IETF Logo Mail Archive

Re: [Sidrops] request to consider draft-spaghetti-sidrops-rpki-prefixlist for WG adoption

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Thu, 10 August 2023 00:04 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A78EC15270E for <sidrops@ietfa.amsl.com>; Wed, 9 Aug 2023 17:04:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.109
X-Spam-Level:
X-Spam-Status: No, score=-3.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.999, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJF9gykoSQfV for <sidrops@ietfa.amsl.com>; Wed, 9 Aug 2023 17:04:37 -0700 (PDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on2093.outbound.protection.outlook.com [40.107.89.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79504C15106E for <sidrops@ietf.org>; Wed, 9 Aug 2023 17:04:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KoW9qtcfsBPDs0kv3/lm9rBGORD5ZeOcHfmTQp7df433PYUCFpFI7LAx8CLHDuXpaO/r9PiObTbA47m08Uz6hcZRJXTc/CiZs4HhpINYmkShUJnXvrhmtBKVv7qspcvHfnfz/1fhAhjfqCPT7efDDndj8tREBBg7D0CmrgvoJX5V6lxoHLXOUll0aBJ6B8geu9XKxSokAQnwB2B/90Pz+CbUi3hwfONT+JXQmh5t1m8dm6ey9JM2WpZimR1ZuXuKO3m+tjkv9xgOKeaqR4QwXKCUmtVAqcOPjTAorCn7AXVwfKIRp1j075TdGAa1Z/5i/UouHgcRfJvsbL1WLdfewQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7oJ9qqqGc/g0nEvNF1zfrfzjX0ZogcJr73MFadwaeGE=; b=Sn09gmO+caIdFhP0KNA20HcZw+eK7psA5xkeLufdD5klKT2tbgsBCgrYKmBXlgGFHDLBijJQdSyj5WcTpd8b5agJvxEc+x8/XW/irvU4e42uJ1hFUNfbo870tNWCZOJHEg8JbfSO3k3nMg5O8zrchyZcmzWNlXBvGGkE5GTCuLj7sKbEZh/6WfJw3rpV2tHIhMNLCHar+x6CS3uIIPy3Ct+zgBhupFaCsvaO+OyZgICoXAwm0KaexpkXW6nOSoFwvfJJIXCJZBZs3JuwTZItJdJj6wY6ol8mmb6YVzjri4ZyRBqmbXnXb2TNsPk1k0Qa99PySClbGOLrVHXDdgUZbw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7oJ9qqqGc/g0nEvNF1zfrfzjX0ZogcJr73MFadwaeGE=; b=YnN0Fn4K8g5yXVaCUXwCSu0P88+G6U3gBXM/c4el2AJB0ys2LsAFuUGzRxu4R34o9tnPiHTSo+Jv8bQKqPsKgaQap9yD+WBb1OyuBsnho4PFchpSkBHevOEPpU3GLodnAHeUF/3jmf/UF0wa4nzu47E+ayU1j8lkIFpHrmiJ1pj/4jYIbzU6q5W1zi80wGz+AAjvln3r2UDMS0mDwyjpClFOaUIO4uvAkj0KJFL5+8bjACD3KApOH/aoFqHt0/Zj6S39oMj+yRp2+3Qxu9vABKrFCNZ3yh25bu0PUQ5hodxu7sF0vZsosT7pA4QBpQ8Qfpi6gOy0rWHaQPc7RFUcFg==
Received: from SA1PR09MB8142.namprd09.prod.outlook.com (2603:10b6:806:171::8) by BLAPR09MB6228.namprd09.prod.outlook.com (2603:10b6:208:28b::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6652.30; Thu, 10 Aug 2023 00:04:32 +0000
