IETF Logo Mail Archive

Re: [Sidrops] Which 8210-bis error code should be used?

Claudio Jeker <cjeker@diehard.n-r-g.com> Wed, 24 May 2023 04:42 UTC

Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 608FDC14CF12 for <sidrops@ietfa.amsl.com>; Tue, 23 May 2023 21:42:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P6JJ6lseXimP for <sidrops@ietfa.amsl.com>; Tue, 23 May 2023 21:42:14 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF042C14F749 for <sidrops@ietf.org>; Tue, 23 May 2023 21:42:13 -0700 (PDT)
Received: (qmail 95803 invoked by uid 1000); 24 May 2023 04:42:09 -0000
Date: Wed, 24 May 2023 06:42:09 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Jay Borkenhagen <jayb@braeburn.org>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-verification@ietf.org" <draft-ietf-sidrops-aspa-verification@ietf.org>
Message-ID: <ZG2Vobyxl/gPEfCU@diehard.n-r-g.com>
References: <SA1PR09MB8142523FA03AC4EA6E0E014E847C9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814235BE0566A5C6935CF5B184439@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814231707524646D651B69B884439@SA1PR09MB8142.namprd09.prod.outlook.com> <ZGs5bFRjPLnyL2Jd@diehard.n-r-g.com> <25708.55138.924074.242182@hrabosky.cbbtier3.att.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <25708.55138.924074.242182@hrabosky.cbbtier3.att.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/c54epzTv2wO1r38wSJUgTljk7fY>
Subject: Re: [Sidrops] Which 8210-bis error code should be used?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 04:42:15 -0000

On Tue, May 23, 2023 at 03:10:26PM +0000, Jay Borkenhagen wrote:
> Hi Claudio,
> 
> Regarding the case where an ASPA exists for one AFI but not the other:
> 
> I acknowledge your preference to not require separate but nearly
> identical tables for ipv4 and ipv6, and I agree with you that an
> ASPA-verifying bgp implementation can deal with this situation in its
> hop-check function by inferring a table entry for that 'missing' AFI.
> 
> However, inferring an AS0 ASPA table entry is almost certainly not
> what the creator of the single-AFI ASPA had intended.  I do not know
> all the reasons why someone would create an ASPA for one AFI but not
> the other, but two that come to mind are:
> 
> - "All my INRs are ipv4, so I don't care about ipv6" -- in which case
>   it doesn't matter how ASPA-verification treats ipv6 for this ASN,
>   
> and:
> 
> - "I want to wade carefully into ASPA, so let me do only ipv6 first"
>    -- in which case they do not intend to imply that they are
>    default-free for ipv4. 

I think the creator of such an ASPA record did not do the necessary due
diligence before publishing an ASPA record. Publishing bad records and
hoping for the best is not a winning move.

Regarding your two scenarios:
In the first case you really want to block IPv6 else you open the door for
others to abuse your badly specified entry. ASnums resulting in an unknown
ASPA validation outcome are powerful gadgets to hijack traffic.

While I understand your second argument I do not agree that "lets wade
carefully" is a good aproach in this case. One thing to consider is that
any transit provider ASPA also affects its customers. In general
debugging ASPA issues is more complex than ROA since multiple ASPA records
play together and so having less options makes diagnosing issues easier.
The impact of an ASPA record does not only affect the ASPA record holder,
this is different from ROA.

Right now the publishing rule is very simple: If you publish an ASPA
record your AS is protected by it. There is no half in / half out, maybe
but just a bit mode.
This is a security enhancing element of BGP, it should be simple and easy
to reason about. This is why I argue that the rule of being either in or
out is right.

It is important that the rules on how to build ASPA objects must be
simple and easy to understand. Right now the rules are:

- If you publish a valid ASPA record then your AS is protected.
- The list of SPAs only needs to include real transit provider AS numbers.
  You don't need to add any RS or lateral peer (the only exception are
  sibling relations where the peering provides transit in both directions)
   -> In other words keep the list minimal
- Avoid the trap of specifying an AFI for an entry. It will bite you
  (maybe not now but later at the most inconvenient time). Consider the
  optional afi like the optional maxlen of ROA.
 
> Because an assertion of being default-free is not what any single-AFI
> ASPA creator would intend, this takes us down the path of whether
> ASPA-generating CAs should prohibit or warn operators that they're
> about to do something with more severe consequences than they may
> realize.  It would be good to avoid that mess.
 
I agree that ASPA-generating CAs (especially the RIR portals) need to stop
or warn operators when they create entries that only cover one AFI.
Actually the portals should discourage the operator to use AFI specific
entries in the first place.
 
> As an alternative, I would like to propose inferring a wildcard table
> entry for the missing AFI, as if the signer had created an ASPA
> indicating that every other ASN is one of its providers for the
> missing AFI.
> 
> 
> For the process of rejecting invalid AS_PATHs, a wildcard will have
> the same result as if no ASPA existed, which is the actual situation
> at hand for that 'other' AFI.
> 

I strongly disagre. There was no need to add "wildcard" entries into ROA.
If you cover an address block in RPKI ROA there is no way to uncover some
address space below. There is a good reason for this and that is security.
ASPA must behave the same.

Why do we need to add unnecessary bells and whistles to ASPA?
The only reason to do so is to allow a group of people to write up a
new RFC in the future to tell everyone that this or that feature should
not be used (like RFC9319). Do we really need to go through these loops?
Is it impossible for this group of engineers to learn from previous
mistakes?

Remember:
Rule number one to improve security is to remove options, not adding them.

-- 
:wq Claudio

v2.23.0 | Report a Bug | By Email