IETF Logo Mail Archive

Re: [sidr] origin attribute

Shane Amante <shane@castlepoint.net> Wed, 24 October 2012 16:54 UTC

Return-Path: <shane@castlepoint.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E99C421F86F8 for <sidr@ietfa.amsl.com>; Wed, 24 Oct 2012 09:54:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.375
X-Spam-Level:
X-Spam-Status: No, score=0.375 tagged_above=-999 required=5 tests=[AWL=-0.584, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, MIME_QP_LONG_LINE=1.396, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FqI3SGYUdLDG for <sidr@ietfa.amsl.com>; Wed, 24 Oct 2012 09:54:01 -0700 (PDT)
Received: from mail.friendswithtools.org (unknown [64.78.239.70]) by ietfa.amsl.com (Postfix) with ESMTP id ED62821F86D9 for <sidr@ietf.org>; Wed, 24 Oct 2012 09:54:00 -0700 (PDT)
Received: from dspam (unknown [127.0.0.1]) by mail.friendswithtools.org (Postfix) with SMTP id 6DB421CEA for <sidr@ietf.org>; Wed, 24 Oct 2012 16:53:59 +0000 (UTC)
Received: from [10.9.0.10] (web.hollyman.com [64.78.239.73]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.friendswithtools.org (Postfix) with ESMTPSA id 0466D1CA7; Wed, 24 Oct 2012 10:53:59 -0600 (MDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Shane Amante <shane@castlepoint.net>
In-Reply-To: <A64741BE-036C-4131-8459-8A6C665DB592@tcb.net>
Date: Wed, 24 Oct 2012 10:53:58 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <BDF858CE-D3E6-4CCC-B6A9-329601DEBB92@castlepoint.net>
References: <m2sj95nru4.wl%randy@psg.com>, <4B14E6F9-195C-4C1F-97E8-69ECE0F08041@juniper.net> <C0619671-4FA8-4B0C-9F78-D9836BE8B5FB@ericsson.com> <4EC7E1D2-1385-4BFC-89C6-CCF98B27D734@juniper.net> <2EBD8BE2-CFD3-4909-8BF9-9C2826A9BB1C@tcb.net> <FE9E6372-0F47-457F-B426-B314AB0241A0@castlepoint.net> <A64741BE-036C-4131-8459-8A6C665DB592@tcb.net>
To: Danny McPherson <danny@tcb.net>
X-Mailer: Apple Mail (2.1499)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Oct 24 10:53:59 2012
X-DSPAM-Confidence: 0.9899
X-DSPAM-Improbability: 1 in 9809 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 50881d27199633604875165
X-DSPAM-Factors: 27, to+#+the, 0.01000, Cc*sidr+#+#+#+ietf.org, 0.01000, the+#+code, 0.01000, 2012+at, 0.01000, 2012+at, 0.01000, at+#+#+PM, 0.01000, Cc*sidr+wg, 0.01000, Subject*Re+#+#+attribute, 0.01000, 23+2012, 0.01000, Subject*sidr+#+attribute, 0.01000, is+#+#+the, 0.01000, Cc*wg+#+sidr, 0.01000, PM+#+#+wrote, 0.01000, Cc*sidr+#+list, 0.01000, Cc*wg+list, 0.01000, to+#+#+to, 0.01000, in+the, 0.01000, in+the, 0.01000, Oct+#+#+at, 0.01000, Oct+#+#+at, 0.01000, On+#+23, 0.01000, need+to, 0.01000, Subject*origin+attribute, 0.01000, 2012+#+#+#+PM, 0.01000, Subject*Re+sidr, 0.01000, Subject*Re+#+origin, 0.01000, Cc*sidr+#+#+sidr, 0.01000
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] origin attribute
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2012 16:54:05 -0000

Danny,

On Oct 24, 2012, at 9:11 AM, Danny McPherson <danny@tcb.net> wrote:
> On Oct 23, 2012, at 6:03 PM, Shane Amante wrote:
> 
>> I suspect John is referring to the operational practice employed by some networks, right now, whereby they overwrite ORIGIN during receipt of an UPDATE into their network to 'normalize' ORIGIN to a consistent value.
> 
> Ironically, if "normalize[ing] ORIGIN to a consistent value" at an upstream AS results in a change to the ORIGIN code for a given path, you've _created INconsistent ORIGIN codes for the prefix in the routing system.  I suppose I understand why this might be desirable for a transit network provider, but as an edge AS I'd prefer to not have intermediate networks changing the values I set.

