Re: [Sidrops] WG Adoption call draft-azimov-sidrops-aspa-verification

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Wed, 06 March 2019 00:27 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A8F1131127; Tue, 5 Mar 2019 16:27:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Zl8xEnNbHZh; Tue, 5 Mar 2019 16:27:52 -0800 (PST)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-eopbgr830138.outbound.protection.outlook.com [40.107.83.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B86D13113A; Tue, 5 Mar 2019 16:27:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OqFYdY4fvNckLuVjKwilnBY/NnV8HiIFBJU2zmSiZDw=; b=1NGMXLXbDOD7GR3fr5xZbn9yAHcpFRc2akamE05Rf3gGb8T/1UvB/ryNsM3/7Njp8SGflRO/jPMVQ87MgM4WinBtpvT41toM3m7SILMqTYbSGXb39X3/aTBEKTibhQ3/VAk9AKT3pAjsuZSobFWz1cq50ALrRn3GZh3HzUYjV9w=
Received: from SN6PR0901MB2366.namprd09.prod.outlook.com (52.132.115.159) by SN6PR0901MB2365.namprd09.prod.outlook.com (52.132.115.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.16; Wed, 6 Mar 2019 00:27:49 +0000
Received: from SN6PR0901MB2366.namprd09.prod.outlook.com ([fe80::5c3a:f8a5:80dd:2d85]) by SN6PR0901MB2366.namprd09.prod.outlook.com ([fe80::5c3a:f8a5:80dd:2d85%5]) with mapi id 15.20.1665.020; Wed, 6 Mar 2019 00:27:49 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Alexander Azimov <a.e.azimov@gmail.com>
CC: "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] WG Adoption call draft-azimov-sidrops-aspa-verification
Thread-Index: AQHUz46GzEO4+XNrd0q8gcAsK5oxyqX2kuYAgAKHMLCABDsgAIAAbffw
Date: Wed, 6 Mar 2019 00:27:49 +0000
Message-ID: <SN6PR0901MB2366EEEA3E1B00695EBF81EF84730@SN6PR0901MB2366.namprd09.prod.outlook.com>
References: <SN6PR0901MB236620AD0F6209170C9BD9A384750@SN6PR0901MB2366.namprd09.prod.outlook.com> <CAEGSd=AF=1Tf0-fL5Cy6uRx71nA0sCuSYbtKCUKQEoNvw=8B3w@mail.gmail.com> <CAEGSd=CEUKDbuabEaqPznBvVa1kJ+9GgBD8y_YumoUDK=cdAQA@mail.gmail.com> <SN6PR0901MB2366F6BAAB2E8E1B3DDD5E2084700@SN6PR0901MB2366.namprd09.prod.outlook.com> <CAEGSd=AGN_mJCF6tkxd+G3zRCqAPNJg7Tj2jGqbRaJ4GviGeuA@mail.gmail.com>
In-Reply-To: <CAEGSd=AGN_mJCF6tkxd+G3zRCqAPNJg7Tj2jGqbRaJ4GviGeuA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.140.161]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 75c859e2-a696-4574-991e-08d6a1ca9063
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:SN6PR0901MB2365;
x-ms-traffictypediagnostic: SN6PR0901MB2365:
x-microsoft-exchange-diagnostics: =?utf-8?B?MTtTTjZQUjA5MDFNQjIzNjU7MjM6THpSNXBmVDdSS1NyRVRBVDZ2WENCcnRR?= =?utf-8?B?alFwaTI5Sjl5bWlkWWs5a1FGaFVmaGk2QjAyUUhaTzVvRFR1SHhHT0dWd0px?= =?utf-8?B?NjA0aHFaL2dhbndMVnByR0x4RFhNOUdoOUlPbUduTjNocXd2bk1ST3VhZTc4?= =?utf-8?B?c0QvcWN0V3Z3Z24valRJRk55Sk1DSFV1Z2xuSnBHbm9sMk9iZGN2ZTVsWEZo?= =?utf-8?B?dXVXekVCaGUwNVc5OVo5WHkzQjFXRE1kM2ZLcjF2aFFyeVJaVFB4Y0lkL0dn?= =?utf-8?B?RGo2NEppU0tpWmxLcW9lekljQjV6WFpMNno4a3I4NTFXS3pzTm5uVVB2Ynpr?= =?utf-8?B?eHkwdHphK2ZpZGppZFRhK1pWSVFoRFdxSmR0NUlKeW9obTViY1dwSi9qVTVq?= =?utf-8?B?bGxxQ1UrNGRkTVgzaFlLdDYraitOb21ERjFnZkJwOEo4ODl1aXovV1RIdWk4?= =?utf-8?B?VXI5YnZRQVF3QVZJSGZWV2xqL1RlTkJMalFWczI3NTU0dTd6SGoxbVgzY2xR?= =?utf-8?B?bmZzTlpZUHI0R0ZLalRrUTJ3Nkd5c2ZGNnN2WVBWQ2ZDN2lsRm1hbGNmUG1o?= =?utf-8?B?NVlIV0xCMnpaelpmcWIwMVMvU0IxZHIxdU9BT2p4R2R5V0RrdEc3QTdHT0Fy?= =?utf-8?B?enh5eVlYRTNrMzluUjhvc2N3VjlSZjkxYUlCSzZGeXUybllSN2JpK2hGM3dD?= =?utf-8?B?enkwenR3OXVRWTlKTTgwZkRQbU9HZzFCMVUvd2RKbC80Y0VRdG5iUFBpYWQ5?