IETF Logo Mail Archive

Re: [Sidrops] ASPA: Is this really a leak?

Ben Maddison <benm@workonline.africa> Tue, 15 December 2020 12:50 UTC

Return-Path: <benm@workonline.africa>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3D763A10D9 for <sidrops@ietfa.amsl.com>; Tue, 15 Dec 2020 04:50:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=workonline.africa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KwuEqlhugohc for <sidrops@ietfa.amsl.com>; Tue, 15 Dec 2020 04:50:15 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70079.outbound.protection.outlook.com [40.107.7.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86C3B3A10D4 for <sidrops@ietf.org>; Tue, 15 Dec 2020 04:50:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CCt7a/VlO5ThCGOI8h3x6xPGcHyPScR1bDFE+XfVvdPo+RswKNM1VdGz+OEarJiUrYgsUCzDmZvYUZQPCZOaPES5DletlMND8kh4xJ6pk6RSHAbW64rQkWdCBvC+Pu9eb7pXeImoOuEz7kySi7VTZjdF0hi/QZcy0+yUcUt0vaiWGDuh/b30CzISMbggX9O78f7Ec+4e1siCgDplxnl4oTtu34Q2oOvIz+MVl6GUk5jP9b6xR29DvS66GkynkVRaiLZtVpstzQ2aRI1+RqHG7z8I28B+uiSOyHbNOuFmptTJpJi/OFXsBwbKCllhkqcU6fb3u8y5m8czWOc8gFuzLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=W5nEw3BWVkt3R/AuXs76DONFCHder33Sq85kqSLDgEo=; b=NaDIEKJIN3X6JgXPc0l9xI2g5NttCbZylLgaZdFIJFvwGWxEAER802Gxfi0UqB6lSs8TGCgLen6NDLl9h+wJMdCMtkZYte0m1z7MYJrb7pe37F34gpAZQJcg7jlvNtjXcu4N7A46XDNICWk8oHpYoTSLNhEVe/rIp1BTMZZG4clquhIRXcXoI6t6NbTSxpNZyp76zP/gpfq9KqqMpos5av4KeayiDrF+EnxmgB6q0UD0I9ZvJqxfgmTJW5lRE9NdUXGJ/LLe65DGfbHd8GJ7nwM0SEBIq8Pcx7pnenqtPuG60/kJ3F79zH9GVtIBLiCJPPe4crHNM2bWWOgnPyakOw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=workonline.africa; dmarc=pass action=none header.from=workonline.africa; dkim=pass header.d=workonline.africa; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=workonline.africa; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=W5nEw3BWVkt3R/AuXs76DONFCHder33Sq85kqSLDgEo=; b=e8AOhrG5ZHrW7Ce2ZLBfGgnJC12ipmHG82ML93xufATqB9g7CmPe67kk34A5pdmyBEZj5PQvq05a4Ay2LGiKX3wc+BuCfXisHRTDh20xFZFaDhK0FUHMcR8WNBjhPrH8EXayw++M3f/R6r8RMkO3Y0HRNOoNrKckEsL9ZZys4r8=
Authentication-Results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=workonline.africa;
Received: from DB8P190MB0746.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:12a::24) by DBAP190MB1000.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:1a1::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.20; Tue, 15 Dec 2020 12:50:10 +0000
Received: from DB8P190MB0746.EURP190.PROD.OUTLOOK.COM ([fe80::cdc3:7ba:4bf7:dcda]) by DB8P190MB0746.EURP190.PROD.OUTLOOK.COM ([fe80::cdc3:7ba:4bf7:dcda%3]) with mapi id 15.20.3654.026; Tue, 15 Dec 2020 12:50:10 +0000
Date: Tue, 15 Dec 2020 14:50:03 +0200
From: Ben Maddison <benm@workonline.africa>
To: "Jakob Heitz (jheitz)" <jheitz=40cisco.com@dmarc.ietf.org>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Message-ID: <20201215125003.k4mnemxkmi2372rj@benm-laptop>
References: <BYAPR11MB3207E12FA868D4ECCF064161C0C60@BYAPR11MB3207.namprd11.prod.outlook.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="7fgej7vxsnk4t7ib"
Content-Disposition: inline
In-Reply-To: <BYAPR11MB3207E12FA868D4ECCF064161C0C60@BYAPR11MB3207.namprd11.prod.outlook.com>
X-Originating-IP: [165.0.73.66]
