Re: [Sidrops] ASPA: Is this really a leak?

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Wed, 16 December 2020 19:57 UTC

From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Jay Borkenhagen <jayb@braeburn.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Date: Wed, 16 Dec 2020 19:57:52 +0000
Message-ID: <BYAPR11MB32070C5D14ED8CF368D05785C0C50@BYAPR11MB3207.namprd11.prod.outlook.com>
References: <BYAPR11MB3207E12FA868D4ECCF064161C0C60@BYAPR11MB3207.namprd11.prod.outlook.com> <24538.14458.724169.315853@oz.mt.att.com>
In-Reply-To: <24538.14458.724169.315853@oz.mt.att.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/eFcFEOotMFqt7m9__ofi8Y-PpCA>

Jay,

I disagree that the algorithm in ASPA rejects routes whose AS_PATHs are
contra-indicated by the expressed wishes of the AS resource-holders,
as communicated by the set of validated ASPA records.

I posit that it rejects more than that.

Suppose AS1 has providers AS2 and AS20.
AS20 is also a provider for AS2.

What I am proposing is that AS2 should be allowed to divert traffic
that it received from the Internet through AS20 on its way to AS1.
Internet --> AS2 --> AS20 --> AS1.
The algorithm stated in ASPA prevents that.

Nobody is breaking any laws or contracts by doing that. Nobody is
seeing any traffic that they are not permitted to see by doing that.
This kind of diversion happens frequently on the internet and
ASPA should not prevent it.

The big difference is that AS2 is a provider for AS1.
If it were not, then ASPA absolutely should reject the path.

Regards,
Jakob.

-----Original Message-----
From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Jay Borkenhagen
Sent: Wednesday, December 16, 2020 8:40 AM
To: Jakob Heitz (jheitz) <jheitz=40cisco.com@dmarc.ietf.org>
Cc: sidrops@ietf.org
Subject: Re: [Sidrops] ASPA: Is this really a leak?

Jakob Heitz (jheitz) writes:
 > https://tools.ietf.org/html/draft-ietf-sidrops-aspa-verification-06
 > finds suspected leaky AS paths.

No, not really.

draft-ietf-sidrops-aspa-verification rejects routes whose AS_PATHs are
contra-indicated by the expressed wishes of the AS resource-holders,
as communicated by the set of validated ASPA records.

It's thus up to each party publishing ASPA records to ensure that all
necessary upstream and mutual transit relationships are explicitly
authorized.

						Jay B.


_______________________________________________
Sidrops mailing list
Sidrops@ietf.org
https://www.ietf.org/mailman/listinfo/sidrops
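The check Jakob describes, worked through as an added example (this is not code from the draft or from either poster): a small Python model of the draft's upstream-path procedure, as I read it, for a route received from a customer or lateral peer. The receiver walks the AS_PATH from the origin toward itself and requires every hop to be customer-to-provider according to the customer's validated ASPA record. The hop-state names, the prepend handling, and the ASPA records themselves (including a made-up upstream AS100 for AS20, so that AS20 has a record of its own) are my assumptions; the draft's downstream procedure for routes received from a provider is not modelled.

```python
"""ASPA upstream-path check worked through on the topology from the thread.

Topology (from the message): AS1's providers are AS2 and AS20; AS20 is also
a provider of AS2.  AS2 learns AS1's prefix from AS20 and re-announces it to
the rest of the Internet, so a provider or lateral peer of AS2 receives the
AS_PATH [2, 20, 1] and applies the upstream procedure.  Only that upstream
case is modelled here; names and table layout are this example's own.
"""
from typing import Dict, List, Set

# Customer ASN -> set of provider ASNs it has authorized in a validated ASPA.
# An ASN missing from the table has published no ASPA at all.
AspaTable = Dict[int, Set[int]]


def hop(aspa: AspaTable, customer: int, provider: int) -> str:
    """Judge the hop customer -> provider from the customer's own ASPA record."""
    if customer not in aspa:
        return "no-attestation"
    return "provider+" if provider in aspa[customer] else "not-provider+"


def collapse_prepends(as_path: List[int]) -> List[int]:
    """Drop consecutive repeats (AS path prepending) before judging hops."""
    out: List[int] = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def verify_upstream(aspa: AspaTable, as_path: List[int], neighbor: int) -> str:
    """Verify a route received from a customer or a lateral peer.

    as_path is in wire order: as_path[0] is the neighbour that sent the
    route, as_path[-1] is the origin.  Walking from the origin toward the
    receiver, every hop must be customer -> provider: an upstream route is
    only allowed to climb.  One hop the customer has explicitly not
    authorized makes the route Invalid; a hop whose customer has no ASPA
    leaves it Unknown; all hops attested gives Valid.
    """
    path = collapse_prepends(as_path)
    if not path or path[0] != neighbor:
        return "Invalid"  # leftmost AS must be the neighbour that sent the route
    states = [hop(aspa, path[i + 1], path[i]) for i in range(len(path) - 1)]
    if "not-provider+" in states:
        return "Invalid"
    if "no-attestation" in states:
        return "Unknown"
    return "Valid"


# Constructed ASPA records for the thread's topology.  AS100 is a made-up
# upstream of AS20 so that AS20 has an ASPA record of its own.
ASPA_ALL: AspaTable = {1: {2, 20}, 2: {20}, 20: {100}}
# Same topology, but AS20 has published no ASPA.
ASPA_NO_AS20: AspaTable = {1: {2, 20}, 2: {20}}


def diverted_path_result(aspa: AspaTable = ASPA_ALL) -> str:
    """Internet --> AS2 --> AS20 --> AS1, as seen by a provider or peer of AS2."""
    return verify_upstream(aspa, [2, 20, 1], neighbor=2)


def direct_path_result(aspa: AspaTable = ASPA_ALL) -> str:
    """AS2 --> AS1, the path AS2 announces when it hands traffic straight to AS1."""
    return verify_upstream(aspa, [2, 1], neighbor=2)


if __name__ == "__main__":
    print("diverted, AS20 has an ASPA:", diverted_path_result())
    print("diverted, AS20 has no ASPA:", diverted_path_result(ASPA_NO_AS20))
    print("direct AS2 -> AS1         :", direct_path_result())
```

The hop that fails is AS20 -> AS2: AS20's record lists AS100, not AS2, so from the receiver's side the path descends from a provider into a customer before climbing again, which is exactly the valley shape the procedure rejects. Note that the verdict depends on AS20 publishing a record at all; without one the same path is merely Unknown, and nothing in the ASPA of AS1 or AS2 can turn it Valid, which is the point Jakob is making about AS2 also being a provider of AS1.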