IETF Logo Mail Archive

Re: [Sidrops] [routing-wg] misconceptions about ROV

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 22 February 2022 11:39 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 082593A0E5D for <sidrops@ietfa.amsl.com>; Tue, 22 Feb 2022 03:39:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnA03Kf_Mu_Z for <sidrops@ietfa.amsl.com>; Tue, 22 Feb 2022 03:39:10 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1483F3A0E64 for <sidrops@ietf.org>; Tue, 22 Feb 2022 03:39:09 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 0861D51; Tue, 22 Feb 2022 11:39:04 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net []) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1645529943; bh=MRq0HoQAdhdxEPqt3ORR41RozhijHN+OrbjBWWTfszA=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=pOZdqQgAB3gEJ4Q8FfkRhB/Tlux2TTPZTUf2S0Taf29OhIxUG6cGbkF7TAx9qVqfm 9jgNfjOrpORJT8L88Any/mRmkO62PCH0xWAlyjeINNwBdW/sozh8isERSsWHLDmHmW NwAHmG4YzLvBU8oRNa5zDqMlywSDnDkXPVKYW6tuis8JbPcOvBDR13oseo1HmV3h6K uG+RVTKt4Helwz9/8Lermw5Q7ZFiP1LRc9cApX7/58vEV8cjlziAad1loivo3u3seR 9fzM5drqnMIwCu9cmOeq6HEjo4HjHD+iUqCDzbgm1LIPBTDcgQOHMj70x7HAE+SEih pJcJahpM5MWhA==
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.40.0.1.81\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <YhS/WR3czIP3jNLF@snel>
Date: Tue, 22 Feb 2022 12:38:59 +0100
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <ABE3FA29-6C9D-492B-A72A-68C20176E76D@nlnetlabs.nl>
References: <m2h78roqbp.wl-randy@psg.com> <7FBC2063-2404-4BF9-836E-210629C4BA63@juicybun.cn> <m28ru3ofyq.wl-randy@psg.com> <3C18BA8C-FA34-4D24-96E4-F85644089513@nlnetlabs.nl> <015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn> <DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl> <YhS/WR3czIP3jNLF@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/LBSaMr_AGCRtpJ8qnwM618lTo7Y>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2022 11:39:16 -0000

Hi,

> On 22 Feb 2022, at 11:47, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> On Tue, Feb 22, 2022 at 10:19:23AM +0100, Tim Bruijnzeels wrote:
>>> On 22 Feb 2022, at 09:51, Di Ma <madi@juicybun.cn> wrote:
>>> It seems to be a good idea to do signaling and have a sort of signed
>>> object for policy indicator :-)
>> 
>> I think we need a model where we can have valid/invalid/not-found (or
>> equivalent) for paths.
> 
> Do we really? Slide 10 "BGPsec is protocol, not policy":
> https://archive.nanog.org/meetings/nanog52/presentations/Tuesday/Bush-bgpsec.pdf

I did not say it's policy. I don't know what would be needed. But it
would help if people had an automated way to know that BGPSec validation
can be applied or not for a given path / session etc.

> 
>> Then we people can turn validation on with much less risk, and people
>> can start implementing BGPSec on their routers independently with more
>> immediate (albeit initially small) benefit.
> 
> I am not so sure about the above, it seems the reasoning stems from a
> desire to seek compromise without regard for the consequences of such
> settlement. The notion of "less risk" needs to be quantified more
> precisely to have meaning.
> 
> I understand the goal of BGPsec deployment to be to reject
> BGPsec-invalid paths, that's all. If the signatures are trash: don't
> accept it, I don't see 'middleground'.
> 
> Are there any scenarios in which one would want to accept BGPsec invalid
> paths? Similarly, RP implementations discard malformed ROAs, network
> operators reject RPKI ROV-invalid BGP updates.

Currently you need to accept BGPSec invalid path on any path where
at least one ASN does NOT participate in BGPSec. Applying BGPSec path
validation is only safe when you know that ALL ASNs on the path
participate.

> If people perceive risk: don't enable BGPsec, let others be the early
> adaptors. It is early days, lots of software still has to be written,
> lots of testing is required.

What I am hoping for, essentially, is that a partial deployment model
would be more feasible where people are not expected to form islands,
which merge, without specifying how those islands form or merge.

If there would be a 'not-found' like state for the *path* validation,
and reliable way to clearly detect an *invalid* path as opposed to
a path with non BGPSec capable ASNs, then a simple reject *invalid*
policy could be applied.

I understand this is not trivial. If it were, it most likely would
have been solved before 2011. Still, it may be useful to think about
this again.

Reject invalid && partial deployment has worked well for ROV. And,
time will tell, but I strongly believe it will work well for ASPA.
I would like something like this to work for BGPSec.

Alternatively - rather than having a 'not-found' it may be an option
to automate a safe decision on accepting only 'valid'. See below.

> 
>> Note that all this is orthogonal to ASPA. ASPA essentially says
>> whether paths are plausible, and BGPSec (valid path) says what
>> actually happened.
> 
> Yes, the above is an accurate summary.
> 
>> Though if ASPA informs that an adjacency is invalid then this could
>> perhaps be valuable input to BGPSec path validation with regards to
>> downgrade detection.
> 
> Only time and research can tell whether it is a useful signal to
> transfer from one plane to another plane.

The two are orthogonal, but may complement each other very well.

Suppose, for the sake of argument, that routers would know (through
validation) that all ASNs on a path are certain to participate in
BGPSec then they could also 'safely' reject any such BGP invalid
paths. If this decision can be automated then operators don't need
to create or destroy the islands manually.

Adversaries could still spoof paths, but if the ASPA 'AS_PATH' is
then invalid - they would presumably be rejected on that basis.

If the ASPA 'AS_PATH' would be valid and accepted, then the addition
of BGPSec validation on that path (provided the ASNs are known to
participate) would give additional security.

As I said I don't know.. I am just trying to look at it from another
angle.


> 
> Regards,
> 
> Job
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.8.7 | Report a Bug | By Email