[Sidrops] first route leak prevented by ASPA

Claudio Jeker <cjeker@diehard.n-r-g.com> Wed, 25 January 2023 13:06 UTC

Date: Wed, 25 Jan 2023 14:06:38 +0100
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: sidrops@ietf.org
Message-ID: <Y9EpXo+sncvtZAGz@diehard.n-r-g.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/E0ir_MJ5AHYmvQNEqaW5bu8igbQ>
Subject: [Sidrops] first route leak prevented by ASPA

Hi all,

For a few days now OpenBGPD has been able to do ASPA verification and filtering
based on the outcome. Right now my system detected one ASPA invalid path
that is an actual route leak. So it seems ASPA is working :)

    $ bgpctl show rib in avs invalid as 945
    flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
           S = Stale, E = Error
    origin validation state: N = not-found, V = valid, ! = invalid
    aspa validation state: ? = unknown, V = valid, ! = invalid
    origin: i = IGP, e = EGP, ? = Incomplete

    flags  vs destination          gateway         lpref   med aspath origin
          V-! 2606:b0c0:b00b::/48  2001:4bf8::253    100     0 8271 6939 61138 945 i

This is because of the following ASPA record [1]:
    customer-as 945 provider-as { 1299, 6939, 32097, 50058 }

combined with a Locally Added Assertion for my upstream AS:
    customer-as 8271 provider-as { 13030, 174 }

AS 8271 has a lateral peering with AS 6939, so upstream path validation
happens and as AS 945 didn't include 61138 as provider, the path is
invalid.

With such minimal ASPA records my system already sees around 170,000 ASPA
valid prefixes!

All of this (including an ASPA-capable validator) is available in the
latest OpenBSD-current snapshot!

I'll share an implementation report later on.

Regards
-- 
:wq Claudio

[1]: https://console.rpki-client.org/rpki.august.tw/repo/AS945/0/AS945.asa.html
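Worked example of the verification described in the message above, added here and not part of the mail, of OpenBGPD or of rpki-client: the hop and ramp checks of draft-ietf-sidrops-aspa-verification applied to the leaked path, with and without the locally added assertion for AS 8271. It assumes that no AS other than 945 and 8271 has an ASPA record.

```python
# Added example (not OpenBGPD or rpki-client code): ASPA path verification
# per draft-ietf-sidrops-aspa-verification, run over the leaked path above.
# Only the two records from the mail exist; every other AS is assumed to
# have published no ASPA.
ASPA = {
    945: {1299, 6939, 32097, 50058},   # published record [1]
    8271: {13030, 174},                # locally added assertion for the upstream
}

def hop(aspa, a, b):
    """Is b an attested provider of a?"""
    if a not in aspa:
        return "no_attestation"
    return "provider+" if b in aspa[a] else "not_provider+"

def ramp_len(aspa, seq, loose):
    """Longest prefix of seq in which every step is a provider hop.
    loose=True also lets hops with no attestation extend the ramp."""
    n = 1
    for a, b in zip(seq, seq[1:]):
        h = hop(aspa, a, b)
        if h == "provider+" or (loose and h == "no_attestation"):
            n += 1
        else:
            break
    return n

def verify_downstream(aspa, as_path):
    """Route learned from a provider. as_path is neighbor-first, origin-last
    (bgpctl order). Allowed shape: up-ramp from the origin, at most one
    lateral peering at the top, then a down-ramp towards the receiver."""
    path = as_path[::-1]             # AS(1)=origin ... AS(N)=neighbor
    n = len(path)
    if n <= 2:
        return "valid"
    if ramp_len(aspa, path, False) + ramp_len(aspa, path[::-1], False) >= n:
        return "valid"
    if ramp_len(aspa, path, True) + ramp_len(aspa, path[::-1], True) < n:
        return "invalid"
    return "unknown"

def verify_upstream(aspa, as_path):
    """Route learned from a customer or lateral peer: every hop must go up."""
    path = as_path[::-1]
    hops = [hop(aspa, a, b) for a, b in zip(path, path[1:])]
    if "not_provider+" in hops:
        return "invalid"
    return "unknown" if "no_attestation" in hops else "valid"

LEAK = [8271, 6939, 61138, 945]      # the path from the bgpctl output above
print(verify_downstream(ASPA, LEAK))                    # invalid
print(verify_downstream({945: ASPA[945]}, LEAK))        # unknown: no local assertion
```

Without the local assertion for AS 8271 the down-ramp can absorb the unattested hops and the path only degrades to "unknown"; the assertion is what pins 6939 as a lateral peer of 8271 and exposes 61138 as a missing provider of 945.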