Re: [sidr] WG Last Call Request for draft-ietf-sidr-roa-validation-10
Geoff Huston <gih@apnic.net> Wed, 17 November 2010 04:02 UTC
Return-Path: <gih@apnic.net>
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 5CD8F3A67ED for <sidr@core3.amsl.com>;
Tue, 16 Nov 2010 20:02:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.101
X-Spam-Level:
X-Spam-Status: No, score=-101.101 tagged_above=-999 required=5
tests=[BAYES_00=-2.599, HELO_DYNAMIC_DHCP=1.398, RDNS_DYNAMIC=0.1,
USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nLb2U-XRq2rF for
<sidr@core3.amsl.com>; Tue, 16 Nov 2010 20:02:02 -0800 (PST)
Received: from asmtp.apnic.net (asmtp.apnic.net [IPv6:2001:dc0:2001:11::199])
by core3.amsl.com (Postfix) with ESMTP id 0C8963A677E for <sidr@ietf.org>;
Tue, 16 Nov 2010 20:02:01 -0800 (PST)
Received: from dhcp-27-178.ripemtg.ripe.net (dhcp-27-178.ripemtg.ripe.net
[193.0.27.178]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No
client certificate requested) by asmtp.apnic.net (Postfix) with ESMTP id
77221D5953; Wed, 17 Nov 2010 14:02:05 +1000 (EST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C49307DC1C029C@MBCLUSTER.xchange.nist.gov>
Date: Wed, 17 Nov 2010 15:01:41 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <C1083B35-D45D-44F0-9C84-B78CA2FB2DD3@apnic.net>
References: <20101111020725.D08B63A68C8@core3.amsl.com>
<72030833-DB5D-48F6-A9AA-C0A579646727@apnic.net>
<D7A0423E5E193F40BE6E94126930C49307DC1C029C@MBCLUSTER.xchange.nist.gov>
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
X-Mailer: Apple Mail (2.1082)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] WG Last Call Request for draft-ietf-sidr-roa-validation-10
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>,
<mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>,
<mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Nov 2010 04:02:03 -0000
On 16/11/2010, at 10:27 AM, Sriram, Kotikalapudi wrote:
> This comment applies to draft-ietf-sidr-roa-validation
> and also to draft-ietf-sidr-pfx-validate-00.
>
> One additional question that I feel the origin validation algorithms need to consider is
> as follows. Should there be a fourth Validation state added to the existing three?
> 1. Valid
> 2. Valid-i (Valid - imperfect; AS matches but max-length exceeded) -- proposed new state
> 3. Unknown (or Not Found)
> 4. Invalid
>
> The rationale for the proposed additional state "Valid-i" is as follows.
> Let us say a prefix owner has prefix 10.1.0.0/20 and also own AS1.
> He has a ROA registered: {10.1.0.0/20, AS1, maxlength = 22},
> and has announced 10.1.0.0/20 with origin AS = AS1.
> An adversary has AS2, and announces 10.1.0.0/23 with origin AS = AS2.
> During partial deployment, the adversary's announcement gets
> accepted in routing tables because potentially the /23 could be a suballocation
> to a customer with AS2 that does not have a ROA yet.
In draft-ietf-sidr-roa-validation the table on page 4 indicates quite
clearly that the intent of the {10.1.0.0/20, AS1, maxlength = 22}
includes the intent that relying parties should treat more specifics
of this route has having a validity state of "invalid"
> The legitimate prefix owner detects that there is a hijack attempt,
> and then announces 10.1.0.0/23 with origin AS = AS1
> in order to recover quickly at least some of the traffic.
Again the draft indicates quite clearly that with this additional route
advertisement BOTH advertisements (origin AS2 and AS3) would have a validity
state of "invalid".
> But both the hijack update of the adversary as well as the recovery
> update of the legitimate prefix owner for 10.1.0.0/23 will be marked as "Invalid".
agreed.
> The legitimate prefix owner has no advantage over the hijacker!
> I think this is not desirable. The origin AS in the recovery update
> matches that in the ROA, except that the legitimate owner
> has momentarily exceeded the maxlength in order to recover his hijacked subprefix.
> If we introduce the additional validation state "Valid-i" as
> described above, then this undue disadvantage for the legitimate
> owner can be mitigated.
> Routers will give higher preference for "Valid-i" over "Invalid"
> and thus mitigate the problem stated above.
> The same principles will apply if the legitimate prefix owner
> wants to recover his traffic by announcing even more specific /24s.
>
If folk chose to accept routes with a validity state of "invalid"
then one has to ask oneself: why bother with this entire exercise?
If AS1 wants to bias a relying party who accepts routes with an
"invalid" validity state, then surely the response would be to issue
a new ROA with maxlength 23 when advertising the more specific route
(i.e. a ROA with {10.1.0.0/20, AS1, maxlength = 23}).
Of course the downside of this form of response is that a naughty
party can generate a bogus route for the /23 and fake the origin
to be AS1.
But also of course all we are talking about so far is origination
validation, and the story about securing BGP routes is totally
incomplete without also having a mechanism to undertake AS_PATH
validation. Origin validation alone cannot address attacks that
lie about Path, and to my mind trying to address one form of
attack with a different form of provision of validation credentials
is yet again an instance of trying to jam round pegs into square holes.
Having explored such byways of additional validity states in earlier
iterations of this draft (see -00, for example), and receiving at the
time robust negative comment from WG members at the time as to the
wisdom and feasibility of such an approach, it is my impression that
most WG members with an active interest in this topic see no value
in adding further complexity to the ROA semantics beyond what is in
the current iteration of this draft. Having spent some time thinking
about this myself in revising this document in response to such
earlier comments, its a position with which I now personally favour
as well.
thanks,
Geoff
>
> Sriram
>
>> -----Original Message-----
>> From: sidr-bounces@ietf.org [mailto:sidr-bounces@ietf.org] On Behalf Of Geoff Huston
>> Sent: Wednesday, November 10, 2010 9:12 PM
>> To: sidr@ietf.org wg
>> Cc: sidr-chairs@tools.ietf.org
>> Subject: [sidr] WG Last Call Request for draft-ietf-sidr-roa-validation-10
>>
>> Hi,
>>
>> We've revised this draft as per the informal poll of the WG in today's SIDR meeting
>> regarding the text concerning a "origin AS" when the AS_PATH contain as AS_SET path
>> element.
>>
>> We request the chairs to conduct a WG Last Call for this draft.
>>
>> thanks
>>
>> Geoff & George
>>
- [sidr] WG Last Call Request for draft-ietf-sidr-r… Geoff Huston
- Re: [sidr] WG Last Call Request for draft-ietf-si… Sriram, Kotikalapudi
- Re: [sidr] WG Last Call Request for draft-ietf-si… Geoff Huston
- Re: [sidr] WG Last Call Request for draft-ietf-si… Rob Austein
- Re: [sidr] WG Last Call Request for draft-ietf-si… Sriram, Kotikalapudi
- Re: [sidr] WG Last Call Request for draft-ietf-si… Geoff Huston
- Re: [sidr] WG Last Call Request for draft-ietf-si… Richard L. Barnes