Re: [Sidrops] WGLC - draft-ietf-sidrops-validating-bgp-speaker - ENDS 09/07/2018 - Sept 7th 2018
Job Snijders <job@ntt.net> Wed, 22 August 2018 16:16 UTC
Return-Path: <job@instituut.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD5F012D7F8 for <sidrops@ietfa.amsl.com>; Wed, 22 Aug 2018 09:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nI0PyGpbvJbF for <sidrops@ietfa.amsl.com>; Wed, 22 Aug 2018 09:15:57 -0700 (PDT)
Received: from mail-ed1-f67.google.com (mail-ed1-f67.google.com [209.85.208.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E45B130DC5 for <sidrops@ietf.org>; Wed, 22 Aug 2018 09:15:54 -0700 (PDT)
Received: by mail-ed1-f67.google.com with SMTP id e19-v6so1737486edq.7 for <sidrops@ietf.org>; Wed, 22 Aug 2018 09:15:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=9nxseYw+el/HLzIC9ptTyZX6fb1TdKo65/EOZPR2Tp0=; b=EkbiuMY6r3ZGxPqNvPPTKkrEULVQ6trSpUxdw2VesM9zxX4hK5c/GW6qgEFK6ynCUE uIn6cdZNXib3KwJvSuZELbFXg9Xg5ebBFD3qhcpEGArVlPcmMntr6ZGtCYOGt+J20nfk ZE4A3hBTd0lWiSFxRMe53m+UGkJDlYJ3V1ob+9sxEUrE+7NqPrkSwurFJlCLBKflsdLr q/Mi+6JZhr7z8lgP2Mh05N6dfWTPKwO4zvSW793cQMdCP9Fr+LDlg4jfyZhDnHtdUbQd G7CowvHoljjhzdnO3mddL9+TJxm8vaZ9XnhrKIk7LRLkeuwRYtbF6FGvaZtYycgKlPgY TxBw==
X-Gm-Message-State: AOUpUlFgEw+7xab3lxYWHkB2zWcXLKOFA4anNNEBrl8RSteJX4fRCSuk HMRziAqUGMK/VruTrx27O0wIlg==
X-Google-Smtp-Source: AA+uWPwNub/aDpra+kGfIhV+NDuynczhaQdIxZ8rsmlqhK5W/M7IFmXjrfeN2f/8Uly639rDmDHdqQ==
X-Received: by 2002:a50:8f66:: with SMTP id 93-v6mr65511489edy.248.1534954552869; Wed, 22 Aug 2018 09:15:52 -0700 (PDT)
Received: from localhost (hanna.meerval.net. [192.147.168.57]) by smtp.gmail.com with ESMTPSA id u3-v6sm912820edo.44.2018.08.22.09.15.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Aug 2018 09:15:51 -0700 (PDT)
Date: Wed, 22 Aug 2018 18:15:49 +0200
From: Job Snijders <job@ntt.net>
To: Christopher Morrow <christopher.morrow@gmail.com>
Cc: sidrops@ietf.org, sidrops-chairs@ietf.org, sidrops-ads@ietf.org
Message-ID: <20180822161549.GA1021@hanna.meerval.net>
References: <CAL9jLaYqGt1+f3GaccNwjPOHxM34ifWDu5bhRx24PMYHpqV4XQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL9jLaYqGt1+f3GaccNwjPOHxM34ifWDu5bhRx24PMYHpqV4XQ@mail.gmail.com>
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/8v_FCFQjRSjvMBux3MPcyWwnpLo>
Subject: Re: [Sidrops] WGLC - draft-ietf-sidrops-validating-bgp-speaker - ENDS 09/07/2018 - Sept 7th 2018
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2018 16:16:02 -0000
On Wed, Aug 22, 2018 at 10:52:02AM -0400, Christopher Morrow wrote: > The authors of: draft-ietf-sidrops-validating-bgp-speaker are thinking > their draft is ready to move forward, there hasn't been significant > conversation about this document since the last meeting in Montreal... > so: > > Draft Abstract: > "This document defines a new BGP transitive extended community, as > well as its usage, to signal prefix origin validation results from an > RPKI Origin validating BGP speaker to other BGP peers. Upon > reception of prefix origin validation results, peers can use this > information in their local routing decision process." > > Can we read/think/discuss this for the next ~2wks and decide if it's > in shape for movement forward in the sausage factory which is the > IETF? :) I have reviewed the document (and also have reviewed draft-ietf-sidrops-route-server-rpki-light, and before that draft-ietf-sidr-route-server-rpki-light). I see a number of issues. In summary I'd rather see IETF focus its energy on promotion of "invalid == reject" at EBGP boundaries at both IXPs and ISPs rather than spend time on standardising this method. 1/ I think it is counter productive to propagate RPKI Invalid routes from one BGP domain to another BGP domain (aka across EBGP boundaries) under the premise "but we clearly labeled the route hijack with a transitive extended community!". The approach does nothing to dampen the negative effects of BGP hijacks or misconfigurations. 2/ Within the context of signaling within a single BGP domain there already is RFC 8097. I can't really see a justification to standardise the behavior and code-points described in draft-ietf-sidrops-validating-bgp-speaker. RFC 8097's design property so that the state communities cannot propagate outside the BGP domain are considered a characteristic of robustness and were a conscious decision as far as I understand. 