Re: [Sidrops] ASPA false leak

Ben Maddison <benm@workonline.africa> Wed, 16 October 2019 06:36 UTC

From: Ben Maddison <benm@workonline.africa>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, Randy Bush <randy@psg.com>
CC: SIDR Operations WG <sidrops@ietf.org>
Date: Wed, 16 Oct 2019 06:35:55 +0000
Message-ID: <AM0P190MB0756169E6093C2C101BAF4EBC0920@AM0P190MB0756.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <BN8PR11MB3746EFDFEBACCE9A0D66AABCC0920@BN8PR11MB3746.namprd11.prod.outlook.com>
References: <BN8PR11MB37463090DCE5AF62C9D8B9E5C0930@BN8PR11MB3746.namprd11.prod.outlook.com> <m2y2xlsbsn.wl-randy@psg.com>, <BN8PR11MB3746EFDFEBACCE9A0D66AABCC0920@BN8PR11MB3746.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/iP5e9xvfl8rKEYz4UhK0bsuuSuE>
Subject: Re: [Sidrops] ASPA false leak

Hi Jakob,

The distinction here is between path selection and announcing transit. AS4 in this example is entirely entitled to select the path via AS3, but unless authorized to do so, is not entitled to announce it to non-customer peers.
I think the operation of the model is correct in this example.

In fact, today, if AS4 is replaced by AS37271 in this example (us), and AS1 were to set 37271:120* on their direct session with us, the result would be that we select the path via peering with AS3, but not announce it to non-customers: exactly as expected in the ASPA model.

Cheers,

Ben

* set LP below default value for routes from peers

________________________________
From: Sidrops <sidrops-bounces@ietf.org> on behalf of Jakob Heitz (jheitz) <jheitz@cisco.com>
Sent: Wednesday, October 16, 2019 5:31:57 AM
To: Randy Bush <randy@psg.com>
Cc: SIDR Operations WG <sidrops@ietf.org>
Subject: Re: [Sidrops] ASPA false leak

The actual path is (5 4 3 2 1). Technically a leak.
However, all transited ASes are authorized, therefore it should be allowed.
The alternative is (5 4 1). Not a leak.

Regards,
Jakob.

-----Original Message-----
From: Sidrops <sidrops-bounces@ietf.org> On Behalf Of Randy Bush
Sent: Tuesday, October 15, 2019 6:46 PM
To: Jakob Heitz (jheitz) <jheitz@cisco.com>
Cc: SIDR Operations WG <sidrops@ietf.org>
Subject: Re: [Sidrops] ASPA false leak

> Consider the topology:
>
>    AS5      AS3
>      \     /   \
>       \   /     \
>        AS4     AS2
>          \     /
>           \   /
>            AS1
>
> AS1 has providers AS2 and AS4.
> AS2 has provider  AS3.
> AS4 has providers AS3 and AS5.
>
> AS5 receives a route with AS-path (4 3 2 1).
> ASPA would declare that AS4 leaked the route from AS3 to AS5.
> However, AS4 is an authorized provider for AS1.
> Even though AS4 has a path to AS1, it chose to use an alternative
> valid path to reach AS1.

and that alternate path sure looks a lot like a route leak.

randy

_______________________________________________
Sidrops mailing list
Sidrops@ietf.org
https://www.ietf.org/mailman/listinfo/sidrops
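The topology Jakob describes in the quoted thread, run through an ASPA-style upstream check and through the export rule Ben describes, as an added example (not code from any message in this thread or from the ASPA draft). The ASPA records are constructed from the quoted customer/provider statements; it is an assumption that AS3 publishes an ASPA with an empty provider set (so the AS3 -> AS4 hop is an explicit "Not Provider+" rather than unattested) and that AS5 publishes none. The per-hop verdict names and the Valid/Invalid/Unknown outcome follow the customer-or-peer-received path check of the ASPA verification draft as read by the editor; `may_announce` is a hypothetical helper encoding the valley-free export rule that Ben's local-preference configuration produces.

```python
from enum import Enum

class Hop(Enum):
    """Verdict for one adjacent pair (customer, claimed provider) in the AS_PATH."""
    PROVIDER_PLUS = "Provider+"
    NOT_PROVIDER_PLUS = "Not Provider+"
    NO_ATTESTATION = "No Attestation"

# Constructed ASPA records: customer ASN -> set of authorized provider ASNs,
# taken from the quoted topology (AS1: providers AS2, AS4; AS2: AS3; AS4: AS3, AS5).
ASPA = {
    1: {2, 4},
    2: {3},
    4: {3, 5},
    3: set(),   # ASSUMPTION: AS3 attests that it has no providers
    # AS5: ASSUMPTION: no ASPA published
}

def hop(customer, candidate_provider, aspa=ASPA):
    """Is candidate_provider an authorized provider of customer according to ASPA?"""
    providers = aspa.get(customer)
    if providers is None:
        return Hop.NO_ATTESTATION
    return Hop.PROVIDER_PLUS if candidate_provider in providers else Hop.NOT_PROVIDER_PLUS

def trace_upstream(as_path, receiver, aspa=ASPA):
    """Per-hop verdicts for a route received from a customer or lateral peer.

    as_path is the AS_PATH as carried in the UPDATE (neighbour first, origin
    last). Walking from the origin towards the receiver, every AS must be an
    authorized provider of the AS before it; the receiver itself is the last
    hop, so the neighbour must have authorized the receiver too.
    """
    chain = list(reversed(as_path)) + [receiver]
    return [(chain[i], chain[i + 1], hop(chain[i], chain[i + 1], aspa))
            for i in range(len(chain) - 1)]

def verify_upstream(as_path, receiver, aspa=ASPA):
    """Collapse the hop verdicts: any Not Provider+ -> Invalid,
    all Provider+ -> Valid, otherwise Unknown."""
    verdicts = [v for _, _, v in trace_upstream(as_path, receiver, aspa)]
    if any(v is Hop.NOT_PROVIDER_PLUS for v in verdicts):
        return "Invalid"
    if all(v is Hop.PROVIDER_PLUS for v in verdicts):
        return "Valid"
    return "Unknown"

def may_announce(learned_from, announce_to):
    """Valley-free export rule (hypothetical helper): a route learned from a
    provider or peer may only be announced to customers. Path *selection* is a
    separate, purely local decision and is not constrained here."""
    if learned_from == "customer":
        return True
    return announce_to == "customer"

if __name__ == "__main__":
    # The path Jakob questions: AS5 receives (4 3 2 1) from its customer AS4.
    for customer, provider, verdict in trace_upstream([4, 3, 2, 1], 5):
        print(f"AS{customer} -> AS{provider}: {verdict.value}")
    print("(4 3 2 1) at AS5:", verify_upstream([4, 3, 2, 1], 5))   # Invalid
    print("(4 1) at AS5:   ", verify_upstream([4, 1], 5))           # Valid
    # Without AS3's record the same hop is merely unattested.
    print("(4 3 2 1), no ASPA for AS3:",
          verify_upstream([4, 3, 2, 1], 5, {k: v for k, v in ASPA.items() if k != 3}))
    # Ben's distinction: AS4 may prefer the route learned from AS3, but may not
    # hand that route to AS5 (a provider), only to customers such as AS1.
    print("AS4 selects via AS3, announces to AS5:", may_announce("provider", "provider"))
    print("AS4 selects via AS3, announces to customers:", may_announce("provider", "customer"))
```

The hop AS3 -> AS4 is the one that fails: AS4 appears as a provider of AS3 in the path, and nothing authorizes that, which is exactly the pattern of a route learned from one provider being re-exported to another. The alternative path (4 1) verifies cleanly at AS5, matching Jakob's "Not a leak" for (5 4 1).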