IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-ietf-sidrops-rpkimaxlen-08 - ends 25/October/2021

Ben Maddison <benm@workonline.africa> Sat, 11 December 2021 13:37 UTC

Return-Path: <benm@workonline.africa>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 689263A07F1 for <sidrops@ietfa.amsl.com>; Sat, 11 Dec 2021 05:37:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=workonline.africa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JwlE7Dh5E1WL for <sidrops@ietfa.amsl.com>; Sat, 11 Dec 2021 05:37:43 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70085.outbound.protection.outlook.com [40.107.7.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 049F53A07EB for <sidrops@ietf.org>; Sat, 11 Dec 2021 05:37:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NLUNUREPCDxfLdZELY6P2C2wmDl0ltTUgI0KLYv17QK7yPnMEDbdBCk1m/lGzZNNCzoDrlGb12eLF0zos8pTEV4K6l3aFIpxswlkv5DveoUKgOggZ4ZZOL+g7JFpT6Xobu74Yn5idFQPwCf83gAvGlKKIoLbObe39cLLSM3qAcRV2eUTjMZWbaQeqlTXIJ5EmyUgOX/rVFjW3431od4+IoHYyDS2tNohggY+V/Cyg/NXucf0638SYOOaylgfPcbEW1J6BI7e6b2Yxt3iwLuwyssoS+35hoJdbmseBiC/RtqQE2Fh+CyIKOyfBaBOGgkI6lkw0BAGYSm8wU6cfYwu2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=37KjLBFVKq5LOa8XoIaseFJmbFuhJ7YbWlHYM/kZ880=; b=hvv2uT3C1DgDARgPCaZjW1bwLnNykLEIKH2wptrD2YgzgclPi6vH6CiPa7fcbT3BslSMy1FzrFuAV/Xnqa91maPMUeK8VTzAzV9/R1e+tfZhv6nbXrLgKJVt5ZqvaRefkPM7BBoD6Nb6hb/XxaUIiQCSqG4NCyPZidAGk59d+/DAT1s9DM1Bx5JTbT8ATBo1Ru1Q5RedM4ziqrlc9BxsfN7yCK9IAPqr5mj73Ucp/2YIgnuQ6BiFS02glEl6ih7vY9VT/3ugF7jPTYLp1ASgx/zqT9mHtE9rvo/bIaO3vCVp7MO9CPoP4kzbPuvk1gDlJueNaik+JfgCzLj7aXtt0g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=workonline.africa; dmarc=pass action=none header.from=workonline.africa; dkim=pass header.d=workonline.africa; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=workonline.africa; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=37KjLBFVKq5LOa8XoIaseFJmbFuhJ7YbWlHYM/kZ880=; b=duRfivmGGCEbzNOL68sCLCck4W2qct3Be+HD3yGR+E4JQEENH+P3cd7wnafU+hKFPmZgNLN2WY03nQ3gef/9Z3eJRNxmZtZTz/X62ZIy7I8ejIsMqMtlW8kkljzeaYSMTC/GMPyHuqcAraG6lRV7w2Ao8YVLNUIzowZxlKhQIvc=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=workonline.africa;
Received: from AS8P190MB1078.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:2e7::13) by AM7P190MB0757.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:11c::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4778.13; Sat, 11 Dec 2021 13:37:35 +0000
Received: from AS8P190MB1078.EURP190.PROD.OUTLOOK.COM ([fe80::a079:73c5:8443:3068]) by AS8P190MB1078.EURP190.PROD.OUTLOOK.COM ([fe80::a079:73c5:8443:3068%7]) with mapi id 15.20.4778.016; Sat, 11 Dec 2021 13:37:35 +0000
Date: Sat, 11 Dec 2021 15:37:26 +0200
From: Ben Maddison <benm@workonline.africa>
To: Alexander Azimov <a.e.azimov@gmail.com>
Cc: Job Snijders <job@fastly.com>, "sidrops@ietf.org" <sidrops@ietf.org>, Ties de Kock <tdekock@ripe.net>, Nick Hilliard <nick@foobar.org>
Message-ID: <20211211133726.3tg4qo43cyrrdk2j@benm-laptop>
References: <00E18520-A535-4CC8-A287-56FB2F164E14@nist.gov> <5B2CD457-E376-4B8C-B901-202ACC4C465C@ripe.net> <a775bf84-29a3-45f1-08f5-a6728cf11bc3@foobar.org> <CAEGSd=BvEhaZyqE01hCBYwafZH5Z1-6-0eYbRL-AD3sURe4STg@mail.gmail.com> <YZ4XMQKHI5ZlLAui@snel> <CAEGSd=B2HE1Yqv-eyws=8xbjkxAnC8-pWWF4zveNCSJ++7q7fw@mail.gmail.com> <20211208120944.5oq6o2sr6m6xzq42@benm-laptop> <CAEGSd=BdohzVk7xBcYpp7e=_nn6jvRJ83pUNXQoY0tPvK3nTHg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="c5clandeiayqlu2y"
Content-Disposition: inline
In-Reply-To: <CAEGSd=BdohzVk7xBcYpp7e=_nn6jvRJ83pUNXQoY0tPvK3nTHg@mail.gmail.com>
X-ClientProxiedBy: CTXP275CA0033.ZAFP275.PROD.OUTLOOK.COM (2603:1086:100:1::21) To AS8P190MB1078.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:2e7::13)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 6fc8e8f4-cd59-4115-bca3-08d9bcab63a8
X-MS-TrafficTypeDiagnostic: AM7P190MB0757:EE_
