Re: [Sidrops] ASPA false leak

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Wed, 16 October 2019 21:31 UTC

From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Alexander Azimov <a.e.azimov@gmail.com>, Randy Bush <randy@psg.com>
CC: Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>, SIDR Operations WG <sidrops@ietf.org>
Date: Wed, 16 Oct 2019 21:31:46 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/V3tR0nQuwqKEt2rfWY7SkeP9pgM>

So, should AS5 just drop the traffic?

Regards,
Jakob.

From: Alexander Azimov <a.e.azimov@gmail.com>
Sent: Wednesday, October 16, 2019 1:41 PM
To: Randy Bush <randy@psg.com>
Cc: Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>; Jakob Heitz (jheitz) <jheitz@cisco.com>; SIDR Operations WG <sidrops@ietf.org>
Subject: Re: [Sidrops] ASPA false leak

And another real-world scenario.

A significant number of route leaks today happen when an ISP uses the prefix-list of its customers as the only egress filter (no ingress filters, no communities).
In this case, just like in your scenario, it starts to leak its customers' prefixes when it receives them from providers/peers, thus spoiling the TE of its customers. More than that, the customer can't even redirect traffic away from such a misconfigured upstream provider, even if it experiences service degradation.

I don't believe we should legitimize such behavior.

Wed, 16 Oct 2019 at 09:42, Randy Bush <randy@psg.com>:
>> Consider the topology:
>>
>>    AS5      AS3
>>      \     /   \
>>       \   /     \
>>        AS4     AS2
>>          \     /
>>           \   /
>>            AS1
>>
>> AS1 has providers AS2 and AS4.
>> AS2 has provider  AS3.
>> AS4 has providers AS3 and AS5.
>>
>> AS5 receives a route with AS-path (4 3 2 1).
>> ASPA would declare that AS4 leaked the route from AS3 to AS5.
>> However, AS4 is an authorized provider for AS1.
>> Even though AS4 has a path to AS1, it chose to use an alternative
>> valid path to reach AS1.
>
> and that alternate path sure looks a lot like a route leak.

lemme try a different way

the attacker A3 wishes to siphon jelly beans from A5's traffic to A1.
so she convinces A4 to prefer the A4 A3 A2 A1 path, which A4 then
announces to A5 as her best path.  profit.

randy



--
Best regards,
Alexander Azimov
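The ASPA upstream check applied to the topology quoted in the thread, as an added example (not code from any poster or from the ASPA draft): ASPA records are constructed from the stated provider relationships, and AS3 and AS5 are assumed to have registered ASPA records listing no providers, which is what makes ASPA flag the hop from AS3 to AS4 on the path (4 3 2 1) as a leak while the direct path (4 1) verifies cleanly. The procedure is a simplified model of the customer-route check (every hop from the origin towards the receiver must be customer to authorized provider), not the full draft algorithm.

```python
# Constructed ASPA database: customer ASN -> set of authorized provider ASNs.
# Derived from the quoted topology; AS3 and AS5 are assumed to publish empty
# provider sets. An ASN absent from the dict has no ASPA record at all.
ASPA = {1: {2, 4}, 2: {3}, 3: set(), 4: {3, 5}, 5: set()}


def hop(customer, provider, aspa):
    """Classify one customer -> provider hop against the ASPA database."""
    providers = aspa.get(customer)
    if providers is None:
        return "unknown"          # customer has no ASPA record
    return "valid" if provider in providers else "invalid"


def verify_from_customer(receiver, as_path, aspa):
    """
    Simplified ASPA check for a route learned from a customer neighbor.
    as_path is in wire order: leftmost = neighbor, rightmost = origin.
    Walking from the origin up to the receiver, every hop must be
    customer -> authorized provider. Returns (state, offending_hop).
    """
    seq = []
    for asn in reversed(as_path):
        if not seq or seq[-1] != asn:     # collapse prepending (AS repeated)
            seq.append(asn)
    seq.append(receiver)                  # the receiver is the final provider
    states = [(c, p, hop(c, p, aspa)) for c, p in zip(seq, seq[1:])]
    bad = [(c, p) for c, p, s in states if s == "invalid"]
    if bad:
        return "invalid", bad[0]          # first hop that is not customer->provider
    if any(s == "unknown" for _, _, s in states):
        return "unknown", None
    return "valid", None


if __name__ == "__main__":
    # AS5 receives (4 3 2 1) from its customer AS4: hop 3 -> 4 is not
    # customer -> provider, so ASPA reports a leak at AS4.
    print(verify_from_customer(5, [4, 3, 2, 1], ASPA))
    # The direct path (4 1) is a pure upstream path and verifies.
    print(verify_from_customer(5, [4, 1], ASPA))
```

If AS3 had published no ASPA record at all, the same path would come back "unknown" rather than "invalid", which is the difference between a missing record and an explicit statement that AS4 is not AS3's provider.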