Re: [Sidrops] draft-ietf-sidrops-aspa-verification-01: Handling unknowns

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Fri, 26 July 2019 05:38 UTC

Return-Path: <jheitz@cisco.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F15C51202A7 for <sidrops@ietfa.amsl.com>; Thu, 25 Jul 2019 22:38:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Nv6Y9fnx; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=MHKGum0Y
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lg-16YrU4TU3 for <sidrops@ietfa.amsl.com>; Thu, 25 Jul 2019 22:38:51 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87DD81202A5 for <sidrops@ietf.org>; Thu, 25 Jul 2019 22:38:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=28032; q=dns/txt; s=iport; t=1564119531; x=1565329131; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=7FA1y6IgdtttWeWFnVFecfhZVcUyFtpwHTO4KSTzOg4=; b=Nv6Y9fnx5hgLg3CZr77nAhD4pkGeLuHtvuiPAjHaQVPD9Z5Fb7mE5eaf VMyB98Gqb2slVLA6qKA02lyqsqnzWqrwrzaj+AL2pQ9b0G0pUWKun0LCg 8O+wpSKJbpfn0jXD41BtIdIcx6LepMFcQSC21/RoYqk7F/A0J1Cq8Hcps 4=;
IronPort-PHdr: =?us-ascii?q?9a23=3AJinPfhD+/aD32qZAQuHfUyQJPHJ1sqjoPgMT9p?= =?us-ascii?q?ssgq5PdaLm5Zn5IUjD/qg83kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHw?= =?us-ascii?q?QAld1QmgUhBMCfDkiuLv7nbjAoNM9DT1RiuXq8NBsdFQ=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AXAACckDpd/5ldJa1mGwEBAQEDAQE?= =?us-ascii?q?BBwMBAQGBUwYBAQELAYEULyQsA21VIAQLKoQeg0cDhFKILoJbfohWjX+BLoE?= =?us-ascii?q?kA1QJAQEBDAEBGAEMCAIBAYN6RgIXgkcjNAkOAQMBAQQBAQIBBm2FHgyFSgE?= =?us-ascii?q?BAQQBARARChMBASwLAQsEAgEGAg4DBAEBKAMCAgIfBgsUCQgBAQQOBQgagwG?= =?us-ascii?q?BHU0DHQECDJEDkGACgTiIYHGBMoJ6AQEFgTYCDkGDAA0LghMJgTQBi14XgUA?= =?us-ascii?q?/gRFGghc1PoIaRwEBAgEBFoFJKwkIgk0ygiaOfoR/iG2NIS1ACQKCGoZZiUC?= =?us-ascii?q?EEoItbYY4jjqKPIpIgXWKR4NPAgQCBAUCDgEBBYE9EziBWHAVGiGCbAmCOYN?= =?us-ascii?q?xhRSFP3IBgSiNXwEB?=
X-IronPort-AV: E=Sophos;i="5.64,309,1559520000"; d="scan'208,217";a="607899259"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Jul 2019 05:38:50 +0000
Received: from XCH-RCD-020.cisco.com (xch-rcd-020.cisco.com [173.37.102.30]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x6Q5coHU019318 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 26 Jul 2019 05:38:50 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-RCD-020.cisco.com (173.37.102.30) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 26 Jul 2019 00:38:48 -0500
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 26 Jul 2019 01:38:48 -0400
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 26 Jul 2019 00:38:47 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=g2sfmVxIYKFMS/hMA3KVEHuNV1k2BacijD+UKsJkyYXhjjDTkCuL9DG/PE5xmcQQv9Zen1/WdHw8Yk5ypZfFHAlpWHsneX7FbLAQVhaC9ggPUIV1ZMip21QLLlmg9csv4vbrQmmyn8Yhqu2rMqCfJOAf4at1UXl+GdRXqtdU2IPXf6qCBuIJn5qsVNE7sMRVPQqUYGaiqmbbd4eTia3tTpxTEq+YAolieuFInM4teJqpStBPJZ47soiUaM5j98WG7hg1QOgRBRinjpb84NtuSJeDKbnTO3gETThGaMqKDcSRoJ1FhBNmwn+ITcZLg03zKf9FsowHx4NokK5cEHreNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7FA1y6IgdtttWeWFnVFecfhZVcUyFtpwHTO4KSTzOg4=; b=Jxa0HgpVOjj1fmIGyCms3I4aXPvdutKqYbvkdQYVSH3E3cXmGvo58/CWqu9iWUgemdTg9NxRIWwh5TfjGhf3fFOQtfALkPxewh7QH73YzqWxfSAN4bktZB0vAd/jV1eoSENylD1xAPlXH0onzM/NtOq99DSjFWbOTg9VG7sq5evFO5gRna5VnjU0f+QkXirMfJtSmQmqkbX/suzEYyiTdCF3B5uAOuhrHX7zpFTZarpzvORH28uBETqlDd43SFUCwuOrA7IJiyhZtC0aRpaQtvu9c+fX4CF5pgRE/+tNygVk+fELye5tqhKRKpAaVUEejSogehoD5OMnR3OUhSPIcA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=cisco.com;dmarc=pass action=none header.from=cisco.com;dkim=pass header.d=cisco.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7FA1y6IgdtttWeWFnVFecfhZVcUyFtpwHTO4KSTzOg4=; b=MHKGum0YXefHXIPa0w4/gNrUluuelsLIFosGGOKoZ1BC6VucCAzl96NkuhYYlOMI6KM5sTgCbfMXXTneQtWgFXy1uJnskq2DnjGpTblOkSu5imfvcDkBUUL2mw57PFQ8Ns862XwTDYMaaBfqndNdaNEE4x+pyMWDwk94N6qKZ/w=
