[Sidrops] draft-sidrops-maxlen - questions from 110 session
Ben Maddison <benm@workonline.africa> Thu, 11 March 2021 20:09 UTC
Return-Path: <benm@workonline.africa>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 232733A114A for <sidrops@ietfa.amsl.com>; Thu, 11 Mar 2021 12:09:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=workonline.africa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SNJUMAKZ2LVx for <sidrops@ietfa.amsl.com>; Thu, 11 Mar 2021 12:09:13 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60067.outbound.protection.outlook.com [40.107.6.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CEEE3A1148 for <sidrops@ietf.org>; Thu, 11 Mar 2021 12:09:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ib9aCSSvNf4yi3grtD/BqzrsL9If2a9TlXKHZur98A2DrT8J/dFeUT2Nf0QIpJHi1vzegJGrLI/9j45zA3oK419Ke+LBH7Nj9TcNwNiSvqDGchQImKieKg9PFo2SxVeDaFw0FSXYdahPfOOY/uLIw1OrJome2L4KEuEmt8uZT56TqEB5rCLs+2AwBw+qEQPjpetwgh52136BRKVFp2dGCKOCkBKZle5UXDrOXPCOezbwyQR9O5ltOgsGzmqWQCdbieiw1LXwoHCprV7EnhhKXnhsk5IkZt2nYXk4sIgqBtSvn/g0ZA3wZ05e5V9Y5mU7Q9Yyni9oQqP8FqO7sT6L2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ig7p3Yk50TgoHZhTom5uJA9mLk1rXnR18wrQs4f0t0A=; b=UwNl6Ty9sxZbgWgx1kYA1G2jBNI4HxdxUAdVtELbggXgPTGYzDtNml7r066q9vcAP6VpdvnzwD4WAWSKDooJ6Zkqx3KvN27aCrF3jF2MmnItUjWc/qr1vJbK371t42lrkVh0BL+f0mhFZst630oTIAxQ08NnKj+lMJa07kxJ93b9sydwNH/K7aM4YT3aCKmR1yvywXKCnUm+2KCuA0Wao6vkS0Z15sackYXw7OmEBRJeqBOeDugFwwS+oQ+/RcK/or08m6qfKDlR/9u0rM3opSH7vTxYxLu7UB/xZVsspH1/rUzB/vwW98R89CVab4NT0vaYRNMs+cgiXkcvnwt5nw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=workonline.africa; dmarc=pass action=none header.from=workonline.africa; dkim=pass header.d=workonline.africa; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=workonline.africa; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ig7p3Yk50TgoHZhTom5uJA9mLk1rXnR18wrQs4f0t0A=; b=YC8uxhTyBUv7OiEF+LupM0eidoaFmjZ6Ae8zIG1FsfMkfjIw7rfqrpW+MrLG/66kESec7lrxNYy8n/xOjMhWbgulfD8GdctYEfPy219gUj6CSZFvAg/ugvnAqykjqDidOR6MU7eLhnkauh59lZ8BhEW5hPEPURWRWU5qfCtTnNo=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none; ietf.org; dmarc=none action=none header.from=workonline.africa;
Received: from VI1P190MB0751.EURP190.PROD.OUTLOOK.COM (2603:10a6:800:12a::9) by VI1P190MB0624.EURP190.PROD.OUTLOOK.COM (2603:10a6:800:124::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3933.31; Thu, 11 Mar 2021 20:09:09 +0000
Received: from VI1P190MB0751.EURP190.PROD.OUTLOOK.COM ([fe80::e957:cd87:272d:5fcb]) by VI1P190MB0751.EURP190.PROD.OUTLOOK.COM ([fe80::e957:cd87:272d:5fcb%7]) with mapi id 15.20.3912.031; Thu, 11 Mar 2021 20:09:09 +0000
Date: Thu, 11 Mar 2021 22:09:00 +0200
From: Ben Maddison <benm@workonline.africa>
To: sidrops@ietf.org
Message-ID: <20210311200900.cwrctqybf45cecao@benm-laptop>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="jzxbtc6iq4xld3kl"
Content-Disposition: inline
X-Originating-IP: [160.119.236.50]
X-ClientProxiedBy: JN2P275CA0008.ZAFP275.PROD.OUTLOOK.COM (2603:1086:0:3::20) To VI1P190MB0751.EURP190.PROD.OUTLOOK.COM (2603:10a6:800:12a::9)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost (160.119.236.50) by JN2P275CA0008.ZAFP275.PROD.OUTLOOK.COM (2603:1086:0:3::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17 via Frontend Transport; Thu, 11 Mar 2021 20:09:08 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 65b5a0b9-bd81-4b73-8094-08d8e4c9879d
X-MS-TrafficTypeDiagnostic: VI1P190MB0624:
X-Microsoft-Antispam-PRVS: <VI1P190MB062491EB91C6A20EB2D46394C0909@VI1P190MB0624.EURP190.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: GN0WL3JgXtBBJFgrHFq/+BYQFhb8Um7mGvP4ipDp+KTlQ8SkR98jyftkpCkXMUGdbJVhwGp/HownLXYoqBeCIVxv8rPrMO1ve+XN8cO6pOJSpb3z+0xbHx7vUgQEyi3SVw2UPNGcD4wMO6pb1K+VUu0b8w+dQ5zvVNG9fgf2UPl3t2cT4V3EvdNqDzRHXnxlV+SMsTJpnf7MorVxOC05nbbVPZYC/sTY5AMbcAQwH//MsHrpX9adMWyaalbWZaG9NxT8X6LGWAPjiXbQKBLpnMJNRGzs26GaMpMSBXGmRtSl7GEMsqGFwquAMvIg3TOKCwM5jdUfJ5dtPs6U5YUeRIDVFTUJjqPp/VXOu+6Tt6n/dN28J0w7dnk4tBu48N208ucNbIY0ofs6QzWvuSoK5/BlVYvmPq9OKXHxncRUBgnbzmOeYoXHqydLRMJcr6yZrA39A0gQj0thp2NG/F/ft01u/V93TpynColHsL4LKlsExOFY4Sl6uTyBhOF3HBl6YyJc0zIzwIu/tbEH8DEde8xOd1i1cxb9EcVu9lqwHh1Rh95OLw5twhEksuG54nYTDZo3Z+Srn10mUevWHmDvth4uFeQgXu+1zjRkk9CJyOaxju95zajrVSh2z2CmXPGvi9c5DG3/huDsg6tT8GSxlA==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1P190MB0751.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(7916004)(376002)(39830400003)(136003)(366004)(396003)(346002)(6916009)(8676002)(2906002)(66574015)(8936002)(86362001)(83380400001)(9686003)(44144004)(1076003)(316002)(66556008)(186003)(16526019)(66476007)(66946007)(6666004)(478600001)(6486002)(21480400003)(956004)(26005)(52116002)(6496006)(33716001)(5660300002)(46492009)(2700100001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: JiCYdIH/f3WRv1ysCwDz3gZowReSmuH++Aj0hgRqluZ23EjctUSeTTqhFSyGP9WdfB5U9HueX+LylbdSBzwGSMj27lKG+wj4Yam+hONuWFAHhNFUl1MEQIPWcSMClo5Be+IPJYXpDFy7xdMiNO9g/n4RByqj3dY7jQHZXdGuUc34tw8tVOTfVdG4J0qJk9jUojiwwYjTt5yHEv8z5KA8W716kF69U2tozrQ6N9S3jWYVxbiuwquEascwPBl/IG+ekjSYPph4qGG9zJQXd5UWb7vJK1IXo94gpPsco8GtybeQ/NI5UVpNF65GOUFWpt41Y5sJdUdhSLzLO4R7OYlVCX12EkDM3RSBUeDR2qN18OY5Kms6E6yh5mQ6eI797BaI6Z5uyFT2xqAYHMbn+wPlqpRiiw85uEqVa3dcM7DDJXMVMtJ84N2Ahvc3Rcoshz6EsH/JtnekxpP5QnoQcWEIvbAQTQRIgfr7REfYGyH7rXMWDm/V7pYGedf2uGHGazPlhFGDcNnEu26OKRBHs9anDv9jxyMcOhJsymelG/UO0xGo4mXFc0Eloj9KrrZmIa8s6Vy6lUyoNTe63vBlaklfFFvPB3OxOrZYINbVXTfOc6eM0zFiKdn8szQkZXHjqpwmM0BvQ/xeBcT6Yx2tdkLTp1jahgbL/Kg3rjfA1dhrPh4XcIScrrLkAdPJDaKNh42zXYJ8BiCN7DihzxBrWmEfEQq8FPImA7FdA/KI4tcqQYDEp0f7i7oVTA+gzA2ZXB3J8iYZkv/IoLwZDsVBE5ssd/Uvqj864J7CtcNjYqtOPMbGxca/WV02C7JISf+tsJaJf9RN45ZnVTxn1u/2WK3YPTupbZU2yLPEfpPM0k9ki4xa7jh8ySFFHK5sqt/dD33oHIvkP/CWnzVDMIVFXbWu5isAcgTRudk+Ej9czO+ii13uJQ1z2enj8DjAJzVPdRX++Yxrf3ngJeAzI5v0MKBHZ12FXmg4sb7U4iu7onza3R6Gzcg7ePWTgp6mSnYSkEYTasRLOr7n6yLYimJ1CTUCcbrKH/UN0MqfNZFhNHKs4XbasSDXJ3kjD9ODnOmz024641howOn7g7iCITRY4/4NNLpD5L4JTaTOv5DvonvbvGdEXDDkYYLhr+uiaznQEgaComOhtSFIjFcUFN90XQLUysbPPuHY0f5ab5orGQB913SPG9jDT5+fpd4JPZdkP2m9H8YQSO+hb/lKZ4kdPiQpZ2DpIRaTeiMhOgOqNriBrj9g9a6tjxOecO8zwVeA34kYiTK9g054vEfU/ciWiNbjt9OndtcAMdgDmsAVZ35QM76TH5/C5ecdU3MjV4HjABBC
X-OriginatorOrg: workonline.africa
X-MS-Exchange-CrossTenant-Network-Message-Id: 65b5a0b9-bd81-4b73-8094-08d8e4c9879d
X-MS-Exchange-CrossTenant-AuthSource: VI1P190MB0751.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Mar 2021 20:09:09.0986 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: b4e811d5-95e8-453a-b640-0fba8d3b9ef7
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: B+YxuKh1z07npG3JT8SutWy52bpeXM4NCYsH5zMC7qfa1jNigYqqXLNNbYC1wDoHLpzTDF/17xHywqXu3LA0Xw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P190MB0624
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Q1Bl-9tX0o0kAMivdLd34S85_88>
Subject: [Sidrops] draft-sidrops-maxlen - questions from 110 session
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Mar 2021 20:09:17 -0000
Hi all,
During my presentation yesterday, I indicated that the authors believed
this document was ready for WGLC.
However, I believe that the question raised by Alexander at the mic
deserves some further discussion first (although I'm yet sure that this
document is the place to deal with the issue that he pointed out).
I will attempt to demonstrate the issue that Alexander was describing
(@Alexander, please will you speak up if I have mis-interpreted your
description?).
Description
===========
Consider the following topology:
+-------+ +-------+
| 65020 |-----| 65021 |
+-------+ +-------+
| \ / |
| \ / |
| X |
| / \ |
| / \ |
+-------+ +-------+
| 65010 |-----| 65011 |
+-------+ +-------+
/ \
/ \
/ \
+-------+ +-------+
| 65000 | | 65666 |
+-------+ +-------+
65000 is a customer of 65010
65666 is a customer of 65011
65010, 65011, 65020, and 65021 peer with each other in a full mesh. The
business relationships amongst them are unimportant.
65010 and 65020 perform ROV and drop Invalids on import
65020 and 65021 do not.
Assume that ROV is the only possible form of import filtering in place
at any AS border. This is not a good assumption in practise, but
simplifies the analysis.
Every AS has policy do discard prefixes of length > k (for some k common
to them all - in the IPv4 DFZ today, this is almost universally 24-bits)
65000 has an IP allocation P/m from its RIR, for some m < k. 65000
announces only this aggregate.
65666 is attempting to hijack traffic for the sub-prefix P/k.
65666 injects a route for P/k into BGP, and advertises it to 65011.