Received: from SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::e94c:25d9:4f59:7846]) by SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::e94c:25d9:4f59:7846%6]) with mapi id 15.20.6652.029; Thu, 10 Aug 2023 00:04:31 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "gih902@gmail.com" <gih902@gmail.com>, Yangyang Wang <wangyy@cernet.edu.cn>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "\"Dale W. Carder\"" <dwcarder@es.net>
Thread-Topic: [Sidrops] request to consider draft-spaghetti-sidrops-rpki-prefixlist for WG adoption
Thread-Index: AQHZvx/6R7sNwzqkVEOM3yogtr3t86/QllUAgAHucmCAAEjXAIABoaYwgACFggCAAvp6AIAADlSAgAo7tyCAAE+1IA==
Date: Thu, 10 Aug 2023 00:04:31 +0000
Message-ID: <SA1PR09MB8142AB3638F9A737706B89358413A@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB8142D5B0AFE288F6494E27E68403A@SA1PR09MB8142.namprd09.prod.outlook.com> <ZMAKd1F8MnnkNowl@snel> <000001d9c20a$4b63bf30$e22b3d90$@cernet.edu.cn> <SA1PR09MB814241FCE402C998B8B5CB028404A@SA1PR09MB8142.namprd09.prod.outlook.com> <70F6B97C-55FB-4F76-93B8-59CCA681294B@gmail.com> <SA1PR09MB81421C3E226CA3ED52D874D9840AA@SA1PR09MB8142.namprd09.prod.outlook.com> <96923A47-FDCC-4F03-A5F3-8C655B7CE98B@gmail.com> <004b01d9c5b6$c08c24f0$41a46ed0$@cernet.edu.cn> <52ECA8DC-A412-4D8B-B12C-9E763BCB5840@gmail.com> <SA1PR09MB814284E05F7CB79FC369B5F98412A@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB814284E05F7CB79FC369B5F98412A@SA1PR09MB8142.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR09MB8142:EE_|BLAPR09MB6228:EE_
x-ms-office365-filtering-correlation-id: b0187267-acf3-41cc-4de6-08db99355f89
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0+DuTdVYDJUI31qlTcJ6TX4o83zzS697iD54jmXJNHg1MnfH/WFgphKksePQFc2XcItPTDgjjvJoks4c84t/h2vBtIHzDmXB699WvUiMMjsxuIH1PPcBzgvVVVLCTdN17qo2VhNx04BKAogZsd6osQdNhIA+k0EtHNN5xS17cemX2iXMcCixfrns21i47o6COZFErqCqA7ta8TqRMb+1SttuHnWbCy9K9zGHYMGAMCN7sHa7z0V6gLFlkdlTs39kfUS2WRRV3HbMIxV5Ov0kS/eO6TWz13UXKB1vKQFykwpkOl4cOfH6HGyN7rutDxa0JpFkGSaSkvUYauzeei70GEEkmHqPdiLKlVFNCPufUZNbiI5mD90d+shqlvukd1FOAnr7/FVUwxm2wL/AzCPwQ2jueHT360ZgB3+/OpNgQ31NbgY5BG6nkXHIBXXKd6blixQTAbnBUKWlK2tCkeK2Hj08SmHD6MBc12FS4NJtETPXn22n/ayX95RiR1cbTFp7LFB91F3QeXI6ql8vhuD0/rfcQmjechEDU3CEsbiyrVwGjpQ0JJooQncTTjo7fo6dI6wp/IHeUsPdC+DdWM/waHlARMEn6Qj2+KJOn3w2NUkrQag6Ti9RcB7VynTcKZ9v
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR09MB8142.