Re: [sidr] Route Leaks and BGP Security

Christopher Morrow <> Tue, 22 November 2011 02:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3538121F8AC3 for <>; Mon, 21 Nov 2011 18:47:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.258
X-Spam-Status: No, score=-103.258 tagged_above=-999 required=5 tests=[AWL=-0.259, BAYES_00=-2.599, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Xk5yTTH2v0xL for <>; Mon, 21 Nov 2011 18:47:29 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 3298321F8ABD for <>; Mon, 21 Nov 2011 18:47:29 -0800 (PST)
Received: by ggnp4 with SMTP id p4so775379ggn.31 for <>; Mon, 21 Nov 2011 18:47:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=PSQpT879iJ5YK+WfBNLfHE+7pC8lkz8wpO81zhSjGHA=; b=OjkH6BxwpPctCInTMXGRgLm9l/SZf/hWea4CpBsr70xx/vYYDqDy7d+AfwaTf6F8lM vKLx5h9yorvPo1EGWA+7lCjd9ySVDIaWKUdU57VyfCxf6agbGhy+OgQx1gOP0EN6rJcY fsY9k0ZvLQLe2dgbYmCswYK6AcFHVJ2Xck+8E=
MIME-Version: 1.0
Received: by with SMTP id i10mr34022575pbp.60.1321930048344; Mon, 21 Nov 2011 18:47:28 -0800 (PST)
Received: by with HTTP; Mon, 21 Nov 2011 18:47:28 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <>
Date: Mon, 21 Nov 2011 21:47:28 -0500
X-Google-Sender-Auth: Xjein1lHREYU6k3a4nJaMUWdAVc
Message-ID: <>
From: Christopher Morrow <>
To: Shane Amante <>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <>
Subject: Re: [sidr] Route Leaks and BGP Security
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 22 Nov 2011 02:47:30 -0000

On Mon, Nov 21, 2011 at 6:08 PM, Shane Amante <> wrote:
> Hi Chris,


> On Nov 20, 2011, at 10:35 PM, Christopher Morrow wrote:
>> On Wed, Nov 16, 2011 at 11:23 PM, Danny McPherson <> wrote:
>>> Team,
>>> I've updated this draft based on some feedback received already.  Given
>>> the discussion at the WG session, and the list discussion as of late, I'd like
>>> to ask that it become a WG item and used to inform the BGP Threat Model
>>> document -- particularly with regards to what's an acceptable residual risk and
>>> what is not.  Once that's comprehensive it can be used to inform secure routing
>>> requirements documents in the working group, and then we can begin assessing
>>> the feasibility of reducing various risks.
>> "The authors believe the capability to prevent leaks should be a
>> first-order engineering objective in any secure routing architecture."
>> So, in the simple scenario laid out, the customer is filtered by the
>> isp's, no? and the filter data is built with something like:  take irr
>> data, meld with rpki data, create filter-lists.
>> The rpki data gives the isps an ability to filter the customer
>> announcements, which would stop the leaks. Is the thing you really
>> want to outline in a draft the process to link the
>> resource-certification data with the existing IRR data and create
>> better prefix/as-path filters?
> As the -01 draft states:
> ---snip---
>  Discussion of out of band methods to mitigate this attack are beyond
>  the scope of this document, as it's objective is to inform routing
>  protocol design choices currently being considered within the IETF's
>  SIDR Working Group.
> ---snip---

yea, that's cheating :)

>> I think one item that was asked for on the list (or perhaps in the
>> meeting) was: How can you know a route you see is a leak?
>> Taken another way, in the case of your example:
>> victim - isp2 - attacker - isp1
>> how is the victim to know that this path isn't proper?
>> what in the update says that?
> That's the point.  :-)  At present, nothing being "secured" in the UPDATE, (specifically AS_PATH wrt BGPSec), will tell you that the UPDATE was sent through a legitimate control-plane path vs. an illegitimate control-plane path.


