[Sidrops] new ASPA-based AS path verification algorithms implemented in NIST BGP-SRx
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 21 December 2021 15:02 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5ADB3A0DC9 for <sidrops@ietfa.amsl.com>; Tue, 21 Dec 2021 07:02:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.802
X-Spam-Level:
X-Spam-Status: No, score=-2.802 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmQLU-zZaIaa for <sidrops@ietfa.amsl.com>; Tue, 21 Dec 2021 07:02:37 -0800 (PST)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on2070d.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d05::70d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 249053A0DD7 for <sidrops@ietf.org>; Tue, 21 Dec 2021 07:02:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DWl1XJ7GAWZR2ypmgxF2AyAzHI2lUkANDupNko455jHvXWQjOtCLvhl0/U+HYhV8l+biia2/MHr6DzfDf1SEsTEtfqekYxUvVlwb78VFQXHdbJgfKt87ruxrPcGN9srr5bQS7vlaBFmLRGS4Q1b/Z/9GtXfFUL9ZEPBBPvoPuIzG4Y1UwPygX0XP/BPF/IlY67usPtkExSwujFAs1aZTsOxRuQ5sKLpVXpweSQxbRa5QwLuT/m9fFGhx9GRN/TxmLf4eTGv9mXFSCieAOi3h3yz2/jZNi7Bo4NrsQ0kssjIotoSTn823IuQH99y3p86iHoTT4UP9+NOT4GEy3lZzBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ebiskAdcIF1MC84po5HKdfnopIHLAFJ2Y/H5YP1ry+A=; b=dF6HZuGXFdNg6CbyEaGb3BPzuhjiqlTlgR0MoQiWcH4+Gt4ZspwDrj01NXvr8OwpjYV/7ohHokPb5LobYa1Htdd/yMcTXU9+RaVgxw+J6jIIhkE1TUKozReJukInpoMCCZECIAVnYTzCPG06yy5ZpA/oxoepLu8XsZk2K+K1nyPbPrfn9oIJewNpYIZKA1mMWhelKOijRFtrGTB8EM7GHn8KU+gaiPTrzQjbW2yNpuhLCo0PkXVeWyLOe9Nfg29T+qp1YlGv6uBz6GyO4j30fxpd+STC6e2RBRkAldMlpkp5bjnG3OZCKxwv0/Dkl712wBu0tu5rilKADCgKCq93xw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ebiskAdcIF1MC84po5HKdfnopIHLAFJ2Y/H5YP1ry+A=; b=llmdwOvLJRsUR5nKTEVaIgQeBroECv+pi3X7g7LXlEoCvMPbg0NvQT8HMtM3GRHZcSZhVskCab5QEm3IY9aqO7nHvtCnoK/LyTWiAfXTv8AQxpWSrYeAi12SXSe1aeEpX74sedP8iv5KCyKmPV2+2iGV/4zZFs7OYIQvusKVNfg=
Received: from SA1PR09MB8142.namprd09.prod.outlook.com (2603:10b6:806:171::8) by SA1PR09MB7438.namprd09.prod.outlook.com (2603:10b6:806:17a::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4801.15; Tue, 21 Dec 2021 15:02:31 +0000
Received: from SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::717a:2702:70fb:6225]) by SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::717a:2702:70fb:6225%4]) with mapi id 15.20.4801.020; Tue, 21 Dec 2021 15:02:30 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: new ASPA-based AS path verification algorithms implemented in NIST BGP-SRx
Thread-Index: Adf2AEh2j2cZJJpeRBaB0tOWBPfkHAAeARpQAAA+T6A=
Date: Tue, 21 Dec 2021 15:02:30 +0000
Message-ID: <SA1PR09MB81426590D7A567A146290D83847C9@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB8142FE4A5F98F463B809629F847C9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142350CDCC4F73A4FE9D82A847C9@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142350CDCC4F73A4FE9D82A847C9@SA1PR09MB8142.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 513118d2-1166-4dea-a8d0-08d9c492e95f
x-ms-traffictypediagnostic: SA1PR09MB7438:EE_
x-microsoft-antispam-prvs: <SA1PR09MB7438CDB7DEA0ABC03F37391E847C9@SA1PR09MB7438.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:4714;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: pBVDiNzNKMsA1bokp6z1w6LhN4Hj7VOASURjZplo9p0mu/5DbcOqvMHGoYfKfKbuAcsnxFfr+v4UQ9vvwNWj/u4TAZwv2o2ow1+eBUHlkHiU/4vxPP81nzm+x3bBk+E2Au2gwEzWhqvLeGQCq5rXLwAcnxbUOOIlOUUrITHSLFnmlwnJJeruosI2ARzSl6n3VSq9cnMqrOp/0FPzEx0nGkGxWs3x7Rm2zPl5oIOXpBN17DCP1QICa7ml+8wkMUFaeRXGArD3Jr46j2c0ywRC9jNdR6trfnYj/mXdyx3wDyVOiZEFtTUKLeFxZ9SnwiO+Lz6BU8XVZgZwLQD4/Typo5RkmIC4SiTSu6+jM8LNTURtw1d8YuET3AGQiT3mbEBiUYb2sk6aI/zVOKm5GTFGi2K9g6mpO0q1kg0r5Y/9TcRal4Y3xOKsAUs58bR8eBzd9m3tWbdO3ic6ImHtd/80WEA6PjDA5QSXm4FPnriVw+2rnfJ8GW56LCa84ufdtigMLWflVLU6U+uUtEvnYNrv6nynbLQreyEABko0BUBRMWiKzHq8LXARxmRjcwQ2O5A4LEZiIQtdiyZbBvOFtq9UZ9kNbYlLhJuOJa21Nyc/7K5JBV8gIEdXiXkPvOFwcseNjK1qFa3c19U9VVqeq7I6KCkk76EpRTdpFEIxnqsupYh6w9AWRMtDpkBemhmGTpfyrK+ULeKrud7d1fg0sWefIwIRsDypGmraQwKa8FQnZs5GvyOxhW9Y3nIkc/hlav204/dt8eC+aJ7bU7GprOpzTt/iCMOCi4F+38vdtrJFKIg=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR09MB8142.