IETF Logo Mail Archive

Re: [sidr] [Idr] Route Leaks and solutions

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Tue, 21 July 2015 16:57 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38D401ACD4E; Tue, 21 Jul 2015 09:57:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nDPTTg-WEeQL; Tue, 21 Jul 2015 09:57:02 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0761.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:761]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 980671ACD2B; Tue, 21 Jul 2015 09:57:02 -0700 (PDT)
Received: from SN1PR09MB0799.namprd09.prod.outlook.com (10.162.101.145) by SN1PR09MB0797.namprd09.prod.outlook.com (10.162.101.143) with Microsoft SMTP Server (TLS) id 15.1.219.17; Tue, 21 Jul 2015 16:56:45 +0000
Received: from SN1PR09MB0799.namprd09.prod.outlook.com ([10.162.101.145]) by SN1PR09MB0799.namprd09.prod.outlook.com ([10.162.101.145]) with mapi id 15.01.0219.018; Tue, 21 Jul 2015 16:56:45 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Christopher Morrow <morrowc.lists@gmail.com>
Thread-Topic: [Idr] Route Leaks and solutions
Thread-Index: AQHQst/YBwy3rwbYakKgtnDiHnHcZp3NZLUJgAAwLgCAACk92IAAEGcAgAWPDmCAESuXgIABuyOo
Date: Tue, 21 Jul 2015 16:56:45 +0000
Message-ID: <SN1PR09MB0799966A8DE3EC7397F993CF84840@SN1PR09MB0799.namprd09.prod.outlook.com>
References: <005901d0b283$ea07bd20$be173760$@ndzh.com> <m2fv52b1w1.wl%randy@psg.com> <CY1PR09MB07939BA36BB01C19AD9AC2A384930@CY1PR09MB0793.namprd09.prod.outlook.com> <CAL9jLab5LOfeSYGzt=ywAwkoJdbe4moXD2w5LsGF-L_Cju_TUw@mail.gmail.com> <CY1PR09MB0793E39F703D436A3E21805B84900@CY1PR09MB0793.namprd09.prod.outlook.com>, <CAL9jLaZP1kprSrRZCDif2_9NJnComdzJox9PThh0FqKSJ96bPw@mail.gmail.com>
In-Reply-To: <CAL9jLaZP1kprSrRZCDif2_9NJnComdzJox9PThh0FqKSJ96bPw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: psg.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:67c:370:160:21f3:a411:d0d1:8b05]
x-microsoft-exchange-diagnostics: 1; SN1PR09MB0797; 24:/77ZeFBfFegWrvDTxkEQXgJ+esN/Eim5SCvH8/8LU8qm3uyvsjOtMnuwQ1TQMZmlrs/mSsYiP4JKpMXSGsbwzwkRZHb40vuEHAY3ZLeHxXU=; 20:oyS4iah/bGn9eMJg7MegUyMQGwcsBrVVieZhftVFIUshSqhazKPP2AHdUF5OArKjivBB9O05F/WVABEvDe/tMQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SN1PR09MB0797;
sn1pr09mb0797: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <SN1PR09MB079737DBC763556EBDAFF09484840@SN1PR09MB0797.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:SN1PR09MB0797; BCL:0; PCL:0; RULEID:; SRVR:SN1PR09MB0797;
x-forefront-prvs: 0644578634
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(62966003)(87936001)(189998001)(77156002)(19580395003)(110136002)(106116001)(86362001)(5001960100002)(99286002)(92566002)(102836002)(2950100001)(2656002)(76576001)(77096005)(15975445007)(74316001)(5003600100002)(54356999)(40100003)(33656002)(76176999)(46102003)(50986999)(122556002)(5002640100001); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR09MB0797; H:SN1PR09MB0799.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jul 2015 16:56:45.8133 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR09MB0797
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/J3-5BXx4buSrUFHCvJ2MBpnMg-Y>
Cc: idr wg list <idr@ietf.org>, "sidr wg list (sidr@ietf.org)" <sidr@ietf.org>
Subject: Re: [sidr] [Idr] Route Leaks and solutions
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 16:57:05 -0000

>If the RLP bit is dependent upon ops folks getting the right
>config-bit set for each customer we would want that to be as much
>automated as possible so there would be the least chance for 'forgot
>to set the bit' or 'set bit incorrectly'.

Some sort of mapping of a prefix-route to eBGP neighbors to who it will be sent to, 
namely, customers, peers, providers, isn’t that done already in a routers currently?

>I'm worried that I can't tell reliably what the bit was 2 as-hops
>away, did they mean 'customer' ? or was that a mistake? Did someone
>change it mid-path to me? Did the implementation of their vendor gear
>change/set the wrong attribute value?

Initially, only the big ISPs have to get it right (setting the RLP bits). 
That itself would help reap the benefit substantially.
Basically, then one big ISP’s prefix-routes sent to its customer cannot make  
a U-turn (route leak) somewhere in its customer cone and be accepted by another big ISP,
even if the ASes in between are not doing it (or they make mistakes with their 
RLP bits) as long as they do not change any preceding ASs' RLP fields.    

>There seem to be a bunch of uncertainties with this, in my mind. I
>guess that with bgpsec signing this attribute at least 'joe really
>meant that jim was his customer', and you can't change the value on a
>bgpsec path.
>
>If we want that, I think having the attribute where it can get changed
>(not-bgpsec secured paths) is a real problem, or opens up some pretty
>large problems...

Like I said in my talk in GROW yesterday, without bgpsec (RLP bits secured), 
the 99% accidental leaks are detected/mitigated but not the 1% malicious.  
With bgpsec (RLP bits secured), the 1% malicious are also detected/mitigated.  
See slide 5:
https://www.ietf.org/proceedings/93/slides/slides-93-grow-4.pdf 

Prior to bgpsec protection, there are two types of attacks that
are possible on unprotected RLP bits:

1. Upgrade attack (RLP = 01 is altered to RLP = 00) to avoid route-leak detection. 
That falls in the 1% malicious category (undetected) but no other 
more egregious damage occurs as a result of this upgrade attack.
See more discussion of this in Section 5.1. of the draft:
https://www.ietf.org/id/draft-sriram-idr-route-leak-detection-mitigation-01.txt 

2. Downgrade attack: (RLP = 00 is altered to RLP = 01) 
This does not matter in the 'down' direction because RLP =01 
always allows propagation of the prefix-route in 'down' direction.
So this attack (RLP = 00 --> RLP = 01) matters only when update propagates 
in the up or lateral peer direction.
That would only mean that an alternate update that is not labeled a route leak 
would be preferred by the (provider or peer) over this one.
And if there is no alternate update, then for reachability,
the only prefix-route that seems like a leak might still be accepted.
But this is left up to operator policy.       

Sriram

v2.23.0 | Report a Bug | By Email