers 
must learn at least one route (via iBGP/eBGP) for each prefix 
originated by an AS (in its customer cone).”  This is normal in BGP.
(There is a little more to it; but that is already well explained 
in the draft so I’ll not repeat here.)  
Considering AS4 (ISP4) in Figure 3, the customer-facing router 
that is facing AS2 learns at least one route each for P2, P3 via iBGP.
That is how it includes P2 and P3 in the RPF list (in addition to P1)
for the customer-interface towards AS2 (in Algorithm A).  

>
>(4) The document assumes familiarity with terminology such as "customer cone"
>or "lateral peer", that is not explained anywhere.  The average operator will
>most likely know what those terms mean and how they apply to their network.
>However, those operators are not the only people reviewing this document.  A
>short explanation or reference would be nice.

Will do. Will provide explanation or reference or both.
 
>
>(5) Please use the rfc8174 template.

Yes, this is already included in my author’s draft for the next version.

>
>(6) [For the AD/Shepherd.] I'm assuming that the intent is for this document to
>be part of BCP 84, is that correct?  I'm not sure how to let the RFC Editor
>know that is the intent, but it should be made clear somewhere.

I am not sure that “to be part of BCP 84” is the intent.
The intent is that this RFC/BCP (to be published) will be 
a new BCP that updates BCP 84 (RFC  3704). 
It proposes to recommend the new EFP-uRPF which is 
an improvement over the FP-uRPF in RFC 3704. 
We’ll state that explicitly in the abstract as well as the introduction.
The draft header already states – “Updates: RFC3704 (if approved).”

Thank you once again for the detailed review and comments.

Sriram

v2.23.0 | Report a Bug | By Email