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(6916009)(186003)(86362001)(71200400001)(55016003)(38100700002)(82960400001)(7696005)(8936002)(122000001)(26005)(33656002)(52536014)(15650500001)(966005)(316002)(508600001)(83380400001)(5660300002)(2940100002)(2906002)(38070700005)(66446008)(6506007)(66476007)(64756008)(8676002)(66556008)(76116006)(9686003)(66946007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: dQZxPVaOhLfzQmAJRNb+Yoc9YeLxB/pM5TYtQy1oUUpSRRQHUL7LR5A4F4DDyGhehkcznOd2B8Ji3Y6jheU6+kgIhi6wpAU4z3YtJ799nZ0WE3SZLw7XOidnOV/PCTFeQBj++TUWnjJk4uLo+FCr33bod+Xlt+UQVP0R4q2Sd7QWHbxr8Td/Dz4Wwq3JFARsE9MsrYJfDjxp8Xe7KTLPAJHOD/+hU84FvPAYeObqVhMKFLL0SIwmDp7wf4jhVloW24DY6O7LY2ievtKn/u0Fw4x8G1a1rOzDjWY7OdZzQTXKKSfxKQEYEY4H2zmylBCZJJ8UKpm/NIREUZAuyI1ZMJXWt83dsz77tKkmhVCdBC7Yw028awuxunneAWfKA3inHkpVL8lLJWsfulI33rZr70Ausj8mtBMPxM86eG/AiRPvFdVLOQN+OqgaXkevH9w75vYjx1G7xLPphjjbO0xBRoHLisollsU34EzEZNS0d/VxhHMeIpCAl5JCg6pW431a3Iwmq+dgzLQ/L2k4Mh1fK/7Kr2McZlVDXYFeSqe2VNF3xg02ezRPt8TIP3wkWPkLp9+hkttGe8DGJSZQZhdIrkslQVbnTfB4wkyic2MzaU1E52pX0i+cV44r6I6YDz2hKJm36UHO5gDj6buQMwTzcY28WfIen/1bvccx6qD1i3nhICQEd94xq5Il1sR8b5Lb+7SMsAeOtLkDJP7Tigxug62UpmaYeNSrmIoPoLvMVDkXfXPRAwZuDXlvd9pzaYcbRg8rdW2dPKIzNX8MdGXsf7xnZy9jgiDPR5fAwhD1JZ0yITPBEOGHof7dSjAX6E34OpLbbAi4FtrwNJTB3kRwR3sh2dLEQMOUOexFZLVzO15pifsY9Na5IK68fTuEjHhFq4wedFskW5E8Bm2RAsXmcldrS3MT2YgNMixJcrp20HB6uhTPx4P+cZ2a4XaasTPgfMBUsRfxoW80Y82IQ0I/8qaqjXT80Jcnniz5kxAAoIYp/wJ0QXCR47kDkZCbAcJtfy+U5Tt0oW8ojV7xwoU1FbRVtsLMgzr2W/w5nApSrYRnnPW55RSnrCVGw/HTY4tU5+PpJ3UOSl8QrC11px/MN/YXoxmkbD4or19OyzqnoJL62gqpkf4278+a1phjWEVzMWo+cUxUrwelP+fvhQIg/x0JhCvEd86RWg/eepJeUS+cOue60y6aZsFa0MPEHWiKLfQeOdowsj/u+TjP/8eeBQYiJrKMasxxyjDoQZ8UzVMFufgnyyKKcpRFVD5/blQCyvjte3jzus1YpT3EEo0tgVWId10qKz6DFIv68ZgbpR8=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR09MB8142.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 513118d2-1166-4dea-a8d0-08d9c492e95f
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Dec 2021 15:02:30.7859 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR09MB7438
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/C6Ethp2aC9sJsxDtBrLQDjmCqk4>
Subject: [Sidrops] new ASPA-based AS path verification algorithms implemented in NIST BGP-SRx
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Dec 2021 15:02:42 -0000
For folks using the NIST BGP-SRx test examples (https://github.com/usnistgov/NIST-BGP-SRx/blob/master/examples/example-demo-aspa-new/README ) to test their implementation and comparing against the BGP-SRx implementation of ASPA, we provide below the descriptions of the new (corrected per [1]) path verification (i.e., route-leak detection) algorithms that we’ve used (in BGP-SRx). Comments/user experience feedback is welcome. I’ve also shared the text (algorithms below) with Alexander for the anticipated ASPA verification draft -09. The updated algorithms also include some essential special (or corner) cases that were not considered before in the draft. New upstream AS path verification algorithm (when UPDATE is received from a lateral peer, customer, or non-transparent-RS client): 1. If there is an AS_SET present in the AS_PATH, then set AS_SET_Flag = 1, else set AS_SET_Flag = 0. 2. If there is not an AS_SEQUENCE present* but only an AS_SET, then the procedure halts with the outcome “Unverifiable”. Else, continue. 