IETF Logo Mail Archive

Re: [sidr] AD Review of sidr-origin-validation-signaling-09

Chris Morrow <morrowc@ops-netman.net> Wed, 30 November 2016 02:02 UTC

Return-Path: <morrowc@ops-netman.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDA891294B2; Tue, 29 Nov 2016 18:02:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.398
X-Spam-Level:
X-Spam-Status: No, score=-3.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MFIWc1GKUV_H; Tue, 29 Nov 2016 18:02:30 -0800 (PST)
Received: from relay.kvm02.ops-netman.net (relay.kvm02.ops-netman.net [IPv6:2606:700:e:550:5c82:28ff:fe25:4960]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05E43129466; Tue, 29 Nov 2016 18:02:29 -0800 (PST)
Received: from mail.ops-netman.net (mailserver.ops-netman.net [199.168.90.119]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by relay.kvm02.ops-netman.net (Postfix) with ESMTPS id 12B5F40A49; Wed, 30 Nov 2016 02:02:28 +0000 (UTC)
Received: from morrowc-glaptop4.roam.corp.google.com.ops-netman.net (static-96-241-182-39.washdc.fios.verizon.net [96.241.182.39]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.ops-netman.net (Postfix) with ESMTPSA id E42A710EECE83; Wed, 30 Nov 2016 02:02:27 +0000 (UTC)
Date: Tue, 29 Nov 2016 21:02:27 -0500
Message-ID: <yj9od1hdrah8.wl%morrowc@ops-netman.net>
From: Chris Morrow <morrowc@ops-netman.net>
To: "John G. Scudder" <jgs@juniper.net>
In-Reply-To: <917E9000-8F1F-4E4F-BDEC-767E3510A71A@juniper.net>
References: <88A45E79-880B-4F82-9FAA-80C05627A49F@cisco.com> <917E9000-8F1F-4E4F-BDEC-767E3510A71A@juniper.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.3 Mule/6.0 (HANACHIRUSATO)
Organization: Operations Network Management, Ltd.
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/kDkZf70QNazrxtzQTW9WcO81Qug>
Cc: "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "draft-ietf-sidr-origin-validation-signaling@ietf.org" <draft-ietf-sidr-origin-validation-signaling@ietf.org>, "Sandra L. Murphy" <sandy@tislabs.com>
Subject: Re: [sidr] AD Review of sidr-origin-validation-signaling-09
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 02:02:32 -0000

At Tue, 29 Nov 2016 20:23:55 -0500,
"John G. Scudder" <jgs@juniper.net> wrote:
> 
> On Nov 13, 2016, at 1:40 AM, Alvaro Retana (aretana)
> <aretana@cisco.com> wrote:
> > C1. The reference to rfc7607 should be Informative.
> 
> Done (in -10 candidate source).
>  
> > C2. [Major] Security Considerations.  I think that there is one
> > consideration that should be mentioned in this section: Given that
> > the largest value is preferred (2 = invalid), there is an attack
> > vector where a router in the path (yes, even an internal router) can
> > inject a community indicating that the route is invalid; the
> > communities are not protected.  This action could result in
> > inconsistent routing or in even a DoS.  I know the document is not
> > explicit about what to do with the validation state (which is ok),
> > but the clear intention (from rfc6811 and rfc7115) is that it will
> > be used to make routing decisions.  Please add some text about this
> > potential issue.
> 
> I started to write something about this and then realized I don't
> understand what you mean. At first I thought you were saying that an
> attacker that can forge an OV community can bias route
> selection. While this is true of course, it's also not unique to OV
> (Localpref has this property for example). It probably wouldn't be
> hard to write a sentence to summarize this, if necessary.
> 
> However, you specifically refer to the invalid state: "a router in the
> path ... can inject a community indicating that the route is
> invalid". This makes me think you think there's something special
> about "invalid", and I don't know what it is. You also say something
> about the sorting order, which I'm also not sure why that would
> matter.

I read this with the implicit: "Of course 'invalid == drop'."

So, if between an edge/core nodes you marked the edge -> core prefix
stream (mid-stream) with 'invalid' the core may discard all routes
seen and so marked.

This COULD move traffic away from a single edge node (or nodes) and
bias traffic across longer/other paths OR it could isolate folk behind
the edge node(s).

Of course, just wiping out the prefixes in flight and stitching back
together the tcp session... same effect.

-chris

v2.23.0 | Report a Bug | By Email