Received: from BYAPR11MB3751.namprd11.prod.outlook.com (20.178.238.144) by BYAPR11MB3015.namprd11.prod.outlook.com (20.177.225.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.14; Fri, 26 Jul 2019 05:38:46 +0000
Received: from BYAPR11MB3751.namprd11.prod.outlook.com ([fe80::a894:a92:ad6e:ee2a]) by BYAPR11MB3751.namprd11.prod.outlook.com ([fe80::a894:a92:ad6e:ee2a%7]) with mapi id 15.20.2115.005; Fri, 26 Jul 2019 05:38:46 +0000
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Alexander Azimov <a.e.azimov@gmail.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] draft-ietf-sidrops-aspa-verification-01: Handling unknowns
Thread-Index: AdVCo7iaisAZRDdHT/a/3q2UygwIOwAgqjYAABL4rDA=
Date: Fri, 26 Jul 2019 05:38:46 +0000
Message-ID: <BYAPR11MB3751F9334FDC8E598D004388C0C00@BYAPR11MB3751.namprd11.prod.outlook.com>
References: <BYAPR11MB37517CDEF18A211F9D9B6324C0C10@BYAPR11MB3751.namprd11.prod.outlook.com> <CAEGSd=BJ+zbpaOTjb0mQm+TktVZO+yU_xhnjM1ZMcVFLQo20xA@mail.gmail.com>
In-Reply-To: <CAEGSd=BJ+zbpaOTjb0mQm+TktVZO+yU_xhnjM1ZMcVFLQo20xA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jheitz@cisco.com;
x-originating-ip: [2001:420:c0c8:1001::216]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7152e389-ad21-4971-3fa5-08d7118b877f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:BYAPR11MB3015;
x-ms-traffictypediagnostic: BYAPR11MB3015:
x-ms-exchange-purlcount: 8
x-microsoft-antispam-prvs: <BYAPR11MB301525C57B9251321D665F93C0C00@BYAPR11MB3015.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 01106E96F6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(366004)(346002)(136003)(396003)(376002)(189003)(199004)(13464003)(66476007)(14454004)(66556008)(33656002)(66446008)(8936002)(64756008)(86362001)(256004)(6916009)(14444005)(6246003)(53936002)(53386004)(236005)(316002)(46003)(7736002)(478600001)(76116006)(66946007)(8676002)(446003)(25786009)(9686003)(5070765005)(76176011)(476003)(11346002)(6436002)(102836004)(6506007)(68736007)(99286004)(966005)(53546011)(71200400001)(606006)(71190400001)(2906002)(66574012)(15650500001)(6306002)(55016002)(52536014)(81156014)(4326008)(54896002)(186003)(486006)(7696005)(81166006)(790700001)(2420400007)(6116002)(229853002)(5660300002)(74316002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR11MB3015; H:BYAPR11MB3751.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: FeYfFIiZPwnRtlwouXsh5MHn0vxdyGNZAGQR8FeSlXKPBc7UVXsDAvi5JTdRUWnsys2xO5dVFyQjXoR1viSC1AahHdM800aeYuZ4oE57MlGMDJXwmVJ5pmnJgQ8DWYJdSd9AkXlsGsCr2p3oBH7Zp7brMe5yFWbewb0hKlgSOU4BAV98GhKHL6toPm0rFAS93C6vpmZ2j6yKYRAt+CaFpdZo77rL42H0JOcK9Ltw2PvIxyIgUQoYwcfMcjoY80mIgW7iXUDcvCez3HGY2ckMsQsphuC4AOSWsbbeI0K9VgL6IQrkPdZ34lTReS1X3pwnIRXJxZJpgKgKq7TaQWzEvqbxsMvJS3z6A3uUmtmX14Lyttn4/Fksu+r+DX5wmQqLtyNNlDSJ2eou8f09dTzXLYDiuKgrslU/v0vslRwisPw=
Content-Type: multipart/alternative; boundary="_000_BYAPR11MB3751F9334FDC8E598D004388C0C00BYAPR11MB3751namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7152e389-ad21-4971-3fa5-08d7118b877f
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jul 2019 05:38:46.5825 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jheitz@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3015
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.30, xch-rcd-020.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Qcv-8c1m456LHlDQrB6eO7X3-PU>
Subject: Re: [Sidrops] draft-ietf-sidrops-aspa-verification-01: Handling unknowns
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2019 05:38:55 -0000

If you receive an AS-PATH of 2 ASes and neither of them make any attestation,
then your procedure calls it valid. It could be invalid,
so it must be considered unknown.