= =?utf-8?B?dWVGSGpxR0RDaktPUTlyclNVNCsrQWZUSGNtK0l1OXVzY0tMLzRVOG52SjJE?= =?utf-8?B?UVVwelpUdllFOUlqUVJ5SjVrbzI3R2RFNkpjMXhOc09HSDlZOHh3YndCdFNv?= =?utf-8?B?WEZuZk1CbHRHUDY4WjZVVkhFVkNoY3dxekdKSHpEWjg1UFVid3RHc1lKV0to?= =?utf-8?B?VkJBS2JpdlRwMi8yYWNDY3RpYURrdnAyV25PTjhMeU5zb0d2dDVwK1ZQYUM5?= =?utf-8?B?aVB3dVpKbWMySWozSmppU21rcVpBSzNTdW9YeXgrZ2RDSENKSU1wU2JCTGtD?= =?utf-8?B?dnZPM1Y5dHpBM3U4b1V5bmMzNEw0QVJvYk1acm0rZzlCa2pYREtlKzJIamxh?= =?utf-8?B?aE05c2luRDFQVkRSSzVWTTQ0WFVvckZqOU1LNFFXcUY1aU5uWndUTGFiMExw?= =?utf-8?B?QmpTOENzamMxbE1kb1ZuV1FYRFlYdk5KZ1lLbEZIRzIwWVVUcnFWZ0ZURG50?= =?utf-8?B?emt1ZFhZbzFWWW5zN1VEN0Jzc1hBb3F6dlA4cHl6Q0orakt5ajQ0NDVOSFpG?= =?utf-8?B?QytDWm5icHc2S0FaM01IcjMzQk0yMWMzNWF0aXNwbm5rWE1mMG8xUVU5R214?= =?utf-8?B?OHBVeGhBTHMrdTRtSjVycHFzcVRQN2RPcnRta3EvQjlEand0VjdjTDZhYlZU?= =?utf-8?B?bFA3WitXMUJselE4NTlsNmhwdWVIaGZSYU1HczMrL09IQXpkVzZPTFhlbmlO?= =?utf-8?B?NDZFVE1wVGQ2Sk1vZ1dHL3lZY1pBcWRFUXcxQkZLc1lDNEh0aytYRWNyYkpE?= =?utf-8?B?Vnk1OHVuZG51Tlk2bVJFOFFOUjNJMmRmUmdXWGpqN2VrUW1xU2pRNWplaGhm?= =?utf-8?B?SnFUUFc3blU0SjAvQWlna3JidUV6QUVWd1JaSXdmTjREUXRWQi8zbWR6enNk?= =?utf-8?B?YlVCNExzL3FZUjdSd2hMRzdtSW5zVUY1c1Q4Mkhrd25wWVBJM1RPM0NucWRz?= =?utf-8?B?ZWsxNVY1MWdDWGRpRXFKNTlOWFhGNlNsSWZOY21XR29MbmdLcUNmeTJYTVB6?= =?utf-8?B?aXlMdm9pTktRbWE5bC9NQzY2cFFJdjhpL05SQnF4K3paWVgybnFnTlNNRFBu?= =?utf-8?B?OE1ZekcxQ3hoZVNWYXQ4NlJMdGhQaDZXa3NzWDNHVUwyem00RHRXMGNOVlU5?= =?utf-8?Q?hvp/tCRcHwk2xP7AzzcQK3tctAFMJQjc=3D?=
x-microsoft-antispam-prvs: <SN6PR0901MB2365F6995EE8B1845FC6201C84730@SN6PR0901MB2365.namprd09.prod.outlook.com>
x-forefront-prvs: 0968D37274
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(136003)(376002)(39860400002)(346002)(396003)(52314003)(189003)(199004)(81156014)(81166006)(446003)(15650500001)(93886005)(14454004)(10710500007)(790700001)(3846002)(6246003)(2906002)(106356001)(11346002)(478600001)(86362001)(2420400007)(4326008)(256004)(99286004)(14444005)(6116002)(486006)(105586002)(476003)(9686003)(68736007)(229853002)(53546011)(236005)(7736002)(76176011)(25786009)(54896002)(186003)(6506007)(55016002)(26005)(6306002)(6916009)(71200400001)(52536013)(6436002)(8936002)(97736004)(71190400001)(316002)(66066001)(53936002)(54906003)(74316002)(8676002)(102836004)(33656002)(5660300002)(7696005); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR0901MB2365; H:SN6PR0901MB2366.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: et7GRnwGHfIJhifPVqe+2uWBNhlL13T6xIhBxv+WYibCVmJQOC4KuTSa/ypsjJdrYk4ihSS4gOQz9MKCmHMZ5qEfKBlF7cxglAAZduPqdwHLo5Zhdp+2QXfszgURHY1RevRRaT12n9LnGXF/howL2dQq+WQSqlBz8uz2cLTNjSC2oomKrU0azvaDSdVrq6/ctjX43gvjRVksAO0pgh56b3VggN+D4eAx+vcFTU4iJ/26J7+VtdKWPOq0AELiBEIoVY2rcX4nOX1iT8xivLYJkzgy6UgS/ZQZYlcQIP/wZfsBw+hFHLqejzHSpHPVRdVFLJM8vBTsMChHSLK/y2Hm28+acsFS1JPcG9hlQTTNb1DgUmqwP6WAz2lcteAmoZ4OqdfxDyNU/JBgLCvdVeRqPfQw9huH+GdxxxtLKYmSV10=
Content-Type: multipart/alternative; boundary="_000_SN6PR0901MB2366EEEA3E1B00695EBF81EF84730SN6PR0901MB2366_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 75c859e2-a696-4574-991e-08d6a1ca9063
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2019 00:27:49.5734 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR0901MB2365
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Ppen7WJ3fG9DJe3DSV1KqIHEloo>
Subject: Re: [Sidrops] WG Adoption call draft-azimov-sidrops-aspa-verification
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 00:28:01 -0000

