[Sidrops] About registering more in ASPA: RE: Call for adoption of draft-spaghetti-sidrops-rpki-prefixlist
gengnan <gengnan@huawei.com> Mon, 23 October 2023 09:24 UTC
Return-Path: <gengnan@huawei.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76921C1519B1 for <sidrops@ietfa.amsl.com>; Mon, 23 Oct 2023 02:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.205
X-Spam-Level:
X-Spam-Status: No, score=-4.205 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 63rSVT_6Q_0i for <sidrops@ietfa.amsl.com>; Mon, 23 Oct 2023 02:24:24 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3569BC137381 for <sidrops@ietf.org>; Mon, 23 Oct 2023 02:24:24 -0700 (PDT)
Received: from lhrpeml500006.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4SDV7X1Wpbz67hpn for <sidrops@ietf.org>; Mon, 23 Oct 2023 17:21:44 +0800 (CST)
Received: from dggpemm500007.china.huawei.com (7.185.36.183) by lhrpeml500006.china.huawei.com (7.191.161.198) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Mon, 23 Oct 2023 10:24:21 +0100
Received: from kwepemm000009.china.huawei.com (7.193.23.227) by dggpemm500007.china.huawei.com (7.185.36.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Mon, 23 Oct 2023 17:24:19 +0800
Received: from kwepemm000009.china.huawei.com ([7.193.23.227]) by kwepemm000009.china.huawei.com ([7.193.23.227]) with mapi id 15.01.2507.031; Mon, 23 Oct 2023 17:24:19 +0800
From: gengnan <gengnan@huawei.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, Randy Bush <randy@psg.com>, Geoff Huston <gih@apnic.net>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: About registering more in ASPA: RE: [Sidrops] Call for adoption of draft-spaghetti-sidrops-rpki-prefixlist
Thread-Index: AdoFkOedUNh1aleYS/C9jv1YiB7Jng==
Date: Mon, 23 Oct 2023 09:24:19 +0000
Message-ID: <d873f0a9a67c46109b6d1c200ec0f43e@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.112.40.101]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/c7br4tTnDbKehgCly7zceJKSx8w>
Subject: [Sidrops] About registering more in ASPA: RE: Call for adoption of draft-spaghetti-sidrops-rpki-prefixlist
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2023 09:24:28 -0000
Hi, I think: besides the provider-set, registering more (such as neighbor-set, peer-set, customer-set, etc.) is useful though there will be some challenges. Sriram and I (and others) have been discussing this possible direction for improving ASPA. There are some benefits and also some concerns (one of them is as described by Sriram below). Possible benefits if an AS can register more: 1. Cross-check the correctness of registration 2. Identify fake links if we know all neighbors/adjacencies (similar benefit to Geoff and George's previous draft: draft-huston-sidr-aao-profile) 3. Hop-check(Y, X) for Hop-check(X, Y) under partial registration (The process described by Sriram below) 4. (Optional) Cope with complex scenarios such as complex relationships and legitimate valley-paths (see Fredrik's comment on ASPA: https://www.manrs.org/2023/10/coordination-key-to-largest-rpki-deployment/) Detailed analysis, simulation results, and deployment considerations can be found in the slides presented in APNIC56: https://conference.apnic.net/56/assets/files/APJS642/autonomous-system-re_1694481446.pdf About Sriram's concern, the risk may exist, but: 1. The attacker cannot repudiate the attack if the attacker register the bogus ASRA data in advance. 2. Without the usage of "Hop-check(Y, X) for Hop-check(X, Y)", there are also many other benefits (1,2, and 4 above). Best, Nan > -----Original Message----- > From: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> > Sent: Monday, October 23, 2023 7:39 AM > To: Randy Bush <randy@psg.com> > Cc: sidrops@ietf.org > Subject: Re: [Sidrops] Call for adoption of draft-spaghetti-sidrops-rpki-prefixlist > > >if we like being able to check in both directions, why are we not also > >working on APSA, As Provider Southbound Attestation, where an AS > >declares it's downstreams? it would provide a check similar to > >prefixlist for mistakes in ASPAs. > > I have been discussing this kind of object (and variants) with several people > (Jeff Haas, Nan Geng, others). > > It is harmful. It gives a weapon to a malicious leaker to foil or confuse the ASPA > route leak detection. > > Example (initially consider only ASPA deployed): > > AS B is multihomed to transit providers AS A and AS C. > > AS A --- (P2C) ---> AS B --- (C2P) ---> AS C > > ASPA: AS A {AS F, AS G} > AS B has not registered any ASPA. > Route path at AS C: AS B AS A > > The route propagates from AS A and is received at AS C via AS B. > AS C knows from its configuration that AS B is a customer. > Presently, AS C can readily detect that the route is Invalid (a leak or infeasible > path). > Because AS A's ASPA attests that AS B is not a Provider (i.e., AS B is either a > customer or lateral peer of AS A). > > Now consider the *new* object. > > If the proposed *new* object is deployed, AS B can maliciously register one > attesting that AS A is a customer ☹. > AS B's *new* object contradicts AS A's ASPA. > In that case, which object is AS C supposed to trust for its path verification > (route leak detection)? > Suppose we (IETF) specify that if AS C determines there is a contradiction > between what AS A and AS B assert, then it will consider the AS A to AS B hop > to be "No Attestation". > That would mean that the attacker (AS B) wins. > The path will be determined "Unknow" at AS C rather than "Invalid". > > There is far more utility and no discernible harm (IMO) if only provider > attestations (ASPA) are deployed or used in the path verification algorithms. > If an AS includes a customer in its ASPA provider list, it only hurts its customer. > Route leak (or infeasible path) detection still works (unhampered). > The prefixes of the customer AS (and its CC) will experience denial of service > (unreachability) and they'll complain, and the AS will respond to correct its > ASPA. > > Sriram