Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 11 April 2023 02:38 UTC

From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: 戴志滨 <daizhibin@ruijie.com.cn>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>
Date: Tue, 11 Apr 2023 02:38:23 +0000
Message-ID: <SA1PR09MB8142F2D674E03ED367420359849A9@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <180853ad1e71559b555b2d81e25cbd6e2b2c12e7.6bb3a20e.ce45.4f8e.8378.c9504f8ba716@feishu.cn>
In-Reply-To: <180853ad1e71559b555b2d81e25cbd6e2b2c12e7.6bb3a20e.ce45.4f8e.8378.c9504f8ba716@feishu.cn>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/P-ZkRiCGrdnW9mPy37ExQ4kEYlw>

> For example, the AS 100 router announces a route with AS_PATH {100, 101, 102, 101} to the AS 103 router, and {101, 102, 101} are forcibly added through the post-routing policy.
> After receiving the route, the AS 103 router scans the AS_PATH and finds that local AS 103 does not exist in the AS_PATH. Therefore, the router determines that there is no loop.
> So we need to consider the handling of these unexpected AS_PATH attributes.

BGPsec mitigates such AS_PATH manipulations.

With the use of the ASPA method, assume that 101 and 102 have ASPA: {101, 102} and {102, 115}, respectively. Then ASPA verification also mitigates this attack for the majority of possible scenarios – if the manipulated AS_PATH {100, 101, 102, 101} is received at AS 103 from AS 100 in the upstream direction (i.e., from a lateral peer or a customer), then the AS_PATH will be detected as Invalid (route leak) by AS 103. However, if the manipulated AS_PATH is received in the downstream direction at AS 103 from AS 100 (i.e., AS 100 is a provider of AS 103), then AS 103 may fail to detect it. We have already stated in Section 12 that a limitation of the ASPA method is that a provider can maliciously manipulate an AS_PATH towards its own customer and can get away with it.

I know you are thinking of detecting upfront an AS-loop that does not include the receiving AS. IMO, that seems like a question for the IDR WG. You are right that RFC 4271 has not identified that kind of manipulated AS_PATH as a malformed AS_PATH. Well, the SIDR WG came up with BGPsec to detect all types of AS_PATH manipulations. That is why Section 12 mentions that ASPA and BGPsec can work in a complementary manner.

Sriram
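As an added example (not code from the draft or from anyone in this thread), the following Python walks the upstream-direction check described in the message: the ASPA records are constructed from the example (AS 101 attests provider 102, AS 102 attests provider 115, AS 100 has registered none), each origin-to-neighbor hop is classified as Provider+, Not Provider+ or No Attestation, and a single Not Provider+ hop makes the path Invalid. The procedure is a simplified reading of the draft's upstream algorithm, not its normative text.

```python
# Added example, not from draft-ietf-sidrops-aspa-verification or this thread:
# a simplified ASPA upstream-path check for routes received from a customer
# or lateral peer.
from typing import Dict, List, Set

# Constructed ASPA records taken from the message: customer AS -> providers.
# AS 100 has no ASPA, so hops leaving AS 100 carry no attestation.
ASPA_DB: Dict[int, Set[int]] = {101: {102}, 102: {115}}

PROVIDER_PLUS = "Provider+"
NOT_PROVIDER_PLUS = "Not Provider+"
NO_ATTESTATION = "No Attestation"


def hop(as_i: int, as_j: int, aspa_db: Dict[int, Set[int]] = ASPA_DB) -> str:
    """Hop check: does as_i's ASPA list as_j as a provider?"""
    providers = aspa_db.get(as_i)
    if providers is None:
        return NO_ATTESTATION  # as_i published no ASPA
    return PROVIDER_PLUS if as_j in providers else NOT_PROVIDER_PLUS


def collapse_prepends(path: List[int]) -> List[int]:
    """Consecutive repeats of one AS (prepending) count as a single hop."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def verify_upstream(as_path: List[int], neighbor_as: int,
                    aspa_db: Dict[int, Set[int]] = ASPA_DB) -> str:
    """as_path is in wire order: as_path[0] sent the route, as_path[-1] is
    the origin. Upstream, every hop from origin to neighbor must be
    customer -> provider, so any Not Provider+ hop is a route leak."""
    path = collapse_prepends(as_path)
    if not path or path[0] != neighbor_as:
        return "Invalid"  # the sending neighbor must be first on the path
    origin_first = path[::-1]  # AS(1) = origin ... AS(N) = neighbor
    results = [hop(origin_first[i], origin_first[i + 1], aspa_db)
               for i in range(len(origin_first) - 1)]
    if NOT_PROVIDER_PLUS in results:
        return "Invalid"
    if all(r == PROVIDER_PLUS for r in results):
        return "Valid"
    return "Unknown"  # at least one hop has no attestation to judge by


if __name__ == "__main__":
    # The manipulated path from the thread, received by AS 103 from AS 100.
    print(verify_upstream([100, 101, 102, 101], neighbor_as=100))  # Invalid
```

The hop from 102 back to 101 is Not Provider+ because AS 102's ASPA names only AS 115, which is exactly the valley the message says AS 103 catches in the upstream direction.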