> In today's networks, the means to control the propagation of a particular BGP route are through configuration of 'policy' locally on routers, (ASBR's/PE's), that look for a combination of /one or more/ _BGP_attributes_ in the BGP route itself to limit its propagation.  As one specific example, an operator of an AS typically configures their ingress ASBR's to assign a specific standard BGP community that says something like:
> - this is a customer route;
> - this is a peer route
> (I would note that these BGP standard communities are 'local' to and only have meaning within the operator of their particular AS.  An operator should NOT or would NOT "trust" third-parties, e.g.: their customers or peers, to set and send these communities to them for lots of obvious reasons).

ok, so if we step forward and ask for 'give me an attribute to
indicate customer/peer/other', would we then trust that? it'd be
(presumably) set per as-hop, is that anymore trustworthy than the
communities supposed above?

(I'd also ask what the rules are for setting this sort of thing, but I
don't think that matters since we can't really trust the value in it)

> When a BGP route travels to that operator's egress ASBR's, the egress ASBR then has a locally configured policy that looks for the locally significant BGP community string that says: "this is a customer route", in which case the route is sent out of both peer & customer eBGP sessions.  OTOH, if the eBGP policy at the egress ASBR determines, based on the locally significant BGP community string assigned to a BGP route, "this is a peer route", the action in that locally configured policy at peer eBGP sessions is to drop (not announce outbound) that particular UPDATE; whereas, the action at customer eBGP sessions is to announce that UPDATE outbound.
> Locally significant BGP communities + locally configured policy are just one method that could be used, but likely the most widely used.  Depending on the size of one's network other BGP Attributes + locally configured policy may be used.
>> is there other data that could be used (outside of bgp) to tell the
>> victim that the path is improper?
> IMHO, and as I think Russ has pointed out, BGP was only (?) designed to express reachability, not to carry or forward _policy_.  At present, nothing in the BGP protocol disseminates _policy_[1].  Instead, policy to control propagation of BGP routing information is only known to routers via out-of-band configuration (through CLI or NETCONF), either manually or through automated methods.

yup, I don't think we're going to get to the fully publicly exposed
policy world though... are we? (we can't, I think, expect everyone to
expose that sort of thing, never mind keep it updated)

> -shane
> [1] The only minor exception I can think of to this is the well-known NO_EXPORT or NO_ADVERTISE BGP communities.  However, those have an extremely limited scope -- specifically, both communities are only exchanged between _directly_ connected adjacent ASN's.  I would add that since BGPSec does not make any attempt to sign the BGP community Attribute, it follows that even in this most limited case BGPSec is not able to certify

During the design team discussions of what parts of bgp to sign, the
decision was made not to cover communities and other attributes
since.. which community means what? which are important? which aren't?
can one AS set 701:666 and send that along to 701? what about 70:112?
(as rob austein said: "What are the security semantics of a
community?") Also, what about (as danny pointed out a few meetings
ago) the networks that strip all communities on ingress so routes with
all relevant attributes equal but different community sets don't cause
extra headache/etc.

> (authenticate?) that a given BGP route *should* or *should not* be propagated to AS'es 2+ hops away.  What if one stripped the NO_EXPORT or NO_ADVERTISE community off and re-announced that BGP route -- is that not considered a MiTM attack, just as bad (or, worse?) as fraudulently inserting one's self into the AS_PATH?

yup... no-export/advertise were taken as 'advisory' communities that
networks MAY heed, but certainly weren't bound to do so.

So, back to the question:
"Given BGP as it is today, how do you know if a route is a leak or not?"

I suppose documenting: "One leak scenario is <see id name>" is a fine
thing, does it help to actually fix the problem though? I think what I
heard in the meeting and on the thread(s) here was: "Sure leaks are
important, there's not a way devised so far that distinguishes a
'leak' route from a 'normal' route, more than 1 as-hop from the
'source' of the leak.

In the id/draft:

   isp1   isp2 - me
       \     /

I can't tell at 'me' that the route I see is a 'leak', just that I see
an as-path that is isp1-as1-isp2.