Re: [Sidrops] ASPA false leak

Ben Maddison <benm@workonline.africa> Thu, 17 October 2019 06:59 UTC

From: Ben Maddison <benm@workonline.africa>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, Alexander Azimov <a.e.azimov@gmail.com>, Randy Bush <randy@psg.com>
CC: SIDR Operations WG <sidrops@ietf.org>
Thread-Topic: [Sidrops] ASPA false leak
Date: Thu, 17 Oct 2019 06:59:44 +0000
Message-ID: <AM0P190MB0756A616DC740EF70E749BF0C06D0@AM0P190MB0756.EURP190.PROD.OUTLOOK.COM>
References: <BN8PR11MB37463090DCE5AF62C9D8B9E5C0930@BN8PR11MB3746.namprd11.prod.outlook.com> <m2y2xlsbsn.wl-randy@psg.com> <AM0P190MB0756169E6093C2C101BAF4EBC0920@AM0P190MB0756.EURP190.PROD.OUTLOOK.COM> <m2wod5ry24.wl-randy@psg.com> <CAEGSd=AtJP+_OSua=VONnw2peNmCtd9Wgiy_wRgZTBGxW2qbRA@mail.gmail.com>, <DM6PR11MB375560CF6609B2006C52196CC0920@DM6PR11MB3755.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB375560CF6609B2006C52196CC0920@DM6PR11MB3755.namprd11.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/e7flwYBAzn9M6gyPafAtRQSntvs>
Subject: Re: [Sidrops] ASPA false leak

Yes. Right on the floor.

________________________________
From: Jakob Heitz (jheitz) <jheitz@cisco.com>
Sent: Wednesday, October 16, 2019 11:31:46 PM
To: Alexander Azimov <a.e.azimov@gmail.com>; Randy Bush <randy@psg.com>
Cc: Ben Maddison <benm@workonline.africa>; SIDR Operations WG <sidrops@ietf.org>
Subject: RE: [Sidrops] ASPA false leak

So, should AS5 just drop the traffic?

Regards,
Jakob.

From: Alexander Azimov <a.e.azimov@gmail.com>
Sent: Wednesday, October 16, 2019 1:41 PM
To: Randy Bush <randy@psg.com>
Cc: Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>; Jakob Heitz (jheitz) <jheitz@cisco.com>; SIDR Operations WG <sidrops@ietf.org>
Subject: Re: [Sidrops] ASPA false leak

And another real-world scenario.

A significant number of route leaks today happen when an ISP uses the prefix-list of its customers as the only egress filter (no ingress filters/no communities).
In this case, just like in your scenario, it starts to leak its customers' prefixes when it gets them from providers/peers, thus spoiling the TE of its customers. Moreover, the customer can't even redirect traffic from such a misconfigured upstream provider even if it experiences a service degradation.

I don't believe we should legitimize such behavior.

Wed, 16 Oct 2019 at 09:42, Randy Bush <randy@psg.com>:
>> Consider the topology:
>>
>>    AS5      AS3
>>      \     /   \
>>       \   /     \
>>        AS4     AS2
>>          \     /
>>           \   /
>>            AS1
>>
>> AS1 has providers AS2 and AS4.
>> AS2 has provider  AS3.
>> AS4 has providers AS3 and AS5.
>>
>> AS5 receives a route with AS-path (4 3 2 1).
>> ASPA would declare that AS4 leaked the route from AS3 to AS5.
>> However, AS4 is an authorized provider for AS1.
>> Even though AS4 has a path to AS1, it chose to use an alternative
>> valid path to reach AS1.
>
> and that alternate path sure looks a lot like a route leak.

lemme try a different way

the attacker A3 wishes to siphon jelly beans from A5's traffic to A1.
so she convinces A4 to prefer the A4 A3 A2 A1 path, which A4 then
announces to A5 as her best path.  profit.

randy

_______________________________________________
Sidrops mailing list
Sidrops@ietf.org
https://www.ietf.org/mailman/listinfo/sidrops


--
Best regards,
Alexander Azimov
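The quoted topology can be run through the customer-to-provider hop check that ASPA upstream verification performs, which shows why AS5 flags AS4 for the path (4 3 2 1) and accepts the direct (4 1) path. This is an added illustration, not code from the thread or from any ASPA implementation; the `ASPA` table, the empty provider sets for AS3 and AS5, and the helper names are assumptions constructed for the example.

```python
# Added example: ASPA-style upstream verification over the topology quoted
# in the thread. Constructed ASPA records: customer AS -> authorized
# provider ASes. AS3 and AS5 are assumed to publish empty provider sets
# (they sit at the top of this small hierarchy).
ASPA = {
    1: {2, 4},
    2: {3},
    3: set(),
    4: {3, 5},
    5: set(),
}

def hop_state(customer, provider, aspa=ASPA):
    """Classify one AS_PATH hop from `customer` to `provider`.

    'valid'   - the customer's ASPA lists `provider`
    'invalid' - the customer has an ASPA that omits `provider`
    'unknown' - the customer has published no ASPA at all
    """
    if customer not in aspa:
        return "unknown"
    return "valid" if provider in aspa[customer] else "invalid"

def verify_from_customer(as_path, receiver, aspa=ASPA):
    """Verify a route the `receiver` AS got from a customer.

    `as_path` is in BGP order: neighbour first, origin last. Walking from
    the origin up to the receiver, every hop must be customer -> provider.
    Returns (state, leaking_as): the first AS that forwarded a route it did
    not receive from a customer is reported as the leaker.
    """
    hops = list(reversed(as_path)) + [receiver]   # origin ... receiver
    seen_unknown = False
    for customer, provider in zip(hops, hops[1:]):
        state = hop_state(customer, provider, aspa)
        if state == "invalid":
            return "invalid", provider
        if state == "unknown":
            seen_unknown = True
    return ("unknown" if seen_unknown else "valid"), None

if __name__ == "__main__":
    # AS5 receives (4 3 2 1) from its customer AS4: hop 3 -> 4 is not a
    # customer -> provider hop, so AS4 is the leaker.
    print(verify_from_customer([4, 3, 2, 1], 5))   # ('invalid', 4)
    # The direct path via AS4's customer AS1 verifies cleanly.
    print(verify_from_customer([4, 1], 5))         # ('valid', None)
```

Removing AS3's record from the table turns the same path into 'unknown' rather than 'invalid', which is the practical reason the thread's argument hinges on whether AS3 has published an ASPA at all.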