X-Microsoft-Antispam-PRVS: <AM7P190MB0757AC0CF9F152A0F7F0FF12C0729@AM7P190MB0757.EURP190.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: dniX3MXgfXtfQ+e8v9l9Z3+ATExtdvbqJS5z4SBlSV2kNfUkvVyPoQ8GqvPyvfB8d8ilUJ9EHb98RKwfpL0OojUx6hWnXKJdM7aPAg2DZizDUuQ0mhEiuy2/xz85+iL/LOf5zboOwgzWv3JyNClBP1UZTb7TM3iU8wMF64a2FbkeraecmBlhHlsigXESpVEqbuQxlHh6NAs1T7K5UyPwA8EL37umCP/mR0sBJNvK9NEDgl+er62gVTw8Qa+C9wwpGQAqE4/DsPbGW9cPwD+IQj6kK4fhEHDOI0b+H+z8ZFKA72uO8Pt/Y4+A42gSK0YoAwFN1KnjUXyRHfJyD1iZ/oSt9qhufw9XY0/VeQfCH9DteMghwE5FY1o8zUTvAknIjp+IRkJJbsuLQdI7MNzamEypINi3e/bBDsefF5Txlpf/yBRQbsWVO6yfZ+grC2d5nMxlaWqTXaIrd6oUj46+TNgGSPqBlWrcsDsDCQ8ig4o2MWE8IWNo2aJmXnb2NglvfVj1rdtMcnt2Hjl/93lN7IesXi8znKFGSjKc7UXNAPl7lFGn9eyqgvTOZO3PGTqlEuZYBQDppwGyFnC3+sc3xmgQqCqnHaqHQj9KEa2oar38KWGETbaKAimFp0KQBWravEIjraAtBqRakBvIUS5zexqCa9TyxvC5aa5SMnA6LfzFMDSNgYTziAmh4Rx3l1PaKRzgA6FR2XaZCaPuSlNd7Rd4UyIzMeeS9h88e8hJ/6nptHticB76r54fpm/DM5IW
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8P190MB1078.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(7916004)(366004)(376002)(346002)(136003)(39830400003)(396003)(6916009)(4326008)(52116002)(508600001)(44144004)(66946007)(66556008)(66476007)(1076003)(6666004)(26005)(6512007)(38350700002)(38100700002)(316002)(54906003)(9686003)(86362001)(21480400003)(8676002)(5660300002)(33716001)(186003)(2906002)(6486002)(83380400001)(8936002)(6506007)(46492014)(2700100001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: pgg8cLaaTkbHFl8rgcafYfg6z28t6JXD+6/j728vJK0KGyN5UDmxRga0WHS4gZV+JDnLPoC+5mXkOHHYizwK1043p0Uq1gbWiKLNUdfiNB45wdjZW2/uSSUrXbnlY7NCy5rKgId5EiJ1QUphocny4i9DCCRytAzjG/ojuu0NkKVLCmcpixgqnIr9pBWCs42hQEKfj/Uridh/sOHGX35keHfckiDBH3QQRmvzZpYfNIppzYGJUt9p0LCMkxmfbk+yg52TatnJaefpDEJJXunLP3KMLyagsFe1zCifmEJTxVbBGxrzSxgkKM7yQW92vAsT82op0ttsV19gF+0IYgmAXpxZEPFrK+w0fKSL68hRVZGhUtySR0P5kpB1q6wIaVyUCcJP7SNV/xt+kcOSgY4qT32l8r7EgJ6JvJZwL4akfYx72mYOtLHI3BfVLzd7LaYZKTDJ3J9+IHqg48FHJrMXZzf+QQZzaLoFBZm21CydMXzIQF7YSe8clFhCOJWqQ6Wcc7gsGKmQO/Cyo9HrjbrsBjQvJAeD0HVBWkInNzetqwAvv9yg4LdYbmMmNrjuyAbGJOtGthOSzd4JzOUVSmRnGg9tkzXddrLkFC8hq4I5EcHkD7ibdnCBDN9P381jJJSP6jwtLD+KdhS6PtdMt3EgR06ADvsqAlQtVkcQn1JyOiN9Xhxo9JcOOoEBCOkBIGc+emGE0gKv6mfLUbkj+er4rdXQ/BsxKiCssAGgkNHrae+5WFzaNjEMe/YVZYbG0QOvq09K1WnPhhpOM8/ywf7KOoVELII3l4slUL0UcS4kPl99ecgflBzCgsoS6fUk/5LVZ2GbePOSGBrZ/38oMqhuL3EJsmwFXKha3hQ/W3yzcJ9tRhoOERrDZuysbak0bQqNfoWAXzOKGDS+UzSA+HY+knZfwXU267nKaziZTKSZg2Wb110MnGv87dqMAXXME5AWMh9D0nqSFXeJKoa1ha/CV8z6YvCMhmEvSbjSWlFnJKbIgHJ4uM26JE5mh3Lg5VnxmvqvXwbWm3BrHTVFjRa9TNhbPVFgJGyLnSnGZkQqNKqDcE2y0EiYA5f87yT2taS4E5LdXDeVGaPLy1tMJE1O0Xynz8ta0ZIjZv1Tn7usLjlR1RTt8uoEshX/M9bgEVoGRzCbmnss5sK1bPraE5YYOP1nvHyY0ekx8ANgGag2LNDoio62qWdFeEMAAna7XlXqPf6XCyPlSpiZX2VE6psI079/D6hx/KGflESDm9Td5kKsZ/GQOfpw5mfOEdDsaFin4PS8DTZgkHTBJyDlqDd1QhNFwTAyzPFSRr+n3AF5PxngziWKJEKlP2rfNHXLm55n8skin0gzDqPCikcT+SX2dwULHseWGPGmrnP+IbqQONO7ABw9/U/qQNe8dmWntwLBYsvLTk54QPPNVwrsw/Lgr9l+uznT53vef4D/Ta/WMkeQYVJiO1RNAM1OWYDKA1lRns0fo0PmEvtPeMZC/9Rl1Prp7M7hJoJrfeTMBK3OxWknoujubac/TWkpK5yLcNEqMjpOoIUub6B9+SyfaGIkiKXWly/r74sHaShMWl2jxdIVilhBuIn+dnyvifJas8l5+Rmg81C2Nz5S6qNZTcVd41ZluoQSDOYnA1oJfIAHnpo=
X-OriginatorOrg: workonline.africa
X-MS-Exchange-CrossTenant-Network-Message-Id: 6fc8e8f4-cd59-4115-bca3-08d9bcab63a8
X-MS-Exchange-CrossTenant-AuthSource: AS8P190MB1078.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Dec 2021 13:37:35.0036 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: b4e811d5-95e8-453a-b640-0fba8d3b9ef7
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: iRR32QTXiFMCG/YTc8TrdxNN++T8BS6HvuGfieSI693FC5vLWLPppDNp5F/jrXYh+xtuvArdE52y3vSeU1FfMA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7P190MB0757
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/PIWo1uwqTx4fVTpguCf9aqUj-5A>
Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-rpkimaxlen-08 - ends 25/October/2021
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Dec 2021 13:37:50 -0000

