Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 20 August 2019 14:29 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FF4012009E; Tue, 20 Aug 2019 07:29:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UjldxbOAB4rT; Tue, 20 Aug 2019 07:29:23 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on2121.outbound.protection.outlook.com [40.107.91.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20208120094; Tue, 20 Aug 2019 07:29:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=khfdzUDn5UFCrYXL08cMH7RAo9zBxajafhiX1ZAecIqHRgHfHg6SmqAvQr+lEeC6iE0/b71YU+rwr7kUTJ0zkh1goYzFMKzN0oBtdEAsD/CSdwnsPEwFszZjtEUEH6ZB+dx6tjDiwwFjfj9an58Gs7+sBskVrF5Q6k+UCn0oGiI0EetzQ7H4DkJIzI+tGdh90rdf5Ay8cRhIN2Txk+DBBaHe6KH9s+s8Kvgi2T0Pe1DIdMo6ZWvqSe+oJDge0yQzaWaoIJ2jugODZWqZQ3l12DKqRI8C1iglwfxc8dseQoFjrDkQh5SsDRqpo9TttjM+zrOIyfMugr2RGJRxiSmJYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7yV19tUeoyCSLV/2Xy/MhZ392rFOShEGatEh1SBrgEI=; b=U6Vewy19FRqzDNNJcDDI9NIx7HlFqWYvhA75eacA6R5fQ5a/O1dLsP4vRxU79jszlwIZFWJcUBbhu1DpboKgGI8cd8qssE+K9mvTHc/epum4K5lNnvHQgRxaz2AIgv3Kvfcx5V8MVofF6wDQyQ1WwfX1P/g6tleIbYTJjurNe4aPNwUpnZR1yzQm/3A8PEQePodTkZjM4TALl/szBIfytcxgxNPYf6DA9KGxbUibU7f9Bi2Z/BE3NnWOTZrHNTNn6S9aWG7mzGjDEn97Cf88Mf25WnF3CSYGYzhZ1hW6Dlpxjaxy1r6GPGJg/TH3vrm/y9jMVikZS4uLjbZFB24Vmg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7yV19tUeoyCSLV/2Xy/MhZ392rFOShEGatEh1SBrgEI=; b=ymcjEockqhuyo73xJ4Co3uOhM7I0mSTs96bXtCBtAtnYRFBgUmQZ9Q3uoXOHLR79TOg1g1Mh/86Bu9MTckwWYubt1nMGkIUSlsL6ASArDMRUlHIUUoCG06wByqxbdxDCxQ4QjXc67Bhrj2hfTgrGDs3NvQ3m0042sQBDX7ziOI0=
Received: from DM6PR09MB3019.namprd09.prod.outlook.com (20.178.2.203) by DM6PR09MB3081.namprd09.prod.outlook.com (20.178.3.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.18; Tue, 20 Aug 2019 14:29:21 +0000
Received: from DM6PR09MB3019.namprd09.prod.outlook.com ([fe80::fc5a:9648:8e8f:7968]) by DM6PR09MB3019.namprd09.prod.outlook.com ([fe80::fc5a:9648:8e8f:7968%6]) with mapi id 15.20.2178.018; Tue, 20 Aug 2019 14:29:21 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Alvaro Retana <aretana.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Sandra Murphy <sandy@tislabs.com>, "Murphy, Sandra" <sandra.murphy@parsons.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-urpf-improvements@ietf.org" <draft-ietf-opsec-urpf-improvements@ietf.org>, Jen Linkova <furry13@gmail.com>
Thread-Topic: Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)
Thread-Index: AQHVVH41+WK2q56zSkaIVPY4TX30Q6cBbRMZgAGRGwCAARoHbw==
Date: Tue, 20 Aug 2019 14:29:21 +0000
Message-ID: <DM6PR09MB3019C877AB5B6B903EDE9A5084AB0@DM6PR09MB3019.namprd09.prod.outlook.com>
References: <156599290421.23877.9763694862590191063.idtracker@ietfa.amsl.com> <DM6PR09MB3019F390CA4A798F87F7DFBC84A90@DM6PR09MB3019.namprd09.prod.outlook.com>, <CAMMESsyW17-dn--FJZYQQyeMvBZ5vyOJVaVH7t3TF+ngDsMyyw@mail.gmail.com>
In-Reply-To: <CAMMESsyW17-dn--FJZYQQyeMvBZ5vyOJVaVH7t3TF+ngDsMyyw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.223.129]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 29275abf-1b1e-4e7b-06b0-08d7257acaa1
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:DM6PR09MB3081;
x-ms-traffictypediagnostic: DM6PR09MB3081:
x-microsoft-antispam-prvs: <DM6PR09MB30812C3A1B27E724C2FE1F0784AB0@DM6PR09MB3081.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 013568035E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(376002)(136003)(346002)(366004)(39860400002)(199004)(189003)(51444003)(30864003)(76116006)(91956017)(256004)(14444005)(316002)(229853002)(6246003)(7736002)(6506007)(305945005)(74316002)(478600001)(8936002)(54906003)(25786009)(53936002)(33656002)(4326008)(76176011)(81166006)(81156014)(7696005)(99286004)(14454004)(110136005)(8676002)(6116002)(186003)(52536014)(3846002)(55016002)(66574012)(486006)(476003)(446003)(11346002)(5660300002)(9686003)(102836004)(71200400001)(71190400001)(66066001)(2906002)(6436002)(66946007)(66476007)(5024004)(66556008)(64756008)(66446008)(26005)(86362001)(87944003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR09MB3081; H:DM6PR09MB3019.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: L49M660EpZ1tAkOOXqiZpHOVu8KK9I7Qz93MjChzbC0peSZU0+7SlvSGZ7jO2hARi3CtKYHaYF4C2JB+cmsU4lXiab6qM/vi6Q4JapSeGF8SIlNo+m0a14c12DDWviVRWV+YSmejc+Khndrrxh3mf5E2xA9lUB0JRtk1irp35CADa1ZE/aDR3cqS2Ofxt8/+rKH59g5PV8GfbwxJqVSe1NDl7DtzzR4z+mhJgEDIe/DDybV6FyrXRXpXjSRFNZroxUkuwVWzOLpSpvb4/w5jUYcS0/0YGef+2TYoaSkTiVZmaj1LHn9dyP7Hy3m4If8mNos3zTNbo+OKzLTHTcLlXtOcHUAr7MurDc35PxcOF/lmRJuL10dlJmMXT90JDc1tB/ZweQxG2KmneE8adhJ9wFO4wofieqjypf11XOniVmU=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 29275abf-1b1e-4e7b-06b0-08d7257acaa1
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Aug 2019 14:29:21.0533 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qM/2z+DTxXIo4XSCqsd7CNIpXiTVCVuzwROelSB4I8LCsvTRgunyiF6F1X6WvEbDuZTKZ+AKYIWVdbVqX5w6Tw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR09MB3081
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/BMs45DbX98H_H1mLQGLpweb5V1E>
Subject: Re: [OPSEC] Alvaro Retana's Discuss on draft-ietf-opsec-urpf-improvements-03: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2019 14:29:26 -0000