3. Collapse prepends in the AS_SEQUENCE(s) in the AS_PATH (i.e., keep only the unique AS numbers). Let the resulting ordered sequence be represented by {AS(1), AS(2), …, AS(N-1), AS(N)}, where AS(1) is the first-added AS in the AS_SEQUENCE and AS(N) is the last-added and neighbor to the receiving/validating AS. 4. If N = 1, then jump to Step 8. Else, continue. 5. At this step, N ≥ 2. For 2 ≤ i ≤ N, if there is an i for which AS(i) is attested “not Provider” by its left neighbor AS(i-1), then the procedure halts with the outcome “Invalid”. Else, continue. 6. For 1 ≤ i ≤ N-1, if there is an i for which AS(i) has no ASPA, then continue to the next step. Else, jump to Step 8. 7. If AS_SET_Flag = 0, then the procedure halts with the outcome “Unknown”. Else (i.e., AS_SET_Flag = 1), the procedure halts with outcome “Unverifiable”. 8. If AS_SET_Flag = 0, then the procedure halts with the outcome “Valid”. Else (i.e., AS_SET_Flag = 1), the procedure halts with outcome “Unverifiable”. * Note: Since AS_PATH is a mandatory attribute in eBGP, it must have an AS_SEQUENCE, or AS_SET, or both. ...... New downstream AS path verification algorithm (when UPDATE is received from a transit provider or non-transparent RS): 1. If there is an AS_SET present in the AS_PATH, then set AS_SET_Flag = 1, else set AS_SET_Flag = 0. 2. If there is not an AS_SEQUENCE present but only an AS_SET, then the procedure halts with the outcome “Unverifiable”. Else, continue. 3. Collapse prepends in the AS_SEQUENCE(s) in the AS_PATH (i.e., keep only the unique AS numbers). Let the resulting ordered sequence be represented by {AS(1), AS(2), …, AS(N-1), AS(N)}, where AS(1) is the first-added AS in the AS_SEQUENCE and AS(N) is the last-added and neighbor to the receiving/validating AS. 4. If N ≤ 2, then jump to Step 11. Else, continue. 5. At this step, N ≥ 3. For 2 ≤ i ≤ N, determine the smallest i for which AS(i) is attested “not Provider” by its left neighbor AS(i-1). Denote such i as i_min. If i_min does not exist, then set i_min = N+1. For 1 ≤ j ≤ N-1, determine the largest j for which AS(j) is attested “not Provider” by its right neighbor AS(j+1). Denote such j as j_max. If j_max does not exist, then set j_max = 0. If i_min ≤ j_max, then the procedure halts with the outcome “Invalid”. Else, continue to Step 6. 6. Up ramp: For 2 ≤ i ≤ N, determine the largest i (call it K) such that AS(i) is attested Provider by its left neighbor AS(i-1) for each i ≤ K. If such K does not exist, then set K = 1. 7. If K ≥ N-1, then jump to Step 11. Else, continue. 8. Down ramp: For 1 ≤ j ≤ N-1, determine the smallest j (call it L) such that AS(j) is attested Provider by its right neighbor AS(j+1) for each j ≥ L. If no such L exists, then set L = N. 9. If L-K ≤ 1, then jump to Step 11. Else (i.e., L-K ≥ 2), continue. 10. If AS_SET_Flag = 0, then the procedure halts with the outcome “Unknown”. Else (i.e., AS_SET_Flag = 1), the procedure halts with outcome “Unverifiable”. 11. If AS_SET_Flag = 0, then the procedure halts with the outcome “Valid”. Else (i.e., AS_SET_Flag = 1), the procedure halts with outcome “Unverifiable”. …… (Thanks to Oliver Borchert and Kyehwan Lee who recently encoded the above algorithms in the ASPA implementation and testing in NIST BGP-SRx. Included are test cases where the above downstream algorithm yields the correct verification results while the same in draft version -08 will yield incorrect results.) Regards, Sriram [1] K. Sriram and J. Heitz, "On the Accuracy of Algorithms for ASPA Based Route Leak Detection," IETF SIDROPS Meeting, March 2021. https://datatracker.ietf.org/meeting/110/materials/slides-110-sidrops-sriram-aspa-alg-accuracy-01
- [Sidrops] new ASPA-based AS path verification alg… Sriram, Kotikalapudi (Fed)