Hi Alexander,

On 12/10, Alexander Azimov wrote:
> > > [...]
> > >
> > > Let's elaborate what kind of events we are facing at the moment.
> > > The majority of hijacks and route leaks are mistakes. We can assume that
> > > the difference between accidental and malicious hijacks is absence of
> > > forged as path in case of accidental events.
> > > So, ROA with ANY prefix length is good enough to limit the blast radius
> > of
> > > accidental hijacks.
> >
> > Only if the origin AS of the hijack route is that of the hijacker. That
> > is not the case for all mistakes (Noction-leaks, for example).
> >
> > Minimal ROAs are the best current initial line of defense to such
> > incidents.
> >
> I agree with your point about Noction. At the very moment, we don't have
> any other technique if forged disaggregated routes are leaked.
> Though it is mixing up route leaks and hijack problems, and there might be
> more suitable solutions for route leaks in the long term.
> 
> My point and my main concern grow from the fact that Noction-like incidents
> don't present all the scope.
> The incidents that I witnessed were results of redistribution of static
> routes with Invalid origin AS. I hope we can agree that for this kind of
> incident the length of ROA doesn't matter.
> 
Yes. We can certainly agree there.
However a substantial proportion of the wide scale incidents that I have
seen in recent months have been such events.
We really don't have a good defense to these other than the ROV
length-check.

