IETF Logo Mail Archive

Re: [Sidrops] Call for SIDROPS WG Agenda Items

Alexander Azimov <aa@qrator.net> Wed, 11 July 2018 14:36 UTC

Return-Path: <aa@highloadlab.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C56DC130EB5 for <sidrops@ietfa.amsl.com>; Wed, 11 Jul 2018 07:36:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.66
X-Spam-Level:
X-Spam-Status: No, score=-1.66 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=highloadlab-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TXYUvJCYMnS2 for <sidrops@ietfa.amsl.com>; Wed, 11 Jul 2018 07:36:12 -0700 (PDT)
Received: from mail-pl0-x242.google.com (mail-pl0-x242.google.com [IPv6:2607:f8b0:400e:c01::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30045130F66 for <sidrops@ietf.org>; Wed, 11 Jul 2018 07:36:07 -0700 (PDT)
Received: by mail-pl0-x242.google.com with SMTP id f4-v6so5056987plb.9 for <sidrops@ietf.org>; Wed, 11 Jul 2018 07:36:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=highloadlab-com.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=tLDZN8N7x/y6fNxlv2nQDOz36DqYNw1Oaf2Ivlt42Ao=; b=N6pph92g4HV7JWqw/p3aU2bXlg0xwLMI7zBQ6YQqzARDI/6LGmTduQWIUVsWoYRBVX xUajqOkCBhpGwfLIasBIz/XzpCmUcRq0C2durrJGoQdQP/EPtq0doPeQjXxbpOJP7bEC xPlsvZb+YaXpyVDONdwmXjxvlzamQtDeIL5LzR58u+rOYupynt5v2KSl4DNavPQCTt5D 3IYQd/4Dn75KMnglIH0PyDlaUti8hxz0y1CVoNRPP+8Gf+rfyvEf3I6bLIHYQkf/zDjX RkJvrb+lVjPaxoCowGmaJ7gAvES40JkmUwJWhamD2R56poIA5MQJQr++1618GhAcD4hx Lo/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=tLDZN8N7x/y6fNxlv2nQDOz36DqYNw1Oaf2Ivlt42Ao=; b=ZnLykzu63OROQpPpL2ZdrSqjhScCLCrP+50/usuKlU08lSTEvAO4dLwFXitON+nkB9 fIk0T8meaBCTuwQ2m+vZTOxTfF/SkfMBZ++ZNIHHsRSdxloPModJWEscxVPxmll92MP6 wikDZlI7CKrHPi626MqmnkwU1tpOuyItvJwi0lACQszwscF9NS8GQBqrxZxIhfj3lTve nF5CzjFfX7wW3fAaQsjn6b7cz0JdBTAlcl6ceUSc++8gprb3CqxZhHUTqxuCsfnX7R/R 8ySIc9ixdHau5LPKgdBSalFltxnE19BW6VOZfHrN6+oXSiQUjgnR8q2/sao3vLb0ezwc 3dQg==
X-Gm-Message-State: APt69E2UOlEiUFPwKab9OVLeMt+C63r4A3yyofWCP3uIIi4sbI0uwBeO WNxlrh3bbKuBfw+5bU13XhdFX6rYYj0/164ncwJhYg==
X-Google-Smtp-Source: AAOMgpeO1gTpN0K6iArQGMnbqGqXUe+3Q+ph0FbNgSQbfITrvUncdKYCsNRjiyDYcCggSN96dleaIm1ktb9e/FT5GS0=
X-Received: by 2002:a17:902:3c5:: with SMTP id d63-v6mr29642480pld.163.1531319766583; Wed, 11 Jul 2018 07:36:06 -0700 (PDT)
MIME-Version: 1.0
Sender: aa@highloadlab.com
Received: by 2002:a17:90a:7e1:0:0:0:0 with HTTP; Wed, 11 Jul 2018 07:36:05 -0700 (PDT)
X-Originating-IP: [95.143.124.62]
In-Reply-To: <5ee309ea-a772-df45-96cc-152726e303a0@gmail.com>
References: <C0205A63-E2D5-4CD5-A109-08C61A1AEA6D@arrcus.com> <m21scsq8b8.wl-randy@psg.com> <6065B77B-9981-4273-82CD-A13C3151EA24@arrcus.com> <CAKr6gn1expF0syu69zpWhyERjvp72r169NhvudMNUSMd0A5D2A@mail.gmail.com> <D1A6D74E-ECEA-4080-90D3-0E19F1B9EE8E@arrcus.com> <CAHgCvCMcV15dMjUtGeDbzsz3eTJkvLNig7+9RV59Ch6+8c9YgA@mail.gmail.com> <D0933B81-699C-4AAD-ABA4-CCB33BA6317B@nlnetlabs.nl> <CAHgCvCOHrtEUSPwXt1JS9Wj0Aa76x_57aUzxsvY3Tb8CwZo1pQ@mail.gmail.com> <5ee309ea-a772-df45-96cc-152726e303a0@gmail.com>
From: Alexander Azimov <aa@qrator.net>
Date: Wed, 11 Jul 2018 17:36:05 +0300
X-Google-Sender-Auth: UtKinADWfXbNm8Q29sXVDcKxr3o
Message-ID: <CAHgCvCN-5K3FsaHx1OoyNL-zF5VAw6XvTT5T6OL1puGZfwXZhQ@mail.gmail.com>
To: Andrei Robachevsky <andrei.robachevsky@gmail.com>
Cc: Tim Bruijnzeels <tim@nlnetlabs.nl>, Keyur Patel <keyur@arrcus.com>, "sidrops@ietf.org" <sidrops@ietf.org>, George Michaelson <ggm@algebras.org>
Content-Type: multipart/alternative; boundary="000000000000b9a5160570ba2aee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/cYyBGhJV32i6o2Gwjxg3rV_DcH0>
Subject: Re: [Sidrops] Call for SIDROPS WG Agenda Items
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 14:36:22 -0000