X-ClientProxiedBy: CTXP275CA0017.ZAFP275.PROD.OUTLOOK.COM (2603:1086:100::29) To DB8P190MB0746.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:12a::24)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost (165.0.73.66) by CTXP275CA0017.ZAFP275.PROD.OUTLOOK.COM (2603:1086:100::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.12 via Frontend Transport; Tue, 15 Dec 2020 12:50:09 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: f453658b-3733-4094-114d-08d8a0f7f523
X-MS-TrafficTypeDiagnostic: DBAP190MB1000:
X-Microsoft-Antispam-PRVS: <DBAP190MB100060D24A90B8A6A541101DC0C60@DBAP190MB1000.EURP190.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: +/I64rQutAF+5Lqwpz9C2f+hbtakEyiAz9TXhzZthhz0QKzX7RKMNTXyDSxNqpdDUrO9c/STDNNE6dJaBF5MTxEADYGx8PBjsPaGLEuvyn1xclSzI8H6w7doT/MBCcIAPVp4qe0yNsBU2a1KySqMowXyvQP7xxdKN77DfUWQ7Uhf/BrDQn61QI2w/wBjHuBsYznFcCrCFjQ+Pd0updHN8Cbh0rn0vn6TPsDLxDwfocDJoOzx41+TL41u0q/YYAwl8FKYwiUUFygMCAiTo8WcU92KRRyUPL/k7+En1/YQzyo9r3kcqM+8VoXnO9llE4cCTtMRvClJlADfyAL2EDilInQb/K0xFaKSay5Oj1/FwWkZ9ANuqBztB//TZMyfkVyVZs1+y5fs98mvp9aavcYFGfmE1oelYmBR+ymvszkH6luHvRSG8KkDLhjwun8eCAVxIrGzRV32txxlJwyzAQXPifUR+gbpdN4SqQfo/FPuFe8=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8P190MB0746.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(7916004)(346002)(366004)(6666004)(4326008)(26005)(508600001)(1076003)(86362001)(6486002)(52116002)(66574015)(16526019)(966005)(2906002)(8676002)(44144004)(6496006)(186003)(66476007)(66556008)(66946007)(83380400001)(33716001)(5660300002)(21480400003)(956004)(9686003)(8936002)(46492008)(2700100001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: N878YkAfaszPXk5EPO2w7c5/uZumhTr691PvGjt5eN0IOTs0MkRxIv6pmvzoCzI2LUy6sv/+8dd3i3vehJED52nG41BYzx3rD7eY7DTbFFpMW2n9/hh+mYWEoeNfRBnK0SC5z+KWqvAK1zxlhbIdzgS8l51aBA9zhpZcMDIfO1drZACnTbP3moYHO17p76YN/G9toE2Alc1NcY7Cs1+JK4MkzaWQzGvlO15LaqJqJDdeqWhP2LLJcZm64FERti0fQt29ZU3ys+ElWOJYrHPagf5nhiYkBZV+4VonAl+PvhaSinm6SjVqLDJj8kdnnSfpbHnV08FuRBKJRxFMhkEfulVB+EzmoH6nqdVF9qCZlr94fCu+blLymULxx5pxVaqrtyETk2la2IeM2OodI8Kcc1TBgP2tWSIGpQqvm635NQI0MHcRnG+a3wCVpXmVSh91R+qi6+t9IzxQfJzNlUlelrJ0G49otGe1/vyL3Cin0yLuGYGBilQRTP1HggcawUXUFfzf7su18wu41krobwM052Qn3y8M19EpUkw3zbOrWre90bU3ZDDpQZj0SfIBUcuw6jlTt83BrY2ID8Xt9ulfZ4xjXtRyPlUJqiSxy9+SbzPvYHfWO8U4rxmlI9irRp11NsZexlvtxTBQGoowlunEEn94Qr3ilaXEBJhjaz/xt8TLT+jTqOBcei4s6nuxF1B1VrV3ZzVUNE8BxZKO71dC3RJs4HlX3iQWnM2RPu7TvHl1Rn1DICl64m22gzr3wn+mlQIatdwwJCKp9WNvZ6vqsySO4zxB0UO9uXC1CJBFM9tCnMTFygod6xJJpyjticthwEAa5hnU+5dyXQOjLPCJq3cecLW6z1feBSAHW08bbTYuJrLUBwjfmBMPCcG6YUOaWximnJCMRvNSz6D8MzCgv+jK1CtSe0J006i5KAJcyK9Tj4oYdXoX3MrEsne4HPssWXoIPqlOV/ekmem4qUdqm1F3HYU9UlP6VDXmv/9YUEI=
X-OriginatorOrg: workonline.africa
X-MS-Exchange-CrossTenant-AuthSource: DB8P190MB0746.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Dec 2020 12:50:10.2529 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: b4e811d5-95e8-453a-b640-0fba8d3b9ef7
X-MS-Exchange-CrossTenant-Network-Message-Id: f453658b-3733-4094-114d-08d8a0f7f523
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: CcVpp1KR108gm3gGOXX+pBWNHcGADj1wFJQWcTHCuRHeOq2tbEp1Q2g00tud7dZ7VLcdYgFKtzEaMNYBYxi/3w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAP190MB1000
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/W2bSOONXQyTdw8g8ReycE6KTzCM>
Subject: Re: [Sidrops] ASPA: Is this really a leak?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 12:50:18 -0000

Hi Jakob,

On 12/15, Jakob Heitz (jheitz) wrote:
> https://tools.ietf.org/html/draft-ietf-sidrops-aspa-verification-06
> finds suspected leaky AS paths.
> However, not all routes with suspected leaky AS-PATHs should be automatically dropped,
> because some of them may not be unequivocal leaks.
> A BGP monitoring service should provide alerts to all suspected leaks.
> However, a router should automatically drop only unequivocal leaks.
> 
> https://bgpstream.com/event/258771 is listed as a leak.
> [cid:image001.jpg@01D6D269.84D10C20]
> The as-path is the red line.
> The black line is a customer-provider relationship that exists between
> 37545 and 33765 as can be seen at https://asrank.caida.org/asns?asn=33765.
> Therefore, 33756 is an authorized carrier of traffic for 37545 and
> ought to not be called out as a leaker.

No. This is about as clear cut and obvious a leak as you could hope to
find!

33765 is a customer of both 3491 and 37100. It is learning paths from
the former, and advertising it to the later. If ASPA won't drop that on
the floor then it's basically useless.

> The route may not have taken the black line because of a temporary
> failure of that link. An apparently leaky detour should be allowed
> for a temporary failure as long as all the ASes involved are in the
> provider cone of either the source AS or the destination AS.
> All ASes in the provider cone of an AS are either directly or indirectly
> authorized to carry traffic for that AS.
> 
I think this is a misunderstanding of the nature of the "authorisation" that
an ASPA object describes.
The question of whether an AS is authorized to carry traffic to a
particular destination is orthogonal to the question of whether a route
is being leaked.
The question is: when ASX advertises path P to ASY, does ASX authorise
ASY to propagate it to its non-customer peers.
In the above example, I'd expect that the answer is no (although, one
would need to get their hands on an ASPA signed by 3491 to be sure).

> This is just one example. It's easy to find more.
> 
> ASPA should add a section that defines an unequivocal leak, such that
> a BGP router can optionally drop only unequivocal leaks.
> 
> The definition of an unequivocal leak is based on the provider cone.
> The provider cone of an AS consists of all the providers of that AS and
> all the providers of those providers and so on.
> 
> All providers in the provider cone of either the originator or the receiver
> of the route are permitted (contracted, actually) to carry the traffic for the
> route between these two ASes. Therefore, the AS-path is only invalid if it
> contains any ASes not within these provider cones. If valleys exist in the
> AS-path, but these valleys are entirely within these provider cones, then
> all the ASes in the AS-path are still permitted to carry the traffic and the
> route should be declared valid.
> 
That would exclude some of the most common and harmful species of leaks.
We most often see these when an AS provides transit, but filter towards
their peers on based on prefix-lists (no community, as-path filters,
etc).
When (due to an outage, badly conceived traffic engineering, etc) they
select a route as best which is originated by a customer but learned
from a peer, the route matches their egress filters, resulting in a
leak.
These cause congestion in unexpected places, send traffic through
middleboxes that aren't configured for it, and generally cause hard to
troubleshoot pain and suffering. Usually with collateral damage
included.

Mitigating this kind of thing is right at the heart of what makes ASPA a
good idea. Let's not gut it please.

Cheers,

Ben

v2.23.0 | Report a Bug | By Email