> >
> > > Unfortunately ROV deployment isn't at the level when we are no longer
> > > affected by accidental hijacks. And the best option is instant prefix
> > > deaggregation, if it is possible.
> > > And I hope you will agree - the time is precious.
> > >
> > > Now let's discuss how the recommendations from this document may
> > complicate
> > > things that already got nasty due to the fact that your address space was
> > > hijacked.
> > >
> > > *Scenario 1:*
> > > Being a proactive and BCP aware autonomous system holder, one may add
> > > egress ROV with strict policy to drop Invalid routes with an exception to
> > > blackhole routes.
> > > In case of a hijack this good citizen will have to relax it's routing
> > > policy/turn off ROV on egress. It is still not that bad, but in huge
> > > companies with complicated access rules to devices, it may still take
> > time.
> > >
> > If your neighbors drop invalids, turning off egress ROV doesn't make any
> > difference: the update gets dropped on the other end of the wire.
> >
> > If your neighbors don't drop invalids then this can be done in local
> > policy using SLURM, in close to real time.
> >
> > In either case, this is a red-herring.
> >
> In this scenario, I was supposing that ROV is done on egress and is absent
> at the ingress of the neighbor.
> And, yes, it can be done using local policy, but it may take time if this
> scenario is not thought out in advance.
> I wonder if you want to cite it in your document. I don't see any
> references to rfc8893 at the moment.
> 
I'm hesitant to add any more length to an already lengthy document.
I kinda think this should be fairly obvious to an educated reader.
What do others think here?

> > *Scenario 2:*
> > [...]
> >
> I think you missed my point in this scenario.
> 
Yes, Sriram pointed out to me that you were considering competition for
path selection inside the intersection of Y and Z's customer cones. I
missed that previously. Apologies for making you repeat yourself.

Viewed from this perspective, this scenario is simply a variation on the
one that lead to us adding section 5.2.

In this case the defensive routes are hidden because of differences
between local-pref in Y, but the effect is the same as if there is no
adjacency between X and Y.

I stand by my view that, in the general case, solving for this creates
more risk than it removes. But I also appreciate that this general
guidance is "general", and isn't necessarily true for your employer, or
those with similar topologies...

> [...]
> 
> I can imagine that for access providers the list of 'important' targets may
> be quite small these days.
> But this view can be very different from the content provider sude. Last
> time I made this math I had 1000AS to cover 80% of egress traffic and
> another 1000 AS to cover 95%.

Yes, the same distinction occurred to me.
This phenomenon only occurs when the networks that one cares about are
not directly adjacent to the hijack victim.
Most content networks with which I am familiar have very high external
interconnection density, and are usually only one AS away from the other
end of a TCP connection.
This would make the above much less of a problem, and perhaps explains
why other CDN ops people here seem less concerned about it?

I wonder if you have looked at how many of those ~2k networks you are
directly adjacent to?

> I hope you admit that makes 'some' networks care about the customer cones
> of their peers. And as far as I know, these networks are primary targets
> for Noction-like systems.
> 
> [...]
> I hope you reconsider. Let's try to find the golden mean between our
> positions.

I think that we can resolve this by explicitly noting that the "general"
recommendation of section 5.2 will not apply to everyone.

Something like (section 5.2):

    447,451c447,452
    <    victim and hijacker filters ROV invalid prefixes, it may be the case
    <    that the existence of a minimal ROA issued by the victim prevents the
    <    defensive more- specific prefixes being propagated to the networks
    <    topologically close to the attacker, thus hampering the effectiveness
    <    of this response.
    ---
    >    victim and hijacker filters ROV invalid prefixes (or where path
    >    selection policy within intermediate ASs prefers paths learned from
    >    the attack source) it may be the case that the existence of a minimal
    >    ROA issued by the victim prevents the defensive more-specific
    >    prefixes being propagated to the networks topologically close to the
    >    attacker, thus hampering the effectiveness of this response.
    453,455c454,456
    <    Nevertheless, this document recommends that where possible, network
    <    operators publish minimal ROAs even in the face of this risk.  This
    <    is because:
    ---
    >    Nevertheless, this document recommends that in general, network
    >    operators SHOULD publish minimal ROAs even in the face of this risk.
    >    This is because:
    468a470,480
    > 
    >    Some operators, however, especially those that are topologically
    >    distant from traffic sources that they consider "important", MAY
    >    legitimately prioritise the ability to defensively de-aggregate above
    >    the protection that minimal ROAs afford.  Operators making such a
    >    decision SHOULD carefully evaluate (insofar as they are able) the
    >    filtering and path selection behaviour of ASs in their vicinity to
    >    determine the extent to which the aforementioned risks apply to their
    >    situation.  Furthermore, operators SHOULD continue to re-evaluate
    >    this decision periodically in the face of continuing deployment of
    >    route origin validation by other ASs.

Let me know if this works for you?

Cheers,

Ben

v2.23.0 | Report a Bug | By Email