[Sidrops] 'tagging' in draft-ietf-sidrops-validating-bgp-speaker
Job Snijders <job@instituut.net> Wed, 24 July 2019 18:49 UTC
Return-Path: <job@instituut.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56C6C120346 for <sidrops@ietfa.amsl.com>; Wed, 24 Jul 2019 11:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=instituut-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQvZ7O7g6q-U for <sidrops@ietfa.amsl.com>; Wed, 24 Jul 2019 11:49:25 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59CAB120338 for <sidrops@ietf.org>; Wed, 24 Jul 2019 11:49:25 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id m14so8862244qka.10 for <sidrops@ietf.org>; Wed, 24 Jul 2019 11:49:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=instituut-net.20150623.gappssmtp.com; s=20150623; h=date:from:to:subject:message-id:mime-version:content-disposition :user-agent; bh=dn1aZlmoyACalEUbiyM/zkDQPJQhPc6ZnoEurKYTiXw=; b=BpeqVzSl1fxnJtlJHOl9KsGjRPvRaqliPpJf6LXm6qSphneashxq46BofDmjwg7aOb Ga/op6SAEOL+aeM4/L59HdNAPRE1AR3MzWzkSkw6OvFk3I0D4bU+zsD/TkDazDENepSR k4bCmuvG+pqMZtrIgYBx0wbBBgF65sw0pPkSSEARLoNfNW/X60a8Tv7X7Um2gZ8oz3Vj blFhdLfePt+CHCzsKC63KXWL+r8D0DgPmrt+lC6HjbUH5Jhw+CWBao2+dKq8WGpqjduN 4R2OQ1xMdTAnxaBeBM/dSV3ko2RRItyAFMEVGZEe4ZArl8fUg62s7sJUgJqTBW4DCpbh zMjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition:user-agent; bh=dn1aZlmoyACalEUbiyM/zkDQPJQhPc6ZnoEurKYTiXw=; b=Npsio+UN8FVo6bkgyqxv+30fu9gIeOwipGfs7ZMnwsUAAV+Sixoz+n2Ke4vf+rtB47 7RZwozrJb+ZB/gYNtg1GeBGjs7uUWGbWSxAWVSO6nhJM3el0QkaRh6I4Xf6lKLMy3WvK 85tunsz0McTN3shxdFEufSoXGcn9rAKROjg8xrZCReJqyyMuMZ+keVDzsXKoPLgOFIyq gDV54wzwYihzr+zGcyPeM4hvgM+HyV0jR6F+N1I8bIyzdGDvV78ujrdv63ZH+cIeVZOf Pav8cR/Kb9nSJ89sdFf1mNtMArrE8UwznBGg5PcmClK1TO/L9BMVFRN8NYIEkyLcvs22 JMWQ==
X-Gm-Message-State: APjAAAVQqnCsf63Q2BNtR2TY9wBviN0oj2ZUCGQn1hchDtivribsC/WZ xrlFkQEJFDaklwYnKMWDGZer+4a6zyY=
X-Google-Smtp-Source: APXvYqyRj8FVgyqdmkFeg3yJfn2G/C9xSNehWyESoSN5Eh5yO1uAYEDpoEwJi2hjZ3IrlEry1MYIhg==
X-Received: by 2002:a05:620a:16c6:: with SMTP id a6mr19826464qkn.413.1563994164060; Wed, 24 Jul 2019 11:49:24 -0700 (PDT)
Received: from vurt.meerval.net (dhcp-9df9.meeting.ietf.org. [31.133.157.249]) by smtp.gmail.com with ESMTPSA id r4sm17864758qtt.51.2019.07.24.11.49.13 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 24 Jul 2019 11:49:23 -0700 (PDT)
Received: from localhost (vurt.meerval.net [local]) by vurt.meerval.net (OpenSMTPD) with ESMTPA id 987d43a8; Wed, 24 Jul 2019 18:48:29 +0000 (UTC)
Date: Wed, 24 Jul 2019 18:48:28 +0000
From: Job Snijders <job@instituut.net>
To: sidrops@ietf.org
Message-ID: <20190724184828.GD81521@vurt.meerval.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/WUM8-1swy2XJ7S1GYIdWIg8mk3s>
Subject: [Sidrops] 'tagging' in draft-ietf-sidrops-validating-bgp-speaker
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 18:49:28 -0000
Hi all, Today there was yet another incident related to a BGP hijack of an IXP Peering LAN Prefix: an ASN originated 80.249.208.0/24, which is part of 80.249.208.0/21. This /24 route was an RPKI invalid announcement. This misconfiguration negatively affected the AMS-IX platform, and some of the authors are associated with this organisation. It is my hope that a real world example of what I at the IETF 104 SIDROPS meeting predicted, will help the authors better understand the negative security implications of the current draft. To better understand the severity of an event like this, one can consider the publicly published statistics, here is a screenshot: http://instituut.net/~job/amsix-rpki-disruption.png You can see an arrow pointing to a low point in the graph, the graph should've been a smoother sine-like shape. The issue is that some BGP implementations will send the BGP packets destined for 80.249.208.0/24 via the hijacked route rather than via the directly connected interface with the less-specific route. For a period of time a few hunderd gigabit/sec was dropped on the floor; this is of course problematic. Now, imagine this 80.249.208.0/24 route announcement passed through a BGP speaker that adheres to the 'tagging' option in draft-ietf-sidrops-validating-bgp-speaker, and instead of rejecting the route announcement only a BGP Large Community is added to this RPKI invalid announcement. I can assure everyone that the presence or absense of that BGP Large Community will do *nothing* to reduce the negative consequences of the existence of such a invalid more-specific /24. It is my hope that the authors now recognize that knowingly propagating RPKI Invalid announcements, even with a specific BGP community attached; makes no sense from a routing security perspective. I propose the "tagging" option is removed from the draft document entirely, or that the "invalid" community is removed and only the 'valid' and 'not-found' communities are specified. A BGP validating speaker should not propagate RPKI invalid announcements, instead such invalid announcements should be rejected; this document can state that. Kind regards, Job
- [Sidrops] 'tagging' in draft-ietf-sidrops-validat… Job Snijders