[Sidrops] 答复: [GROW] Playing with origin validation

"Guyunan (Yunan Gu, IP Technology Research Dept. NW)" <guyunan@huawei.com> Mon, 13 April 2020 08:25 UTC

Return-Path: <guyunan@huawei.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B0103A1194; Mon, 13 Apr 2020 01:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZPmqyd_IgYc; Mon, 13 Apr 2020 01:25:56 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19D173A10B7; Mon, 13 Apr 2020 01:25:56 -0700 (PDT)
Received: from lhreml705-chm.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 00B98D0F08C52F5F3651; Mon, 13 Apr 2020 09:25:54 +0100 (IST)
Received: from lhreml705-chm.china.huawei.com (10.201.108.54) by lhreml705-chm.china.huawei.com (10.201.108.54) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Mon, 13 Apr 2020 09:25:53 +0100
Received: from DGGEML422-HUB.china.huawei.com (10.1.199.39) by lhreml705-chm.china.huawei.com (10.201.108.54) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1913.5 via Frontend Transport; Mon, 13 Apr 2020 09:25:52 +0100
Received: from DGGEML512-MBX.china.huawei.com ([169.254.2.152]) by dggeml422-hub.china.huawei.com ([10.1.199.39]) with mapi id 14.03.0487.000; Mon, 13 Apr 2020 16:25:46 +0800
From: "Guyunan (Yunan Gu, IP Technology Research Dept. NW)" <guyunan@huawei.com>
To: Job Snijders <job@instituut.net>, Robert Raszuk <robert@raszuk.net>, "draft-ietf-sidrops-ov-egress.authors@ietf.org" <draft-ietf-sidrops-ov-egress.authors@ietf.org>
CC: "grow@ietf.org grow@ietf.org" <grow@ietf.org>, SIDR Operations WG <sidrops@ietf.org>
Thread-Topic: [GROW] Playing with origin validation
Thread-Index: AQHWEPnYMjz2Fc6T/ECUWs0DUE9yb6h1X2eAgAFTreA=
Date: Mon, 13 Apr 2020 08:25:46 +0000
Message-ID: <C01B0098369B2D4391851938DA6700B7179AEDF2@dggeml512-mbx.china.huawei.com>
References: <CAOj+MMFiD=M6h3OU1ubW60+QJ-Yg1DBVV2uskBJQGYzP+gdE4w@mail.gmail.com> <20200412195119.GA45907@vurt.meerval.net>
In-Reply-To: <20200412195119.GA45907@vurt.meerval.net>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.108.203.187]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/QLhj90XA7SHYS0zeHveiwrkReos>
Subject: [Sidrops] =?gb2312?b?tPC4tDogW0dST1ddIFBsYXlpbmcgd2l0aCBvcmln?= =?gb2312?b?aW4gdmFsaWRhdGlvbg==?=
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2020 08:25:58 -0000

draft-ietf-sidrops-ov-egress-02 could be a good solution to the case that Robert raised. The egress OV provides the export filtering for routes with invalid ROA validation result. With this capability supported, the origin AS/AS operator is in fact able to identify that its own ROA entry is out of date and needs to be updated. However, currently there's no further action/suggestion specified other than filtering in the draft-ietf-sidrops-ov-egress-02. So, a small suggestion to the authors that maybe some specifications can be added to the draft regarding how the origin AS could/should react upon this case. 

BR,

Yunan

-----邮件原件-----
发件人: GROW [mailto:grow-bounces@ietf.org] 代表 Job Snijders
发送时间: 2020年4月13日 3:51
收件人: Robert Raszuk <robert@raszuk.net>
抄送: grow@ietf.org grow@ietf.org <grow@ietf.org>
主题: Re: [GROW] Playing with origin validation

On Sun, Apr 12, 2020 at 08:39:58PM +0200, Robert Raszuk wrote:
> Would anyone be able to explain the below phenomenon?
> 
> RPKI Origin validation marks net 45.227.254.0/24 as INVALID as it 
> expects it to be originated by ASN: 395978

If you look at https://stat.ripe.net/45.227.254.0%2F24#tabId=routing you can see that the prefix is only seen by 72% of the RIPE RIS collectors, this is a very low score, I'd consider this a problematic network outage. If you'd have internet access users serviced out of the block it probably would mean many websites don't work, or don't work well.

In the 'Routing History' widget we can see:

    May 2018 - Jul 2018 - AS 395978 
               Aug 2018 - AS 62088
    Oct 2018 - Mar 2019 - AS 42260
    Feb 2019 - Mar 2020 - AS 51852

I guess early someone deemed AS 395978 deemed to be the right origin ASN and create RPKI ROAs, but subsequently didn't update these RPKI ROAs to the new ASNs as the space moved from lessee to lessee. I suspect IP address leasing is in play because the announcement periods don't seem to overlap, suggesting there might have been coordination between previous and next Origin ASN.

Since the ROA still exists, whoever created the ROA (to authorize
395978) still is in authority, so from an operational perspective it is incumbent on that entity to correct the RPKI information. If the space had been transferred from one LIR to another LIR the 'offending' ROA would've been deleted in that transfer process.

> But it comes from  51852 which according to ipinfo or bgpview is 
> legitimate ASN:
> 
> https://ipinfo.io/AS51852/45.227.254.0/24
> https://bgpview.io/prefix/45.227.254.0/24

I am not sure in what way you are reading the data, the information displayed here doesn't weigh in on legitimacy. Both websites are frontends to public whois data, they shows the prefix is suballocated to 'Xwin universal ltd', but the originating ASN is 'Private Layer INC'.

> As I see similar discrepancies in many global networks I would like to 
> ask who to trust ? If RPKI data is not valid then I think we have a 
> real problem.

I am not sure it is about trust. I trust the system works as designed, which means there is potential for human error in the ROA creation process. In this sense IRR, DNSSEC, and RPKI have some similarities - they all potentially set a user up for failure.

Operators deploying OV have to the balance of inconvenience for entities who misconfigured their ROA against the consequences of accepting BGP misconfigurations or hijacks of prefixes which could've been prevented had ROAs been honored.

An operator should notify its customers who are announcing RPKI invalids before deploying Origin Validation with 'invalid == reject' policies on the EBGP edge. This way the alert notification about the ROA misconfiguration follows contractually established inter-organisation communication channels. Sometimes that mechanism works well!

Another theory is that some (a lot?) of the RPKI Invalids that exist in the default-free zone in a steady state are not really in use, just 'parked'. Folk wisdom suggests if you don't announce all your prefixes in the DFZ, malicious actors tend to notice and start using the space in your stead. Because of this (and other reasons) we can't really know what IP address space is actually in use or not.

Traffic studies done by some network operators in the months prior to deploying RPKI OV commonly show very little or no traffic destined for RPKI Invalids. In these studies it is important to separate RPKI invalids that become 'unreachable', and traffic for IPs covered by RPKI invalids which are covered by a less specific not-found/valid announcement. https://mailman.nanog.org/pipermail/nanog/2019-February/099522.html

Back to the prefix at hand, I believe this to be the party in charge of the RPKI ROA:

    $ whois 45.227.252.0/22 | grep @ | sort -u
    e-mail:      noc@FLYSERVERS.COM

One could reach out to the operator and ask them?

Kind regards,

Job

_______________________________________________
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow