IETF Logo Mail Archive

Re: [sidr] Route Leaks and BGP Security

Christopher Morrow <morrowc.lists@gmail.com> Tue, 22 November 2011 06:09 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF5BF21F8C63 for <sidr@ietfa.amsl.com>; Mon, 21 Nov 2011 22:09:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.552
X-Spam-Level:
X-Spam-Status: No, score=-103.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SK2RvMfDEvZG for <sidr@ietfa.amsl.com>; Mon, 21 Nov 2011 22:09:48 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9275521F8C5B for <sidr@ietf.org>; Mon, 21 Nov 2011 22:09:48 -0800 (PST)
Received: by iaeo4 with SMTP id o4so9944734iae.31 for <sidr@ietf.org>; Mon, 21 Nov 2011 22:09:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=p7GukmY2c10ZjTkMoyZnCVqqugHc2km7Sqk/8C+tU9Q=; b=mO6ai721U9RyTcmoblOhNaEoBYKHpOkzusFGJaZwt87RnLv5w2zvPzRxvfmr2uJOxu kUvRi+Tn3tqE0iJAQv5J99lbCnQNXx0ZmWE+r7dWrFT597r9t8Z4wT8p1fxTFUlN1Jom NwJ7dhn5KvZhbz0kTEvSutvgOBsWxfuT+wang=
MIME-Version: 1.0
Received: by 10.50.88.199 with SMTP id bi7mr17852334igb.45.1321942188020; Mon, 21 Nov 2011 22:09:48 -0800 (PST)
Sender: christopher.morrow@gmail.com
Received: by 10.231.207.78 with HTTP; Mon, 21 Nov 2011 22:09:17 -0800 (PST)
In-Reply-To: <C629001C-E424-4484-8081-6A4542CB120F@terrym.net>
References: <20111117040124.18551.47190.idtracker@ietfa.amsl.com> <0863194F-7564-40A9-BB73-ABF8BB97C3AB@tcb.net> <CAL9jLaZvCe2U6Y=BbZxsfF+BDOqQuV18Ac6N_6Fxxc=Cpms1jg@mail.gmail.com> <7D344AD5-B101-4BC1-8522-2259DB9853E4@castlepoint.net> <CAL9jLaY9rNCuLqozgbD7r03U8ZHB_n6MLmFrpVziPM2NNAuqnw@mail.gmail.com> <C054161F-43D5-4292-8A0F-7B386C76BABF@terrym.net> <CAL9jLaYNWge-tEo9XQeLqgOid72C2osdTHZdEZJzRHD8+M-Gnw@mail.gmail.com> <C629001C-E424-4484-8081-6A4542CB120F@terrym.net>
Date: Tue, 22 Nov 2011 01:09:17 -0500
X-Google-Sender-Auth: sNyHu4TW2wwaQSfk9Jaqz77vuSg
Message-ID: <CAL9jLaaUzm1rM5YVj+QHZDzQ2JUjO19WbiaxmjmWStDfA5-_Gg@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Terry Manderson <terry@terrym.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Route Leaks and BGP Security
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2011 06:09:49 -0000

On Tue, Nov 22, 2011 at 12:52 AM, Terry Manderson <terry@terrym.net> wrote:
>
> On 22/11/2011, at 3:13 PM, Christopher Morrow wrote:
>
>>
>> 'if it is intended' ... means:
>>  a) "is intended to be seen at the vantage point it was observed at"
>> (3 as-hops away)
>>  b) "with the as-path it shows up with" (isp1 - as1 - isp2 - me)
>>  c) something else?
>>
>> it's not clear what you meant, I'll assume b though...
>>
>
> to be specific, "it was intended to be seen at the vantage point it was observed at, and in the form presented".
>
> So something showing up 3 hops away might be fine provided the 3 hops are intended to be isp1 - as1 - isp2.

ok

>>
>> err, this didn't parse for me :(
>> You mean you don't see the possibility of adding a transitive
>> attribute to BGP, which some AS adds to a path (and signs into the
>> announcement, so it has to be kept along the path) and is replicated
>> with each as-hop?
>>
>
> yes. (and sorry for being terse)
>
>
>> Something like:
>>  isp1      -      as1      -      isp2     -   me
>>   out:is-cust  in:is-transit out:is-transit in:is-cust  out:is-cust
>> in:is-transit
>>
>> So, isp1 signs toward as1 "is-customer"
>>      as1 signs from isp1 "is-transit"
>>
>>      as1 signs to isp2 "is-transit"
>>      isp2 signs from as1 "is-customer"
>>
>
> the problem is that as1 can validly say "i don't do BGPSEC, but i'm still a valid on path actor" and you have to trust that at face value even though as1 is maleficent. You need isp1 to say that isp1 & as1 have a valid transit arrangement.
>

right, if the attribute isn't signed (or maybe it flat doesn't exist
without signage?) then ... we are where we are today.
Once you cross out of signage, you are lost (under the bgpsec rules as
written at least).

