Re: [Sidrops] [GROW] Different path validation options

Brian Dickson <> Tue, 09 July 2019 17:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 30EDC1207CF; Tue, 9 Jul 2019 10:08:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.602
X-Spam-Status: No, score=-0.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vDRQcbRguAep; Tue, 9 Jul 2019 10:08:31 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::936]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AAABD1207C2; Tue, 9 Jul 2019 10:08:31 -0700 (PDT)
Received: by with SMTP id 34so6689496uar.8; Tue, 09 Jul 2019 10:08:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oirdonexy3KunBxTMFImz0bvkb6w5dePIxU2VBxA9W0=; b=htIiimazb8Nib9x5bZFztjZYQEsrZPZNwcODRch9eH5b3x5qAwUNP0OWYa6ZDvAN+4 BT0AS6sgBlJ5NrAff974StCdHB5xtnYUukWL8nybxUgWJdI4WZn39YT5jLpytWSFznaq rqjtK5bInqJN8HawgdJzUwbmg32uvADbtDNNKQyhfjK2h/T1wnSQEuH2cM8EaUbDHUxH LmbVHYuwCIkiIWqVWkFYo12w+4NnzZIDy0p0NpPwrgIPI3EWragxhibmt1kBZZ9Ca0/+ oJe7xt3dUx4YPdZnXMbS9C3hAswYRJBrTLD8GFeycAgnob98j/UweutNxZzW7FMUXbjp snMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oirdonexy3KunBxTMFImz0bvkb6w5dePIxU2VBxA9W0=; b=aRuEGsiefKddegp+8icmQXsDNDnu9TANSJxJQBuQA+Slibk6PfamuyIafqFKfLR3oq XDkbJDhs6UMCP4Sj/lIk7HVuJ+nR7wIf+y7P9K8YxE00jQsnovipK3g0DDsuzp/BaHlc 0NKZnBuLzQ7qsI6KsMRcCzolFAHfKXJdjFiU2E28XIuahf4loOgUvks962CwdJz2zCyc 6zYkFEXB5mv4mambH6O8Q6ImGG9zy5L/dZFRr786eAkmqyTm9+WKfSkq/0fK26S6szHA rME1Hh0fI8ZfW1Y4aK4vFUPyEy96IuMZ83ohbX96e3ZKwz7ADvhI8z7EL8cNgv6OmsKZ lLFQ==
X-Gm-Message-State: APjAAAWnFxk3pFvJlZCvfige56bQ7K4JkRboWOyzyKbhrMVWPj3PkkZA pqnsBZ8dBiU9+YzLcwZT+xm3tEzypMJ6vFQ7p2o=
X-Google-Smtp-Source: APXvYqyGNNetVyuYwzYzaLmXkdwe50l7yUD5NNUvOcPLggEFXivmYlGCvhtdQZN+vqCBPJEWNtEshVAgD0wkMFbV4KI=
X-Received: by 2002:ab0:6390:: with SMTP id y16mr5552571uao.62.1562692110507; Tue, 09 Jul 2019 10:08:30 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Brian Dickson <>
Date: Tue, 9 Jul 2019 10:08:19 -0700
Message-ID: <>
To: Iljitsch van Beijnum <>
Content-Type: multipart/alternative; boundary="00000000000023e34e058d429c07"
Archived-At: <>
Subject: Re: [Sidrops] [GROW] Different path validation options
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 09 Jul 2019 17:08:34 -0000

Minor clarifications/comments inline about LDM.

On Tue, Jul 9, 2019 at 8:15 AM Iljitsch van Beijnum <iljitsch=> wrote:

> There are now four drafts about AS path validation to remedy routing leaks
> that I'm aware of:
> LDM: draft-ietf-grow-route-leak-detection-mitigation
> ASPA: draft-ietf-sidrops-aspa-verification
> ASCones: draft-ietf-grow-rpki-as-cones
> PathRPKI: draft-van-beijnum-sidrops-pathrpki
> The TL;DR on the four:
> Add in-band information to BGP that signals that a peer-peer hop has been
> traversed to avoid having two peer-peer hops. The idea is to do this
> without new code, at first at least. As the checks must thus be implemented
> with existing policy options, those will probably be easy to implement in
> code on the routers later.

LDM marks prefixes in-band, on peer-to-peer AND on transit-to-customer
(assuming at least one party is doing LDM.)
LDM checks prefixes in-band upon receipt, on peer-to-peer AND on
customer-to-transit (assuming recipient is doing LDM.)

This prevents all of the major leak paths:

The marking is propagated if large communities are being sent, so even if
intermediate networks involved don't mark or check, the leakage is still
detectable under many scenarios.