3/ The first sentence of the document is opiniated and doesn't seen anchored in reality: "RPKI-based prefix origin validation [RFC6480] can be a significant operational burden for BGP peers to implement and adopt." Some anecdata: I have experience enabling RPKI origin validation in quite some ISPs and IXPs, and either the deployment is easy (thus draft-ietf-sidrops-validating-bgp-speaker is not needed), or the deployment is a burden by factors unrelated to what is described in draft-ietf-sidrops-validating-bgp-speaker. I've not encountered any situation where draft-ietf-sidrops-validating-bgp-speaker would make RPKI adoption any easier. 4/ Section 2 "EBGP Prefix Origin Validation Extended Community" describes new transitive extended communities, but not all BGP implementations support defining & matching arbitrary new extended communities. If the argument is that using new extended communities can help deploy origin validation on BGP speakers that don't have support for RFC 6810/8210; I don't believe that can be the case. By the time such implementations have been updated to support draft-ietf-sidrops-validating-bgp-speaker, chances are the platform will support actual Origin Validation and this kludge won't add value. 5/ As is well known in the operational community, "Simple Tagging" and "Prioritizing and Tagging" as described in section 3 do nothing for Internet's routing security posture. Fiddling with LOCAL_PREF is useless in the context of more-specific announcements. "Simply Tagging" is useless because the 'validating bgp speaker' is shifting the responsiblity of rejecting RPKI Invalid routes to the EBGP peer, who may or may not be able to act on this information. 6/ No explaination is offered why using locally significant BGP communities is not adequate. When locally significant communities are used, at least the operator of the 'validating bgp speaker' that is proapgating RPKI invalid routes knows the receipient took the effort to read and try to understand the implications of this insecure approach. The authors have already confirmed that they use locally significant communities today at their IXPs, and it appears this works fine. 7/ Section 7 'security considerations' is full of holes. The sentence "Therefore, a validating BGP speaker could be misused to spread malicious prefix origin validation results." should be rewritten to "Therefore, all BGP speakers can be misused to spread adversarial origin validation results. Peers have no method to reliably establish whether it was a validating BGP speaker that attached the EBGP Prefix Origin Validation Extended Community, or an adversery." 8/ Furthermore in section 7, it is stated: "AS operators SHOULD provide out-of-band means for peers to ensure that the ROA validation process has not been compromised or corrupted." but the document provides no guidance on how such an external ROA validation process can be used. There is no verifyable untainted end-to-end chain of custody. Amongst other issues related to CoC, BGP communities are not cryptographically signed or verifiable, so there is no way anyone, ever, can trust the validation results from a so called 'validating speaker'. 9/ The "While being under DDoS attacks" paragraph is entirely out of scope for this document. 10/ Since the document promotes propagating RPKI Invalid routes instead of rejecting those invalid announcements, (section 3 "A validating BGP speaker MUST support the Simple Tagging operation mode. Other modes of operation are OPTIONAL."). I think this approach is a disservice to the global community. Our organisation (NTT) is creating RPKI ROAs for its IP resources with the understanding that the RPKI is a method to globally publish what BGP Origin ASNs NTT authorised and what prefix lengths can be expected. We did not publish ROAs with the understanding that RPKI Invalid announcements (hijacks, misconfigurations) will merely be tagged with a BGP community and propagated. Kind regards, Job
- [Sidrops] WGLC - draft-ietf-sidrops-validating-bg… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Job Snijders
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Job Snijders
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Job Snijders
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Job Snijders
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Ruediger Volk
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Daniel Kopp
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Jakob Heitz (jheitz)
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Nick Hilliard
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Borchert, Oliver (Fed)
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Borchert, Oliver (Fed)
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Christopher Morrow
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Randy Bush
- Re: [Sidrops] WGLC - draft-ietf-sidrops-validatin… Borchert, Oliver (Fed)