>>      isp2 signs to me "is-customer"
>>      me signs from isp2 "is-transit"
>>
>> Given that you'd have to configure (I suspect) each peering as
>> 'peering' or 'transit' or 'customer' ...I don't see this flying
>> either. :( I also don't see how to compute this on the local-router
>> level either, given the information in the session, without an
>> operator having to designate "this is a X" :(
>>
>
> right.
>
>>>
>>> History tells us we are (for the most part) inept at doing so, even with tools available.
>>
>> I had thought that RIPE had this licked in their region, no? they have
>> policy-foo encoded in RPSL-stuff in the DB no? Is that NOT working for
>> the cases in region?
>>
>
> Probably they are the closest it gets, but a line from the ENISA paper sticks with me:
>
> "Unfortunately, the quality of the IRRs varies, which makes it difficult to rely on them"
>

yup... well is that for RPSL/Policy-foo? or just for registration in general?
For instance, ALT-DB blows as a source for as701 data... RADB has some
for AS701...
Neither has RPSL-Policy-Foo for AS701 :( ('accepts all routes from
<list-o-customer-asns> && sends-all-routes to
<everyone-except-SFP-peers>')

I got the impression that the culture in ripe-region essentially was
that: "Everyone autogens filters from RIPE-IRR, so ... get that right
or your internet is very small."

>
>>> But what we do know is that when policy is implemented, the results are transparent and can be seen
>>> (ris, routeviews, et al) by anyone who cares to look.
>>>
>>
>> sure... but the data isn't exactly always 'accurate' there, and it's
>> not accessible to the 'user' (router in the field) really, and I think
>> the data includes lots of helter-skelter cruft that's not very helpful
>> for this case :(
>
> I was simply using it to demonstrate that since transit routing relationships end up in the RIS and routeviews as observable artefacts (cruft included), advertising who you have a transit relationship in something like the AAO isn't making any huge declarations of "I peer with company X" that can't be found by other investigations.
>

Could be, I do know that Randy's had some study time to show that even
though people say: "Transit free" they aren't always as free as they'd
like everyone to think. This wasn't (as I recall) observable from
routeviews/ris data though :(

Also, just using ris/routeviews as a starting point I was thinking:
"Could you watch history and build a list of common adjacencies, or
adjacencies you never expect to see?" I couldn't get to a reliable
enough answer though :( (I didn't do any math though... or in-depth
research, I fell back on 'well cyclops/et-al can't seem to be reliable
100% of the time, so...')

It's fair to say that SOME transit routing relationships show up in
RV/RIS, but not all do, and the vantage points are not 'all tier-1 and
down', they are often 'tier-77 networks view of the world!' (with
paths selected such that their Level3 transit is hidden for 'most' of
the intertubes, is that because they only bought 3356-customer routes?
or??

it's messy :(

> Although in hindsight the AAO might not be fine grained enough. In some cases an autonomous system may want to optionally list a set of prefixes that are subject to a transit/peer relationship with an adjacent AS.. (and of course, in some cases not)
>

sure, the really weird relationships are ... weird. Also, very hard to
quantify :(
just dealing with the 'normal' cases seems to be weird though :(

>>
>> oh, I think danny's draft has a link between isp1/isp2 :(
>> you probably meant here: "ISP1 and ISP2 directly connect, the path via
>> AS1 is invalid/improper/a-leak" right?
>
> That was my understanding.
>

err, then a corrected ascii-art is:

  isp1 --- isp2 - me
      \     /
       as1

apologies for the mistake previously :(

-chris

>>>
>>>
>>> The killer problem here is that partial deployments will create path islands, where only a number of the ASN hops have created AAO objects and thus a path validity exercise will still fall into a potential leak trap until all ASNs get there. The question then could then be, "is it o.k. for the answer to route leaks to be near unusable until we have a significant deployment"
>>>
>>
>> note sure, is that time also when we'd have full
>> resource-certification and the tools mostly available to just filter
>> people reliably/properly/everywhere? ('everywhere' for some value of
>> all-customers-of-all-isps, and maybe including
>> settlement-free-interconnects as well?)
>>
>
> That I don't know - crystal ball cracked when I tried to beat this year's NHL results out of it.
>
> T.
>
>

v2.23.0 | Report a Bug | By Email