Alvaro,

Responses below inline.

>>>---------------------------------------------------------------------- 
>>>DISCUSS: 
>>>---------------------------------------------------------------------- 
>>> 
>>>I have significant concerns about the recommendation (in §3.7) to use Algorithm 
>>>A. I think that the considerations to select an Algorithm are not clear and 
>>>potentially impossible to verify. Also, the selection of Algorithm A creates a 
>>>vulnerability that could result in legitimate traffic dropped. 
>>> 
>>>§3.7 (Summary of Recommendations) says that "if the scenario does not involve 
>>>complexity...(see Section 3.3, Figure 4), then...Algorithm A...SHOULD be 
>>>applied on customer interfaces." 
>>> 
>>>From Figure 4, how does the operator of ISP4 know that it is not in a 
>>>"challenging scenario" (§3.3)? How can ISP4 tell the difference between ISP2 
>>>not propagating routes vs it not even being connected to AS1? By definition, 
>>>each autonomous system can have its own set of policies, which may not be known 
>>>by any of their upstreams. In short, I find the guidance provided in the 
>>>document to select an algorithm not clear enough to really be actionable -- 
>>>specially in a document tagged to be a BCP. 

>>
>>You are asking how does an ISP or AS operator know 
>>that they have a scenario in which Algorithm A is applicable. 
>>Operators have communications at least with 
>>their immediate downstream customers. So, consider this 
>>scenario: Operator of AS4 knows (says), 
>>“I have only two direct customers AS2 (ISP2) and AS3 (ISP3). 
>>Each of them has assured me that they have customers that 
>>are all stub ASes and that these customers do not currently use 
>>NO_EXPORT on their announced routes. 
>>My direct customers (ISP2 and ISP3) have mechanisms by which 
>>they would notify me if this ever changes. 
>>They further assure me that they would never 
>>deliberately drop their customer routes.” 
>>This gives the operator of AS4 the knowledge/confidence 
>>that Algorithm A is applicable at their AS. 

>Precisely the fact that transitive assurances can’t be trusted about networks being well behaved is that mechanisms like ingress filtering, uRPF, RPKI/Origin Validation, BGPSec, etc…have been developed.  I’m sorry, but it sounds ingenuous for the guidance to be to trust your neighbors…


First, I notice that BCP 84 does not use RFC2119/RFC 8174 language. 
So, I think this document can also avoid using upper case SHOULD etc.
Having noted that, I feel there is a difference between saying, 
“ISP should trust their neighbor and should use Algorithm A” 
versus saying, “if an ISP has knowledge (by whatever mechanism they choose) 
that the scenario they are in is amenable to Algorithm A, 
then they may consider using it in their AS.” The draft clearly intends the latter.