If an AS-PATH contains an AS-SET, then the segments on either side of
the AS-SET can still be verified. If any such segment turns out to be
invalid, then the whole path must be considered invalid, not unverifiable.

My procedure accounts for these cases and more.
For the cases where every AS makes an attestation, my procedure agrees with yours.

BTW, you have a copy/paste error in 5.2 Downstream paths:
If a route from ROUTE_AFI address family is received from a customer
should be:

If a route from ROUTE_AFI address family is received from a provider

s/ ot / or /


Regards,
Jakob.

From: Alexander Azimov <a.e.azimov@gmail.com>
Sent: Thursday, July 25, 2019 1:20 PM
To: Jakob Heitz (jheitz) <jheitz@cisco.com>
Cc: sidrops@ietf.org
Subject: Re: [Sidrops] draft-ietf-sidrops-aspa-verification-01: Handling unknowns

Jakob,

I believe your reading of the ASPA verification procedure is incorrect.

Section 4 defines pairs wise verification procedure (let's call pair_verification) which returns valid, invalid and unknown.
Sections 5.1 and 5.2 define verification procedure for upstream and downstream path respectively.

In these procedures, the 'valid' and 'unknown' outcome of pair_verification is the same. These procedures return 'valid', 'invalid' and 'unverifiable' (in case of valid AS_SEQ + presence of AS_SET). So, your assumption that the algorithm works when all ASes in the as-path make attestations is incorrect.

To perform verification you don't need to split ASPATH into triplets (or even bigger windows). I sent previously a linear function that makes verification for the downstream path, for the upstream path it even simpler. Since you are already working on the implementation I suggest to discuss it in person before the end of this meeting. It makes me really anxious if the specification is unclear for implementers.

чт, 25 июл. 2019 г. в 08:04, Jakob Heitz (jheitz) <jheitz@cisco.com<mailto:jheitz@cisco.com>>:
I believe the path verification algorithm works when all ASes in the as-path
make attestations. If some of the ASes make no attestations, then a more complete
algorithm is as follows:

For every sequence (A, B, C) of consecutive ASes in an AS-path:
If A attests that B is not a provider and C attests that B is not a provider,
then B leaked the route: B is transiting for free. The segment is invalid.
If either A or C attests that B is a provider, then the AS-path segment  (A, B, C) is valid.
If neither A nor C make an attestation, then the leak state is unknown. Even if B lists both A and C as providers, it is not necessarily a leak, because either A or C could consider B as a provider for some of their routes, even though they don't attest to it.

If all the path segments are valid, then the whole path is valid.
If any of the path segments is invalid, then the whole path is invalid.
Else, at least one path segment is unknown and one more rule must be applied: for any sequence of ASes (A, B1, ..., Bn, C), if A attests that B1 is not a provider and C attests that Bn is not a provider, then the AS-path is invalid. This is for any number of Bx greater than 1.

This algorithm breaks the AS-PATH into triples instead of pairs.
For example, the AS_PATH (A,B,C,D,E) is broken into the triples:
(A,B,C), (B,C,D), (C,D,E).
I find it easier to reason about it like that.
It can probably be re-worded into pairs.

An additional point:
If AS-SETs exist then complete sequences between the AS-SETs can be checked for invalidity.
The best such an AS-PATH can get is unknown, but it can also be verified invalid.

Regards,
Jakob.

-----Original Message-----
From: Sidrops <sidrops-bounces@ietf.org<mailto:sidrops-bounces@ietf.org>> On Behalf Of internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
Sent: Monday, July 8, 2019 1:24 PM
To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>
Cc: sidrops@ietf.org<mailto:sidrops@ietf.org>
Subject: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-verification-01.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the SIDR Operations WG of the IETF.

        Title           : Verification of AS_PATH Using the Resource Certificate Public Key Infrastructure and Autonomous System Provider Authorization
        Authors         : Alexander Azimov
                          Eugene Bogomazov
                          Keyur Patel
                          Job Snijders
        Filename        : draft-ietf-sidrops-aspa-verification-01.txt
        Pages           : 10
        Date            : 2019-07-08

Abstract:
   This document defines the semantics of an Autonomous System Provider
   Authorization object in the Resource Public Key Infrastructure to
   verify the AS_PATH attribute of routes advertised in the Border
   Gateway Protocol.



The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-sidrops-aspa-verification-01
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidrops-aspa-verification-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Sidrops mailing list
Sidrops@ietf.org<mailto:Sidrops@ietf.org>
https://www.ietf.org/mailman/listinfo/sidrops

_______________________________________________
Sidrops mailing list
Sidrops@ietf.org<mailto:Sidrops@ietf.org>
https://www.ietf.org/mailman/listinfo/sidrops


--
Best regards,
Alexander Azimov