[Sidrops] Enforcement mechanisms
John Scudder <jgs@juniper.net> Mon, 17 July 2017 15:22 UTC
Return-Path: <jgs@juniper.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B555131B39 for <sidrops@ietfa.amsl.com>; Mon, 17 Jul 2017 08:22:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XWURd2ZNhc5Q for <sidrops@ietfa.amsl.com>; Mon, 17 Jul 2017 08:22:08 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0102.outbound.protection.outlook.com [104.47.40.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B49A131C55 for <sidrops@ietf.org>; Mon, 17 Jul 2017 08:22:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=LptA6RSdv+B9toebP+Ef9rcZfZiQh4/oIP9OoImadcU=; b=U2GXsRATUd7mXGUTv+JRbDN5RMnVmHlkcSHCoAIGT67DAcIZmJ8kqhTVJUu4U0MYO+8663D8JXT6hJKvWMoBeAk7W+cEZLKZMfVpP+qAz/cLvMNgpAqVptbgvkLhciG99mbSCKSeejgj/FnzcmBml5FSBoOKSgeYcXXp/RKJ/PU=
Received: from CY1PR05MB2507.namprd05.prod.outlook.com (10.167.10.134) by CY1PR05MB2347.namprd05.prod.outlook.com (10.166.193.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.4; Mon, 17 Jul 2017 15:22:07 +0000
Received: from CY1PR05MB2507.namprd05.prod.outlook.com ([10.167.10.134]) by CY1PR05MB2507.namprd05.prod.outlook.com ([10.167.10.134]) with mapi id 15.01.1282.008; Mon, 17 Jul 2017 15:22:07 +0000
From: John Scudder <jgs@juniper.net>
To: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: Enforcement mechanisms
Thread-Index: AQHS/xBzqHU/jR6ztkORt5aDx3NgMQ==
Date: Mon, 17 Jul 2017 15:22:07 +0000
Message-ID: <081F8800-6734-4AB0-BB6C-19FB6C9A100B@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2001:67c:370:128:1cb0:d75e:405c:ee35]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY1PR05MB2347; 7:PD8V9hN9YPMjA4uGowR2FG94x/qwrYSuDUOzWeHHzm9/fxP939mt90ltb2r/MieSUSyRtAmajzibMVl4B4gAg1v33rlW0bVmOWetgzpqjYmn4cnJOx3LRNVK4J4EqwXdcCZzDHOwk1b+J1jNpC6q5kwbRbfwrGJYpue9onxHbn9Snu1Rtj6QBrtOSU5zxziP6vaj4vJHTr1TUkVnbOThOeJTg5ebJS/smioKDPfC88pP6fsn9UJXS5TejaUftH/pAGB+Q3iklqyzpTRWadKwbqfRJ75AHvMrgq0/lRPkQE41ShRKxbtH+V8sq/yUfCY2oa5wX6xpFqoaFj0wziKcxekRTHrNMMaSsWAdKIAQ3+K60I+36q0RrXcO2qLHCSx3OtJExHWY17Z/GFHFfGMYnOCNV3fRt1sw2g/XXH59gOGWw+jNJQbap6OmWEeTHKIDYoXMDkXi34R97Nszt9rMlyETcTBZtq1OEUo0/17IE3oZ0sy6mR0Osf9k/KXEkWt4p90s6n723C5Ap1cxexIS1TimU/88jvPxtPbN9ZliyYAVdmaRFwbDwYx02GjpBf4MHn7nu5POd4eogMmLocei2AnbtTBVzyouLZfEEBrNP8l/LksrqoSVAWsB6MlMw7EqNjAMB4pQBY7ChCLf3/L6yKOV7SoDltUsbIQ5y7GyCm517Kh6PYJKxQ3cyJuHr7pfDc6C+MtCODsR2fWdAT7zAWEEKz1Zbx56e4PB0lnYpMCD05QT8NJhqai5LyVFYOrh+lPXs2osiXyvJnWIoGFV5ulNwfKWzTe6hN5s67qO/D0=
x-ms-office365-filtering-correlation-id: 5005cba0-96ee-45c1-07d5-08d4cd279636
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CY1PR05MB2347;
x-ms-traffictypediagnostic: CY1PR05MB2347:
x-exchange-antispam-report-test: UriScan:(236129657087228)(48057245064654)(50300203121483)(247924648384137);
x-microsoft-antispam-prvs: <CY1PR05MB2347E3DE7161EB38DFFF3ADBAAA00@CY1PR05MB2347.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(2017060910075)(5005006)(8121501046)(93006095)(93001095)(3002001)(100000703101)(100105400095)(10201501046)(6055026)(6041248)(20161123562025)(20161123558100)(20161123564025)(20161123560025)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY1PR05MB2347; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY1PR05MB2347;
x-forefront-prvs: 0371762FE7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39410400002)(39840400002)(39450400003)(39400400002)(39860400002)(39850400002)(38730400002)(53936002)(2501003)(6506006)(2351001)(14454004)(6486002)(5640700003)(189998001)(77096006)(6436002)(86362001)(6512007)(6916009)(478600001)(3480700004)(33656002)(236005)(99286003)(110136004)(50986999)(54896002)(6306002)(54356999)(83716003)(966005)(82746002)(36756003)(2906002)(6116002)(2900100001)(102836003)(3280700002)(3660700001)(5660300001)(81166006)(25786009)(1730700003)(8676002)(7736002)(221733001)(8936002)(606006)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR05MB2347; H:CY1PR05MB2507.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_081F880067344AB0BB6C19FB6C9A100Bjunipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jul 2017 15:22:07.1749 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR05MB2347
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/GY47-AL695lEQItvdDedftGFm9s>
Subject: [Sidrops] Enforcement mechanisms
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 15:22:12 -0000
Regarding Amir Herzberg's "collateral damage", slide 9 of his presentation: https://www.ietf.org/proceedings/99/slides/slides-99-sidrops-rpki-deployment-status-challenges-and-the-learning-validator-01.pdf It occurs to me the described damage only occurs if AS 3 uses "drop the route" as its enforcement mechanism. Another option would be to blackhole traffic to the "bad" prefix (1.1.1/24 on the slide) if and only if no good alternate route to the prefix is available (as is the case in the example on slide 9). This would still represent a successful attack but a different one -- denial of service to the victim instead of data stealing. Note that in the example on slide 9, since AS 2 doesn't care about ROAs at all, we only have the options of devil or deep blue sea in any case. The main liability of this approach that I see is if it's not a real attack but rather a "wrong" ROA, with the usual "drop the route" approach there often will be no (or not severe) negative consequences to the affected party, if they're covered by a properly ROA'd supernet, so you can still get your yogurt, albeit maybe through a suboptimal path. OTOH with the approach I describe, they're sure to lose connectivity, no yogurt. But I think this is really an argument for getting rid of "wrong" ROAs, not for using weak enforcement. (If you're using weak enforcement because you're afraid of the consequences of strong enforcement, you might as well admit you don't want to do enforcement at all.) You can decide for yourself if the cure is worse than the disease. But I believe it's possible to configure your router to do this today, if you feel like it. --John P. S. This probably can be related back to the prehistory of CIDR, for those who remember that. Is this the first time CIDR has come up in SIDR?
- [Sidrops] Enforcement mechanisms John Scudder