I think we shouldn’t dismiss the possibility some ISPs may have the means
to rule out the NO_EXPORT complexity. 
The document would not specify how the determination is made; 
would not even say that it is required.
However, if an ISP finds that they have rapport with their direct customers
or that they have access to their RIB-in feeds or whatever,
and thereby able to determine that Algorithm A can be used, that is their decision.
(I am not saying that the immediate above sentence needs to be stated in the draft.)
In most cases, an ISP will likely find itself using Algorithm B.
How about the following change in the draft in Section 3.7?

OLD text:
   3.  For all other scenarios:
       *  If the scenario does not involve complexity such as NO_EXPORT
          of routes (see Section 3.3, Figure 4), then the enhanced
          feasible-path uRPF method in Algorithm A (see Section 3.1.1)
          SHOULD be applied on customer interfaces.
       *  Else, if the scenario involves the complexity then the
          enhanced feasible-path uRPF method in Algorithm B (see
          Section 3.4) SHOULD be applied on customer interfaces.

NEW text:
   3.  For all other scenarios:
       *  If the ISP has some means to ascertain that the scenario does 
          not involve complexity such as NO_EXPORT
          of routes (see Section 3.3, Figure 4), then the enhanced
          feasible-path uRPF method in Algorithm A (see Section 3.1.1)
          may be applied on customer interfaces.
       *  If there is a possibility that the scenario may involve the complexity,
          or if the ISP simply wishes to avoid any risk associated with Algorithm A
          (see Section 3.3), then the enhanced feasible-path uRPF method 
          in Algorithm B (see Section 3.4) should be applied on customer interfaces.

….
>>It should be emphasized that Algorithm A works 
>>in scenarios like the above (customer cone depth is limited 
>>to two tiers below the ISP) provided each stub customer 
>>does not attach NO_EXPORT on *at least* one prefix announcement 
>>out of however many prefixes they announce. 
>>(We’ll add this observation in the draft.) 
>>
>>There can be many realistic scenarios like the above that exist 
>>at the edges of the Internet. But just one is enough to 
>>justify the inclusion of Algorithm A in the recommendations (Sec. 3.7). 
>>(Note: uRPF is expected to work best at the edges of the Internet.) 
>>
>>Further, the feasible path uRPF (FP-uRPF) is already a BCP (part of BCP 84). 
>>If an operator deems their scenario fit for use of FP-uRPF, 
>>then the EFP-uRPF with Algorithm A is also applicable in that scenario and 
>>performs equally or better (i.e., lower false positive rate for SA invalid) than FP-uRPF. 
>>Of course, the EFP-uRPF works better under less restrictive 
>>conditions than required for FP-uRPF as explained in the draft. 
 
>I couldn’t find much in terms of guidance in rfc3704 about when using FP-uRPF is recommended, except for this: "Feasible Path RPF…is suitable in all the scenarios where Strict RPF is, but multihomed or asymmetric scenarios in particular.  However, one must remember that Feasible RPF assumes the consistent origination and propagation of routing information to work; the implications of this must be understood especially if a prefix advertisement passes through third parties.”  

>I think that the guidance in rfc3704 is about the same as the guidance in this document, plus the fact that some of the potential issues with trusting other networks are at least mentioned there.  However, I don’t think that there’s enough guidance in rfc3704 for this document to simply point at it — the same questions would apply: how would an operator know that "consistent origination and propagation of routing information” is present?


As the draft notes, EFP-uRPF (Algorithm A) is more tolerant than FP-uRPF 
regarding "consistent origination and propagation of routing information”. 
In fact, ASes not using NO_EXPORT on *all* originated prefixes 
paves the way for use of Algorithm A. 
Of course, Algorithm B is highly flexible/accommodative.   


>
>>Of course, according to Section 3.7, if an ISP is uncertain that 
>>Algorithm A is applicable in their scenario, then they SHOULD apply Algorithm B. 
>True, but that still doesn’t provide any tools for the ISP to know either way.  If there’s no way to know (other than trusting your neighbors) that the network is not in the middle of a “challenging scenario”, then why wouldn't Algorithm B always be used?


Yes, it may end up being true that Algorithm B is always used. 
We also want to let ISPs make their own decision about 
applicability of Algorithm A. I am hoping for agreement on the proposed 
wording change in Section 3.7 (with modifications you may suggest).