> Register customer-to-provider (C2P) relationships with extensions to RPKI.
> Based on this, check the upstream and downstream parts of the AS path,
> making sure there are no valleyfreeness violations and that if the customer
> in the relationship between two ASes has registered a set of provider ASes,
> the upstream AS is indeed one of the registered providers. If not, then the
> path is considered invalid.
> The hop between the upstream and downstream parts of the path may be an
> unregistered hop; peer relationships are not registered and in this part of
> the path any relationship is a valid one anyway. If there are additional
> unregistered relationships in the path, validation is not possible and the
> path is considered valid.
> ASCones
> Register provider-to-customer (P2C) relationships with extensions to RPKI.
> Recursively collect this information to resolve all ASes that may be
> visible behind a given AS. Then do a reverse lookup in the ROA database to
> obtain all the prefixes that are authorized to be advertised by these ASes
> and generate a prefix filter that can be applied to a BGP neighbor.
> Unclear what happens to prefixes that aren't included in the filter
> because of a missing AS-Cone (P2C record) or ROA.
> PathRPKI
> The RPKI ROA format is extended to include a set of authorized transit
> ASes in the upstream part of the path. Authorized ASes in the downstream
> part of the path are known through local configuration. For each prefix,
> the two halves of the path are combined into a list of ASes that may appear
> in the AS path.
> These paths are sent to routers using an extended version of the RPKI to
> router protocol. Routers mark a prefix as invalid if the origin AS doesn't
> match as usual, and if an extended list of ASes is present, if there are
> ASes in the BGP AS path that are not in the filter list (or appear in the
> wrong order).
> So let's compare.
> In-band vs out-of-band
> LDM is the only mechanism that works in-band. In-band is inherently less
> effective because the same issues that create a route leak in the first
> place may also send incorrect in-band information.

"send incorrect in-band information" is limited (in the latest draft) to
only "fails to send in-band information".
The only incorrect in-band information that would have any effect is if the
peer-peer marking uses the wrong ASN, at which point the recipient will
block the incoming announcements. I.e. it will treat that error as a leak.
Failure to mark, or failure to check, looks exactly the same as not
participating, and is no worse.

> Deployment
> LDM: although it was supposed to be easy to deploy, discussion has been
> going on for four years, and in my opinion, as per my earlier email about
> the draft, deployment issues haven't been solved at this time.

The finalized versions are being discussed among the authors and will be
discussed at the Montreal meeting. Modulo uptake by providers, I believe we
are crossing the threshold to actual deployment, at which point this is
entirely in the hands of the operators.
We can lead them to water, but cannot make them drink.

> ASPA, ASCone and PathRPKI all require changes in the RIR RPKI front- and
> backends and the RPKI relying party software implementations.
> ASPA: requires unspecified changes to the RPKI to router protocol to
> convey C2P records, and for routers to implement the validation logic.
> (Maybe this is not necessary, but this is my best guess at this time.) If
> so, that may take considerable time and subsequent updates to the filtering
> logic will be difficult because of the slow update cycle in routers. Lack
> of an "unknown" validation state with partial deployment may be problematic.
> ASCone: generating router filters to be included in configurations is easy
> to deploy, but very clumsy. Not clear how reusing the RPKI to router
> protocol would work. Unclear what partial deployment would look like.
> PathRPKI: changes to RPKI to router protocol necessary. However, the scope
> of these changes is small. Good partial deployment as each combination of
> origin AS and destination AS is immediately protected agains route leaks
> even if ASes in the middle don't implement PathRPKI.
> Who is involved
> LDM: transit ASes. Leaf ASes that don't peer have no actions.

Mostly correct; we are potentially adding the ability of Leaf ASes to mark
prefixes on ingress (identical to the marking that their transit ISPs would
have marked), allowing (but not requiring) leaf ASes to allow upstreams to
detect leaks that these same leaf ASes might have caused.

> ASPA: All ASes. Origin ASes and transit ASes that have transit ASes of
> their own register C2P records. All other ASes filter based on this, most
> notably ASes that peer.
> ASCone: Transit ASes register P2C records, ASes that peer filter based on
> this. Leaf ASes that don't peer have no actions.
> PathRPKI: origin AS registers authorized transit ASes. No specific actions
> for transit ASes. ASes in the downstream part of the path filter based on
> this.
> Security
> LDM: relatively low, as a malicious AS could modify the in-band
> information.

A malicious AS modifying the in-band information can only remove leak
marking, or add leak marking.
If they add leak marking, the only impact would be to block announcements
that would otherwise be accepted.

Removing leak marking would allow the malicious AS to leak, but potentially
be visible to third parties that are able to see the modification
(differentiate based on the ASN in the leak marking received on other
connections, vs AS path and absence of marking).
The latter would at least allow for non-repudiation (it would be
theoretically possible to identify the specific ASN).

Lack of protection on the AS-path is equally problematic WRT malicious ASes.


> ASCone: middle, as ASes can incorrectly claim a P2C relationship with no
> obvious recourse for the AS that is incorrectly labeled as a customer.
> ASPA: high, as only customers claim the customer-provider relationship.
> PathRPKI: a little higher, as the upstream part of the path is solely
> determined by the origin AS (however, at the cost of flexibility as transit
> relationship changes further upstream now require work by all the ASes
> downstream of the change)
> What now?
> There are some good ideas here, but it sure looks like we haven't figured
> out the best way to attack this problem. Publish four RFCs, throw them to
> the wall, see what sticks? Hopefully we can come up with a better process
> than that.
> Iljitsch
> _______________________________________________
> GROW mailing list