IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

"Lubashev, Igor" <ilubashe@akamai.com> Tue, 28 March 2023 19:46 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D11AC15152F; Tue, 28 Mar 2023 12:46:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.785
X-Spam-Level:
X-Spam-Status: No, score=-2.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Io0Ph-Q6nvX; Tue, 28 Mar 2023 12:46:24 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8B98C151B3B; Tue, 28 Mar 2023 12:46:23 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.17.1.19/8.17.1.19) with ESMTP id 32SJEMwd021487; Tue, 28 Mar 2023 20:46:08 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=TchtO6vR/wPFJ1wWqAyBLVF+B0WLknrskdudUAyHLs8=; b=Fht6tsQ5s99xMK6mA0/xTntCrhQVexIErAGDsz/AWATYkhrLnEr7MhpBKhx73niD2tWo DLF8yZmUDXTZw03GY0afVwtQHCBVFOAXCdSOzW1hABvT/oZ7p6WRYKjkZv854iMiRmdc 38YNxpjCWtt25G2N0z7n+BdKajqrQ/NUYq5deUWzC4MNjqc3+/gy9Qhgip/eNeBFEDR1 +xhIkJPdY/gMiqtj5NG8PNwftIS+IZB/fmcBrGYQEIox/gr3lWtMMH6QZ7+GbbwQFKJj PavtXHBjcuvXEHmFsYib8V5JzVCso3+IQw4I+Aw4zeF8Owwd0PZzfWAMLfv4ngIASA8w 2g==
Received: from prod-mail-ppoint8 (a72-247-45-34.deploy.static.akamaitechnologies.com [72.247.45.34] (may be forged)) by m0050096.ppops.net-00190b01. (PPS) with ESMTPS id 3pht8h7src-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Mar 2023 20:46:07 +0100
Received: from pps.filterd (prod-mail-ppoint8.akamai.com [127.0.0.1]) by prod-mail-ppoint8.akamai.com (8.17.1.19/8.17.1.19) with ESMTP id 32SITwrw004680; Tue, 28 Mar 2023 15:46:06 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.205]) by prod-mail-ppoint8.akamai.com (PPS) with ESMTPS id 3phv9yn4sa-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Mar 2023 15:46:04 -0400
Received: from ustx2ex-dag4mb3.msg.corp.akamai.com (172.27.50.202) by ustx2ex-dag4mb6.msg.corp.akamai.com (172.27.50.205) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.21; Tue, 28 Mar 2023 12:46:04 -0700
Received: from ustx2ex-dag4mb3.msg.corp.akamai.com ([172.27.50.202]) by ustx2ex-dag4mb3.msg.corp.akamai.com ([172.27.50.202]) with mapi id 15.02.1118.021; Tue, 28 Mar 2023 12:46:04 -0700
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>, Claudio Jeker <cjeker@diehard.n-r-g.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>, "draft-ietf-sidrops-aspa-profile@ietf.org" <draft-ietf-sidrops-aspa-profile@ietf.org>
Thread-Topic: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
Thread-Index: AQHZUV5vNJLZt5LW/keL30gQG63u3q78M0KAgAu/3gCAB0JdAIAA/GCAgAAE8wCAAHSisA==
Date: Tue, 28 Mar 2023 19:46:04 +0000
Message-ID: <ed0146b09da346b2b48cb9701240926c@akamai.com>
References: <SA1PR09MB814241245D01E81BADE3ED0884CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <31FDE1E9-3E87-4011-B65B-C6B3A264303F@vigilsec.com> <SA1PR09MB81427B4A1B126A5D1C1E289C84CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142E41F2D6B537BCAA758F384CC9@SA1PR09MB8142.namprd09.prod.outlook.com> <CAL9jLaYz3OhcwBBcVMqnUseBR9J1ZyktcJo5YLeefQHMoYJu+A@mail.gmail.com> <CAL9jLaZ7eDc+zbhapS8dTYQKnTfgLd=MOPYw97-qcJ4eP6S6Mg@mail.gmail.com> <CAL9jLaYJ4ODfumG9Yk3-yv=_TaTSUeD++U4sGy7S-0xWcGBQPw@mail.gmail.com> <ZBGqSVL9sSqnAiJc@diehard.n-r-g.com> <SA1PR09MB8142E9F71F250B83062C724884869@SA1PR09MB8142.namprd09.prod.outlook.com> <ZCGcYHJ9PyrjgR+V@diehard.n-r-g.com> <SA1PR09MB8142EA7F33880679E9B509D384889@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB81426E1BB66D6DF31860F26984889@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB81426E1BB66D6DF31860F26984889@SA1PR09MB8142.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-originating-ip: [172.27.164.43]
Content-Type: multipart/alternative; boundary="_000_ed0146b09da346b2b48cb9701240926cakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-24_11,2023-03-28_02,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 suspectscore=0 adultscore=0 phishscore=0 spamscore=0 mlxlogscore=999 bulkscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000 definitions=main-2303280149
X-Proofpoint-ORIG-GUID: gd6IhZ38wXQF0X5tK5wdrKvpzbosQxJw
X-Proofpoint-GUID: gd6IhZ38wXQF0X5tK5wdrKvpzbosQxJw
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-24_11,2023-03-28_02,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 clxscore=1011 suspectscore=0 adultscore=0 phishscore=0 lowpriorityscore=0 mlxlogscore=999 mlxscore=0 spamscore=0 impostorscore=0 priorityscore=1501 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000 definitions=main-2303280151
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/8nnNkfKpnw7S2TmVDGbWmcWDaPc>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 19:46:29 -0000

Sriram, thank you for updating the draft and getting into additional details of what leaks and hijacks can be mitigated during partial ASPA deployment.