Fair enough.  In my defense :-), RFC 4271 does state that ORIGIN code "SHOULD NOT" be changed by any other speaker <http://tools.ietf.org/html/rfc4271#section-5.1.1>.  Fortunately, it doesn't say: "MUST NOT".  :-)

Perhaps a better question should be: is ORIGIN code still required, particularly from a BGP path selection perspective, in today's networks?  I would say "no".  (If you wanted to know the 'source' of a BGP route, there are already a plethora of BGP communities to help operators narrow this down ... but, this is more for convenience of troubleshooting, it doesn't need to be in path selection).

IOW, instead of "securing" ORIGIN, maybe folks should be looking at deprecating it?  IMO, this would have likely been a far more productive use of time than the deprecation of AS_SET's, (the latter of which I still maintain was a bad idea, done primarily for convenience w/out adequate consideration of it's _long-term_ usefulness).


>> This is especially valuable in cases where one network, A, is multi-homed to an adjacent network, B, and network A may not be announcing a consistent set of BGP path attributes associated with a set of IP prefixes at all locations.  Ultimately, this practice allows network B to consistently skip over ORIGIN and, instead, evaluate more well-understood BGP Path Selection criteria like MED's, IGP metric, etc.
>> across the full set of "common" BGP routes, (i.e.: those with the same AS_PATH, LOCAL_PREF, etc.), learned across all exit points to network B.
> 
> I'm pretty sure MEDs and "IGP metric" are far more ambiguous and broken in practice than ORIGIN code (e.g., [1]), especially when comparing across paths learned from different adjacent ASes.

FWIW, I wasn't actually referring to to MED or IGP metric comparison across different AS_PATHs, rather MED or IGP metric comparison across same AS_PATHs.

Regardless, your point is valid that comparison of MED's, even just across the same AS_PATH, is oftentimes fraught with operational headaches/brokenness.  However, in defense of MED's :-), I believe that the root cause problem here is, most likely, an inability (or, worse, unwillingness) for the network sending MED's to continually fine-tune not only the MED value(s), but at the same time (just as importantly) to __intelligently__, (i.e.: only when necessary), deaggregate [very] large prefixes in order that more relevant MED values can be targeted at those more specifics resulting in better 'signals' toward upstream networks.  Then again, we might agree to disagree on this.   :)


To the larger point of going back to actual requirements for this work, then why hasn't there been discussion in the requirements or threats documents about 'securing':
- ORIGIN
- NEXT_HOP: third-party NEXT_HOP at IXP's anyone?
  BTW, I would note that the above would be an extremely clever way to divert traffic through a bad guy's network that would be completely invisible within the AS_PATH, (but could show up in traceroutes).  w00t!
- MED's
- BGP communities: which are quite commonly used to manipulate an upstream's BGP path selection algorithm (i.e.: raise/lower LOCAL_PREF) and/or _scope_ the announcement toward adjacent ASN's/routers, (i.e.: no-export, no-advertise, being the two standards-based ones)?

... not even a mention of being "out-of-scope" and for what reason(s), even though draft-ietf-sidr-bgpsec-reqs-05 states: "As noted in the threat model, [I-D.ietf-sidr-bgpsec-threats], this work is limited to threats to the BGP protocol."  

Then again, there still isn't a serious acknowledgement that 'route leaks' are, in fact, a much more serious "threat to the BGP protocol", than manipulation of most of those BGP attributes even though the route-leaks problem has been crisply defined in 1.5 pages:
http://tools.ietf.org/html/draft-foo-sidr-simple-leak-attack-bgpsec-no-help-01
... with further elaboration in this and associated drafts:
http://tools.ietf.org/html/draft-dickson-sidr-route-leak-def-03

<sigh>

-shane



> -danny
> 
> 
> [1] <http://www.nanog.org/meetings/nanog29/abstracts.php?pt=Njk2Jm5hbm9nMjk=&nm=nanog29>

v2.23.0 | Report a Bug | By Email