>>> 
>>>Still looking at Figure 4, if the operator of ISP4 uses Algorithm A (because 
>>>he/she thinks they may not be in a "challenging scenario"), then it opens the 
>>>door to ISP2 changing its policy so that the uRPF check in ISP4 fails, as shown 
>>>in Figure 4. IOW, an attacker in ISP2 could stop advertising reachability to 
>>>some prefixes and cause ISP4 to fail the uRPF check and drop the traffic. The 
>>>victim in this case could be AS1, whose traffic (through ISP2 to ISP4) was 
>>>flowing fine and then it stopped. 

>>
>>There are two observations that are in order here: 
>>1. An ISP would not normally drop its own paying customer’s 
>>routes with malicious intent. 
>>2. It is also hard to envision that ISP2 would attack its upstream ISP4 
>>(in Figure 4) just to disrupt its SAV (uRPF), while that results in 
>>absolutely no gain but only causes unreachability for 
>>its (ISP2’s) own customer and self-inflicted loss of revenue/customers.  

>I also doubt that an operator would take actions to harm its own paying customers — but the routers can be compromised anyway...or the advertisement can come from the customer itself with a NO_EXPORT community, etc..  The main case I’m thinking of is the compromised/rogue router.    In any of those cases, choosing Algorithm A opens the door to vulnerabilities.  Yes, they might be the same (or at least similar) as what exists with FP-uRPF — but they are not mentioned.


Even for other BGP security mechanisms, the issue of compromise 
of a router or RPKI/ROA management system exists.
Due to such compromises, malicious ROAs may get created,
AS prepend count in BGPsec may be changed maliciously, or the route leak 
protection (RLP) attribute in the route leak solution may be maliciously altered.
We hope that such malicious activity is 1% or less of the attacks,
and that we are successfully addressing the other 99% in our solution methods.
I’ll add text accordingly for EPF-uRPF/Algorithm A in the Security Considerations section.
   

>>>---------------------------------------------------------------------- 
>>>COMMENT: 
>>>———————————————————————————————————  
>...
>>>ASes in an ISP's customer cone SHOULD be used to augment the appropriate RPF 
>>>lists." How? Note that the Introduction already sets the stage by saying that 
>>>"the routes under consideration are assumed to have been vetted based on prefix 
>>>filtering [RFC7454] and possibly (in the future) origin validation [RFC6811]." 
>>>If ROAs SHOULD be used (§3.5), why is origin validation only "possibly (in the 
>>>future)" considered (§1)? Maybe a better statement would be that "routes 
>>>SHOULD be validated using prefix filtering, origin validation and IRR route 
>>>objects". 

>>
>>We agree with your suggested rewording in Section 1. We’ll use that. 
>>What is advised in Section 3.5 regarding ROAs is as follows. 
>>In Figure 3, suppose that prefix P4 a ROA with AS1, 
>>and AS4 (ISP4) may not have received a route for P4 (on a given customer interface). 
>>But AS4 (ISP4) has received (on that customer interface) a route for P1 with 
>>the same origin AS (AS1) as in the ROA for P4. 
>>Then AS4 (ISP4) should augment its corresponding RPF list with P4 
>>to allow the possibility that AS1 could legitimately announce 
>>a route for P4 and potentially use a SA (in a data packet) belonging in P4.  
>>We'll add this explanation in Section 3.5. 

>Hmm… Except that the “possibility” that an announcement exists *and* the use as a SA, is different from AS1 really doing it.  IOW, augmenting with the expectation that it may happen has its own risks…
>


Yep, there is that trade-off. Here we choose to further reduce the possibility 
of false positive (for SA invalid) at the expense of some other risk.
Yes, a malicious actor at another AS in the neighborhood 
within the customer cone might take advantage to some extent. 
But the same vulnerability exists even if the update were announced.  


>...
>>> 
>>>(6) [For the AD/Shepherd.] I'm assuming that the intent is for this document to 
>>>be part of BCP 84, is that correct? I'm not sure how to let the RFC Editor 
>>>know that is the intent, but it should be made clear somewhere. 
>>
>>I am not sure that “to be part of BCP 84” is the intent. 
>>The intent is that this RFC/BCP (to be published) will be 
>>a new BCP that updates BCP 84 (RFC 3704). 
>>It proposes to recommend the new EFP-uRPF which is 
>>an improvement over the FP-uRPF in RFC 3704. 
>>We’ll state that explicitly in the abstract as well as the introduction. 
>>The draft header already states – “Updates: RFC3704 (if approved).” 

>Updating rfc3704 and being part of the same BCP are separate considerations.  To me, the fact that this document Updates rfc3704 makes it a good candidate to be part of the same BCP; a BCP can contain more than one RFC.
>
>A good example is BCP 14, which includes rfc2119 and the more recent rfc8174.


Oh, that is good to know. Thanks for clarifying. I am fine with your suggestion.
Will double check with co-authors and Sandy.

Thank you.

Sriram