Honorable Chairs: You may count me in as ‘support’.

Hi Alex,

Thanks for clarifying ASPA0 use for Tier1. I overlooked before. I am good now.

For the BGPsec downgrade vulnerability (or lack thereof),
let discuss that in Prague with white board/paper.
If I were you, I would remove negative statements concerning this in the draft.
I am sure I can clarify and help with this.

We can further discuss/clarify some of the other points also when we meet.

Thanks.

Sriram

From: Alexander Azimov <a.e.azimov@gmail.com>
Sent: Tuesday, March 5, 2019 12:38 PM
To: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
Cc: sidrops-chairs@ietf.org; sidrops@ietf.org
Subject: Re: [Sidrops] WG Adoption call draft-azimov-sidrops-aspa-verification

Dear Sriram,

Please see my inline comments.

вс, 3 мар. 2019 г. в 04:36, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov<mailto:kotikalapudi.sriram@nist.gov>>:
Hi Alex,

So, yes there are things we need to careful about in the design.
Also, got to be careful about claiming, “this mechanism
guarantees detection of both malicious and accidental route leaks”.

There is a new Comment #0 that I have added here.
And I have other comments inline below.

Comment#0:
One more thing occurred to me. This is very basic.
Consider these frequently occurring examples of route leaks:

AS1 (Tier 1)----P2C---->AS2 (customer)----C2P-----> AS3
AS1 (Tier 1)----p2p---->AS2 (Tier 1)----p2p-----> AS3 (Tier 1)

AS2 leaks the route learned from AS1 in both cases above.
AS1 being a Tier 1, never has to create an ASPA (has no providers).
Regardless of whether AS2 created an ASPA or not,
AS3 is not able to detect the leaks in both cases above
(per algorithm in the draft).
This same issue arises even in the example of Comment #2
if AS3 in that example were a Tier 1.
You seem to be misreading in section 6. Quote:

   An ASPA with a provider AS of 0 is a statement by the customer AS

   that the its routes should not be received by any relying party AS

   from any of its customers or peers.
So, Tier1/IXes should create only ASPA0 - and it will be enough to detect anomalies with its prefixes by any other ISP in the world.