I have a few questions about the new Section 8 "mitigation properties".



> 2.  Again let AS A and AS B be any two ASes in the Internet doing

                      ASPA (generation and verification) and no assumption is made

                      about the deployment status of other ASes.  Consider a route

                      received at AS B from its customer or lateral peer that is a

                      forged-origin prefix hijack [RFC9319] involving AS A as the

                      forged-origin.  The ASPA-based path verification at AS B always

                      detects such a forged-origin prefix hijack.



See the diagram below. Suppose AS B receives AS_PATH [C, P, A] from AS C, where A is a forged origin, AS P is A's provider in ASPA, and AS C is B's customer.  AS P did not deploy ASPA.  How would AS B detect this hijack of A by C?



 Z

/ \

B   P

|   |

C   A





> 3.  Consider an ASPA island (i.e., a connected set of ASPA capable

                      ASes).  Let AS A and AS B be any two ASes in the ASPA island.

                      Consider a route propagated from AS A in any direction (i.e., to

                      a neighbor AS with any of the BGP roles described in Section 2)

                      and leaked by an offending AS in the AS path before being

                      received at AS B from any direction.  The ASPA-based path

                      verification at AS B always detects such a route leak though it

                       may not be able to identify the AS that originated the leak.



Does it mean that the BGP advertisement is only forwarded within the "island"?  If so, AS B should be able to identify the AS that leaked the route, no?

But if forwarding is allowed outside of the island, AS B will not always be able to detect a route leaked outside of the island. In the diagram below, AS A originates a route to its Provider AS P (outside of the island), which forwards it to its other customer AS L, which leaks it to its other provider AS C, which is a provider for AS B (in the island). Since there are no ASPA Objects for ASes P, L, and C, AS B cannot tell whether AS L is a common customer or a common provider for ASes P and C.

 P  C

/\ / /

A  L /

\  / <- [C,L,P,A]

  B



Many thanks,



  *   Igor



On Tuesday, March 28, 2023 1:00 AM Sriram, Kotikalapudi wrote:

> All: I just uploaded a revised draft version -13. All comments received in this

> thread have been carefully considered and changes incorporated as

> necessary.

>

> Version-13:

> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmztRzrJQ$>

> sidrops-aspa-verification/__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmztRzrJQ$>

> Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmzt<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmztRzrJQ$>

> RzrJQ$<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmztRzrJQ$>

>

> Diff:  https://urldefense.com/v3/__https://author-<https://urldefense.com/v3/__https:/author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-12&url2=draft-ietf-sidrops-aspa-verification-13&difftype=--html__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmBhBlIJw$>

> tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-12&url2=draft-<https://urldefense.com/v3/__https:/author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-12&url2=draft-ietf-sidrops-aspa-verification-13&difftype=--html__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmBhBlIJw$>

> ietf-sidrops-aspa-verification-13&difftype=--<https://urldefense.com/v3/__https:/author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-12&url2=draft-ietf-sidrops-aspa-verification-13&difftype=--html__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmBhBlIJw$>

> html__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-<https://urldefense.com/v3/__https:/author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-12&url2=draft-ietf-sidrops-aspa-verification-13&difftype=--html__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmBhBlIJw$>

> Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmB<https://urldefense.com/v3/__https:/author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-12&url2=draft-ietf-sidrops-aspa-verification-13&difftype=--html__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmBhBlIJw$>

> hBlIJw$<https://urldefense.com/v3/__https:/author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-verification-12&url2=draft-ietf-sidrops-aspa-verification-13&difftype=--html__;!!GjvTz_vk!U_j82WLWnhnUdVaT4XZWfNqw-Uo4irI7hxtEzFM5aoYEXCr25uZZVTVb0k0PYsXELy2ZuBB9erosN5dagDRzoGmBhBlIJw$>

>

> Hi Claudio: I went with many of your suggestions below and earlier. It is easy

> enough to assume a single VAP-SPAS table even in the description in this

> doc. You should like what I did in the revised Sections 3, 4, and 5.

>

> Igor: I addressed your discomfort with the earlier rosier description of the

> merits of ASPA verification in Section 8. I now systematically describe the key

> properties (mitigation capabilities) in Sec. 8 and the limitations are stated in

> Section 12. Hopefully, you'll find it accurate and more insightful.

>

> Tim, Job, Martin, and others: Your comments/discussions relating to Sections

> 3 and 4 carefully considered and folded in.

>

> Amir, Nan:  The changes promised are included.

>

> Amreesh, Aftab, Yangyang: Please review the diff. You should find your

> comments addressed as well.

>

> All: Please let me know if missed anything important.

>

> Thanks to all who have kindly devoted time to reading and giving feedback.

>

> Sriram

v2.23.0 | Report a Bug | By Email