65666 is a relatively sophisticated adversary, and will inspect the
global RPKI to determine whether a ROA matching P/k exists:
- If a matching ROA exists authorising asID X, then 65011 will announce
P/k with AS_PATH 65666_X;
- If no matching ROA exists, it will announce P/k with AS_PATH 65666.
Consider the following scenarios:
A. 65000 has not created any ROA covering P/m
B. 65000 has created ROA(prefix: P/m, asID: 65000)
C. 65000 has created ROA(prefix: P/m, asID: 65000, maxLength: k)
Scenario A
==========
The route for P/k originated at 65666 will initialling become best-path
in all ASes (possibly even 65000, if their import policy doesn't filter
their own prefixes). The attack will initially succeed almost
universally.
65000 may respond by dis-aggregating, and announcing their own route for
P/k. As a result of this response, the steady state outcome is:
- 65010 will forward towards 65000
- 65011 will forward towards 65666
- 65020 and 65020 may prefer either (or even load-share between both)
The attack will be ~50% successful (from the AS-level perspective)
Scenario B
==========
Any route for P/k will be dropped at the border of an AS performing ROV.
This includes the hijack announcement or a defensive route announced by
65000.
Thus, there is no opportunity for 65000 to announce a defensive more
specific, since it will not propagate to or past 65010. (This, I
believe, is the crux of Alexander's point).
The steady state outcome is:
- 65010 and 65020 will forward towards 65000 (based on the Valid P/m
route)
- 65011 and 65021 will forward towards 65666 (based on the Invalid P/k
route)
Scenario C
==========
As described above, 65666 will forge the AS_PATH such that the
originator appears to be 65000. The hijack route will therefore be ROV
Valid.
As in scenario A, the initial attack will be nearly universally
successful.
Also as in scenario A, 65000 may respond by defensively announcing P/k.
However, 65000 does not need to artificially increase the AS_PATH length
in order to make the announcement ROV Valid.
As a result, the steady state becomes:
- 65010, 65020 and 65021 forward towards 65000 (due to the shorter
AS_PATH)
- 65011 may prefer either one (depending on its relationships with the
other networks)
Conclusions
===========
The initial impact of the attack is minimised through the creation of
a "minimal" ROA.
However, depending on the (ROV policy) behaviour of the ASes in between
the victim and the attacker, the "minimal" ROA may impede the ability of
the victim to defensively de-aggregate. In such a scenario, and in the
face of a persistent attack, the long-run impact in the presence of a
"minimal" ROA may be worse than the long-run impact in the presence of a
"non-minimal" ROA.
Both cases are still better (or at least no worse) than the impact if no
ROA exists at all.
Generalising
============
Where there is partial deployment of ROV (with discard-Invalid) it is
possible that a sub-prefix hijack may originate within a neighborhood N of
the AS-connectivity topology, such that
- no member of N has policy to discard ROV Invalids; and
- there exists no possible BGP update propagation path from the victim
AS to N without traversing an intermediate AS that does discard ROV
Invalids.
In such a case, a minimal ROA may make it impossible for the victim to
defensively originate a more-specific prefix to "compete" with the
hijack announcement for bestpath selection within N.
However, a "minimal" ROA is still the best way for the victim to
minimise the immediate impact (i.e. before any defensive measures can be
taken) of the attack, and to guarantee that the impact of the attack is
limited to traffic originating in N.
It is not possible to provide general recommendations in this case:
- The existence of such neighborhoods can only be determined with
reference to the topological location of a potential victim, and with
detailed information of the routing policies of the networks in their
vicinity;
- For any such neighborhood that does exist, the victim must weigh up
the relative importance of:
- Minimising the initial impact of the attack Internet-wide
- Guaranteeing that an attack will not succeed in attracting traffic
outside N (including in the attackers immediate vicinity)
Versus:
- Losing the ability to mitigate the attack within N.
In practise this will likely come down to the traffic that the would-be
victim expects to receive from any such N, that could be put at risk.
Cheers,
Ben
- [Sidrops] draft-sidrops-maxlen - questions from 1… Ben Maddison
- Re: [Sidrops] draft-sidrops-maxlen - questions fr… Ben Maddison
- Re: [Sidrops] draft-sidrops-maxlen - questions fr… Alexander Azimov
- Re: [Sidrops] draft-sidrops-maxlen - questions fr… Sriram, Kotikalapudi (Fed)