>Can you please clarify to me next scenario with three ISPs:
> - Victim advertises /23 to Upstream, does use BGPSec,
>    has ROA record with maxlength 24
> - Upstream, does use BGPSec
> - Attacker, advertises /24 that belongs to Victim, adds its ASN at
>    the beginning of ASPath, doesn't use BGPSec
>Will Upstream, according to RFC8205, accept the hijacked route from Attacker?
>Anyway, I'm open for discussion about proper wording here.

The idea of a BGPsec cloud (some call it island) needs to be understood.
I hope you had chance to read RFC 8205 Section 7.9 –
the idea of contiguous BGPsec ASes.
A group of contiguous BGPsec ASes decides that they
require signed updates (i.e., BGPsec) from Day X *within their cloud*.
What that means is that they have knowledge that they are
contiguous (all connected to each other by some # of hops),
and they all do BGPsec. And they decide that BGPsec must be done
end-to-end within their BGPsec cloud.
Then from Day X, they require signed/valid paths for prefixes
that *originate within their BGPsec cloud*.
(Prefixes originated from outside the cloud may be unsigned
and may possibly be subject to signature stripping.)
Then in your example, the attack is not possible within the cloud
(i.e., if attacker strips the signatures for any prefix that originated
in that BGPsec cloud, his unsigned update is Invalid and not accepted;
it would be the same as the attacker himself suppressing the update.)
I've read 7.9 section multiple times, and there wasn't able to find anything related to 'clouds' or conditional acceptance of unsigned routes if there are signed less specifics.
May be you would like to write another document that will clearly describe this procedure?

  >>Comment #2: Improvement of the algorithm for detection
---- snip -----

> This suggestion sounds great but it has an issue. Imagine that AS3 and AS4
> have what is commonly named 'complex' relation. So they are both
> customer-provider to one another. And in your scenario, where only AS4
> creates ASPA it may result in rejection of valid routes, which will make
> AS4 quite unhappy...

Yes, agree. ASPA has a shortcoming nevertheless.
You have suggested an improvement and I explained why it is not applicable. I've never heard that careful design is a shortcoming.

>> Comment #4: Not all malicious leaks / hijacks are detected
>>
>> In the topology below, AS2 leaks the path it learned from its peer AS4 to
>> its provider AS3 with path modification to avoid route leak detection,
>> or one may think of it as a hijack with feasible path insertion.
>> In either case, the Update: p2 AS2 AS1 from AS2 to AS3 is
>> illegitimate but defies detection despite all ASes participating in ASPA.
>>
>>          AS3                                                              AS5
>>               \  p1 AS2 AS1                                     /
>>                 \ p2 AS2 AS1                                 /
>>                    \                                                 /
>>                      \         <----p2 AS4 AS1--    /
>>                        AS2 -------p2p----------AS4
>>                           \                              /
>>                              \ p1 AS1           /p2 AS1
>>                                  \                 /
>>                                       AS1
>>                                    (p1, p2)
>>

> Thinking about it as hijack adds simplicity to the picture. Customers may
> still be hijacked by its direct or indirect providers. While it
> significantly limits the attacker vector and highly unlikely to happen in
> the real world, it must be clearly stated in the draft. Pushed to stack.

It is both. Hard to rule out malicious leak with path modification.
When considering malicious scenarios, the above would not be unlikely.
I think this is typically what the determined attacker (AS2) might do to
maliciously increase their revenue.
Do you think that malicious attack from the provider, that has contracted agreement with its customer (and already propagates customer's prefixes) is likely to happen?
From what I know from real hijack issues - it's not.

>> Comment #5: Path verification vs. path feasibility
>>
>> Based on the above examples, in the draft, perhaps it is better to say
>>
>> that the path is assessed feasible rather than say that the path is
>> verified.
>>

> I'm not a native speaker but for me 'feasibility' sounds a bit odd. I
> would be glad to learn other opinions from the wg members. Anyway, this
> question should not become a showstopper.

BGPsec provides hard assurance that path seen in the update is correct.
ASPA can provide confirmation that the path is possible/feasible.
It cannot assure that path seen in the update is the actual path
that the update traversed. This is clear from the above example (Comm. #4).

We can meet in Prague. I'll be happy to discuss
and we can try to help resolve these (to the extent possible).
Arguing about BGPSec isn't my goal at this point in time, nor it is the purpose of the draft.
I can't say you convinced me about naming, but as you know, I'm always open to constructive discussions.

--
Best regards,
Alexander Azimov