IETF Logo Mail Archive

Re: [Sidrops] request to consider draft-spaghetti-sidrops-rpki-prefixlist for WG adoption

Geoff Huston <gih902@gmail.com> Thu, 10 August 2023 00:34 UTC

Return-Path: <gih902@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BD35C151077 for <sidrops@ietfa.amsl.com>; Wed, 9 Aug 2023 17:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7xTdEdmacHA for <sidrops@ietfa.amsl.com>; Wed, 9 Aug 2023 17:34:23 -0700 (PDT)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A564C151071 for <sidrops@ietf.org>; Wed, 9 Aug 2023 17:34:23 -0700 (PDT)
Received: by mail-pf1-x42a.google.com with SMTP id d2e1a72fcca58-686e29b058cso283073b3a.1 for <sidrops@ietf.org>; Wed, 09 Aug 2023 17:34:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1691627662; x=1692232462; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=YPpaeCm+2tdgbbYi0KNTG9pbGLCiN3pO/tY4GKOpO24=; b=mi+ik9+dIlUviBhPT1LoScggVLA05jj4j2gkgL0cFKOgcYTGMyQatmAMlbtHfjy76B FR0nvFx5kp2BxvRlASkjgzikurUYfwnqswYiRMzRoy6/iQEU/Nz6d/nR/8slnbsE9qev QjgYIlLJG8W7nbfhvjNVi244UQUJFLt16nEFSYKk+jqkBpcjX9OAnk4KQXLCaQ6P+qGn 7OxmGLZ3LneG1FDhkr/C/I+8nIpr/6OaDjJp0urSdB7W7wq05R86qyAFtRoPUoLgK660 LDjyP6DM7k/w2c/DhCZpTU0Tr45hm9XZ1PeSK+OfI5BD3jWzWgBE7g6QXTA7V7oG0nsn 5zsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691627662; x=1692232462; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YPpaeCm+2tdgbbYi0KNTG9pbGLCiN3pO/tY4GKOpO24=; b=bZzIde2Sl6Rb5akPp4jnz5Scm0JzsK0T9XuI4TvgadDm/CiQnCB2uLZrTo/ABOH1dc RUrRdV/favJ1zbRQ2dnNl3hiT1lTDRDQPmhrxWXgbHioPutCXa5YqmVPUOEF2N/kyf3w 7950/XtNLD6T+IKVkrwPz0Ar2RVIJCbsl3XrIVRKJ++bXw7rPCf0b2Yp4ZANMO9IE0DU 1Aldw/sRQiuVpf8kya1rFdRoeyE/AkmkikPeAWxmTU18ZdYiCzBQX75+kRvXPPTkmVz2 vvjwWoG6O7A0ciCAYLABlSI/9SpUy/BLS7tZPV0svWLDVMVf4LJyYMzQqSP9KBfrqaYu Qa8g==
X-Gm-Message-State: AOJu0YzMHUKOVV1Q/k/cjU0HbDwvpQ1FXgQbvV5XKisvh/Ip8ucnVzON /C8zjiwQazjdJZIA1vhWidYzRkfum0ejjA==
X-Google-Smtp-Source: AGHT+IEDDDcMplpYH/fdxvrwAqiPgEZdmUiaan8ZhX/zuTnmlo8BBDU7k60X2PJRdY/lulahv8fexw==
X-Received: by 2002:a05:6a20:a10f:b0:140:bd85:15a5 with SMTP id q15-20020a056a20a10f00b00140bd8515a5mr1061609pzk.39.1691627662440; Wed, 09 Aug 2023 17:34:22 -0700 (PDT)
Received: from smtpclient.apple ([2605:59c8:33cd:b100:17e:546:9805:8a11]) by smtp.gmail.com with ESMTPSA id a19-20020a62e213000000b006875be4163csm195613pfi.17.2023.08.09.17.34.21 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 09 Aug 2023 17:34:21 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
From: Geoff Huston <gih902@gmail.com>
In-Reply-To: <SA1PR09MB8142AB3638F9A737706B89358413A@SA1PR09MB8142.namprd09.prod.outlook.com>
Date: Wed, 09 Aug 2023 17:34:10 -0700
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <23A0A292-8AAE-4075-953A-22A9D647A9FC@gmail.com>
References: <SA1PR09MB8142D5B0AFE288F6494E27E68403A@SA1PR09MB8142.namprd09.prod.outlook.com> <ZMAKd1F8MnnkNowl@snel> <000001d9c20a$4b63bf30$e22b3d90$@cernet.edu.cn> <SA1PR09MB814241FCE402C998B8B5CB028404A@SA1PR09MB8142.namprd09.prod.outlook.com> <70F6B97C-55FB-4F76-93B8-59CCA681294B@gmail.com> <SA1PR09MB81421C3E226CA3ED52D874D9840AA@SA1PR09MB8142.namprd09.prod.outlook.com> <96923A47-FDCC-4F03-A5F3-8C655B7CE98B@gmail.com> <004b01d9c5b6$c08c24f0$41a46ed0$@cernet.edu.cn> <52ECA8DC-A412-4D8B-B12C-9E763BCB5840@gmail.com> <SA1PR09MB814284E05F7CB79FC369B5F98412A@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142AB3638F9A737706B89358413A@SA1PR09MB8142.namprd09.prod.outlook.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/N6ZnFhmLDvANWaKUs5SrJAbtS1A>
Subject: Re: [Sidrops] request to consider draft-spaghetti-sidrops-rpki-prefixlist for WG adoption
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 00:34:24 -0000