Andrei,

Thank you for the comments.

2018-07-10 13:55 GMT+03:00 Andrei Robachevsky <andrei.robachevsky@gmail.com>
:

> Alexander,
>
> Alexander Azimov wrote on 06/07/2018 22:07:
> > Yes, it seems that here is a misunderstanding. Behind section 5 there is
> > a simple idea:
> >
> >  1. If there is 'invalid' subpath - then the outcome is 'invalid';
> >  2. If the AS_PATH can't be fully verified even if all corresponding
> >     ASPAs exist (AS_SETs, AS_TRANS) - then the outcome is 'unverifiable';
>
> In case the speaker understands 32-bit ASNs a path may be reconstructed
> using the AS4_PATH attribute. Do you refer to AS_PATH in a sense of
> constructed AS path (where AS_TRANS may be replaced), rather then the
> AS_PATH received from a neighbor who doesn't support 32-bit ASNs?
>
I had in mind two scenarios:

   - Provide a limited opportunity to 'old' BGP software to verify routes
   using ASPA;
   - Provide solution for a case when AS_PATH wasn't properly reconstructed
   and there are AS_TRANS left.



> >  3. Otherwise - 'valid'.>
> > So, the procedure may return 'valid' also in case if part of AS_PATH
> > isn't fully covered by ASPAs.
>
> It doesn't make much sense to me to declare the path valid even if some
> of the segments cannot be verified. As opposed to BGPsec it is not all
> or nothing in this case, as I understand it. Valid ASPAs linking
> segments on both ends of the path provide value since an attacker cannot
> craft a shorter path, and will probably lose because of that. So in this
> sense every ASPA is an incremental improvement.
>
Yes, each ISP by signing ASPA will improve the level of its own security
and security of its customers - that's a really important motivation. If
there is a complete sequence of signed ASPAs from edge to Tier1 - then the
attacker will have no opportunity to create a valid AS_PATH in terms of the
verification procedure.

We can consider adding additional state 'unknown' or 'partial valid'. It
will have similar semantics to 'unknown' output of ROA validation
procedure. But as you know, the current practices are focussing on dropping
'invalid' routes, there is no difference in processing 'unknown' and
'valid' routes.

>
> > And to support detection of intentionally malformed AS_PATH for selected
> > ASN it's enough if all its upper providers create ASPAs. For
> > transit-free networks this rule is even more simplified - they just need
> > to create ASPA0. IMHO - it provides a quite powerful mechanism even at
> > the state of partial deployment.
>
> I like the simplicity of the approach, are different types of
> relationships between the two AS'es outside the scope?
>
For me it seems that we don't need any additional information to verify
routes received from customers and peers.
So, I've tried to make it as simple as possible.

-- 
| Alexander Azimov  | HLL l QRATOR
| tel.: +7 499 241 81 92
| mob.: +7 915 360 08 86
| skype: mitradir
| mailto: aa@qrator.net
| visit: www.qrator.net

v2.23.0 | Report a Bug | By Email