> On 9 Aug 2023, at 5:04 pm, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> wrote:
> 
> Hi Geoff:
> 
> My comments are marked with [KS]:
> 
> [GH] wrote (responding to Yangyang's scenario where it is shown that a hijacker owning AS3 can create a false PrefixList and take advantage):
> "Not wrong, but not all that relevant either. If there is no ROA for a prefix then _any_ AS can originate a route to that prefix, and there is no ROA that can be used to say whether such an origination is authentic or not. That’s always been the case."
> 
> [KS]: The question is: Does the draft propose giving a higher authenticity to an ROV-unknown route if the apparent origin AS has the prefix included in its PrefixList versus another route for the same prefix with a different origin AS that does not have a PrefixList?



There are no words in the draft to this effect.




> 
> [KS]: If you give equal status to the two competing routes (one with an origin AS that has a PrefixList including the prefix and another with an origin AS that has no PrefixList; both routes are ROV-unknown), then the PrefixList is irrelevant (lacks a use case) for this scenario. However, only then the said hijacker does not gain any advantage over the legitimate announcement. 

The prefix list is not irrelevant. but doe not apply in this scenario. If an AS has published a prefix list and the prefix is not in this list, yet it purports to be originated by this AS, then the prefix list provides grounds for a relying party to drop the route. 


> 
> [GH] wrote: "However, the prefix list can prevent others from accepting some forms of synthetic routes that would otherwise pass undetected. If a third party synthesised a route for 10.0.5.0/24, originated by AS1, then the valid prefix list signed by AS 1 would inform a relying party that 10.0.5.0/24 is not a route that AS 1 has acknowledged that it will originate, and the relying party may choose not to accept the route on that basis." 
> 
> [KS]: This is the classic case of AS hijacking as defined in the REAP draft. AS1 is being hijacked. It is being made to appear like it is hijacking a ROV-unknown prefix. ASPA-based path verification solves this problem only in the upstream path (Update received from a customer or lateral peer). REAP solves it more generally in any direction without side effects. PrefixList seems to solve it but not really... as explained below with examples.
> 
> [KS]: The prefix owner of 10.1.0.0/16 does not register any ROA. They originate the route from AS1. AS1 includes the /16 in its PrefixList. But if the prefix owner senses a hijack situation with the /16, they should have the liberty to deaggregate and announce two more specific prefixes: 10.1.0.0/17 and 10.1.128.0/17. At another time, the prefix owner may announce a more specific 10.1.1.0/24 (subsumed under the /16) for traffic engineering purposes. But according to your scheme above, AS1 (or any other RP along the AS path) will find these more specific prefixes not included in AS1's PrefixList. This seems to point to a design flaw. Does AS1 try to learn what more specific prefixes (subsumed under the /16)  may be announced in the future by the prefix owner? How can that information be collected by AS1 so it may include all possible more specific prefixes (in routes announced) out of the /16 into its PrefixList?

So this is a a re-run of the maxlength issue with ROAs, and frankly I have no particular opinion one way or the other, though in this particular working groupo I suspect opinions are all over the place. The prefix List could require explicit enumeration of all prefixes including more specifics and insist on exact match. Or it could folk in a maxlength parameter and imnplicitly define more specifics. Like I said, I personally have no opinion one way or the other. I think this also relates to your following comments.

> 
> [GH] wrote (in the IETF 117 presentation slides): "Any route originated by this AS not contained in a validated RPKI Prefix List SHOULD be regarded as invalid". 
> 
> [KS]: This is similar to your earlier quoted statement and poses a problem as discussed below.
> 
> [KS]: When creating the PrefixList, is any attention paid by the AS owner to the ROAs of the prefixes being included? The following are examples of real ROAs using maxLength:
> 
>   AS2518, 2001:260::/32-48, apnic
> 
>   AS24560, 223.235.0.0/16-24, apnic
>   AS9785, 223.164.0.0/16-24, apnic 
> 
> [KS]: If the ASes that originate the above prefixes include only the prefixes but not all the more-specific prefixes that are allowed due to the maxLength, then when the prefix owner choses to announce some of the more specific prefixes, they will be found to be Invalid by the PrefixList verification process and will be erroneously rejected. When the maxLength is much bigger than the prefix length in the ROA (though that is discouraged by RFC 9319), it is a very difficult task of enumerating and including the huge number of allowed more specific prefixes in the PrefixList! 
> 
> [KS]: A problem also arises when a prefix is actually originated by an AS but that AS's network engineer made a minor typo while typing in that prefix into the PrefixList. There may be other inconsistency issues between the PrefixList and the ROAs that are relevant to it. 
> 
>

v2.23.0 | Report a Bug | By Email