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(366004)(451199021)(186006)(1800799006)(55016003)(66446008)(66946007)(64756008)(76116006)(66476007)(66556008)(53546011)(6506007)(54906003)(26005)(498600001)(71200400001)(110136005)(83380400001)(33656002)(9686003)(4326008)(7696005)(2906002)(38070700005)(8936002)(86362001)(82960400001)(8676002)(122000001)(5660300002)(52536014)(38100700002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 4VzPWS6epJkrNBmmyJOpyXzVvaJuhEosdKb2Tzr53bLdM68dGJM6y7V08yZVBQ9BJIE6N6YMYfXZUh6JvxRouERZWR5A+EJvOpriTNOECAo1f5cInTvanhGkvLnmMXfRbwpYaHr0fUO852ukXxK+TGKJuwpRFcO6Ctqs/IJlBxKqdvmpJMBs9RKVvkyzgn6WlTwGAERmNRFKu7rhLfxpEfDWcLRmKi3Qq5qqQ7doo3aFjv8dWHADR2GYCJFZ2don1+oJmm/XDj5CPfth9YuK/CUd3H8R8+yXsZWiWzQcOznOM7mIDxnuS699xYLtvmEzYJzxhq9Dao213faQ3T38zdOvU+0T3IOQErfHrq2NX3Qoz4LSjMiiEVFoimgy8Nsg8o/vzFmH1zawjVvF/9fAEBZADFdPlr4C1qCbf7e+HKajySLmSVddWWqlfrdRx+my4I1mjLts6rbrQRiQEGDC5SQEsFTTkRHe7h8T4WTM6BTcBsLNc3P8Oqw3YZJZBV7IIkC6u66Ku7zOUcD5F5xT29cvz+5VZAxVZ0Z++uPEGqofB3U1bkKgGsVA5wIkAY6kdcJZz592S08n1GR1GmNNjv7oPekzvI8Pyfl6BkB0WSlOPK9cazah2ZdUfChAFP8xi3CtjZhmrwssUxf2U6le4MRgFognj28rD0nXZwAqQjVXCV4JvudlsZcXMXxphMHYDI49XdIOTV7fOR7D8eVdBGN/7Jhg4v1zxdKE0U8cT2GmCflzGsffsfRF94fzz2Ril6SKTAVh/yV4LPHyxm3JnDxyK+sba/vVu6uNMWbtSP2aAwBuAvQ67DBxbo1S4Kko6rbLyfwuKEwlZ8d4uot1/k0hawzILjA2O7ri6PCmjoXY/dS50zLbDNymA5WfS/FKo0N9q2AIVyE8JkHaVisCw5FjrrkuRQ/9RE63oiQ/FSliR8R7bL+1wFdPRMaSMWUoxH3kYmQQJkO9ovew3tgix1Y6ij7dSmqcE8guVXvs5sfawiZmga62miRlkc1jnL0wpDt4RPvFnpvqSo6SZUF8YQdWs7aU3mY77nYhqPtBZ+rrhur9R48FzJEKPb6H3oRcb/gOVZOXakI9sRB5pNo85MoGon8hJKf04DP0P24K5KxhS56Crq7eqIU/uyLvUaMa93zRjzmesVAVMnqrOYlz6G+KfOTmSwdrZlZriiDbm3ovbg7oEYA0t9g46kBXa1LP3b6r4RyjWyWG+A6RZjYdLIQmbaJ7288Har25L9kzWXuX9F0imeA9v4GAbVxaslni0CzmmuczFCqJzRWuH+oT4qHHiFmntpROJzjGEYUzmeKGehSG2GYYER0DMVdRpwuxdeLWx04PfGaP6Iq8VgjMRLRTig1MBmdeJCHgmm64ibgIDMwgEyymi0yMjoN4igyzvyYAxuV2s+qvODWY+niFI+VjpsfYmOFFxPQV2MkOnVkxa4u3X7jhGrMVlNKRn64E52d7x0G9xBHMvs8vYLzKEt77LmWUOxZQd6X+RFZuPOkRe0w1HO2bjPsTZrddgGAZFS8zyR03WLCfwkI8yBqwACYyN5MufZOkGN5mZH6Re9A=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR09MB8142.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b0187267-acf3-41cc-4de6-08db99355f89
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Aug 2023 00:04:31.7613 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR09MB6228
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/jlKj8qUTkRLaNHD20jgW1LnFQdw>
Subject: Re: [Sidrops] request to consider draft-spaghetti-sidrops-rpki-prefixlist for WG adoption
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 00:04:41 -0000

Hi Geoff:

My comments are marked with [KS]:

[GH] wrote (responding to Yangyang's scenario where it is shown that a hijacker owning AS3 can create a false PrefixList and take advantage):
"Not wrong, but not all that relevant either. If there is no ROA for a prefix then _any_ AS can originate a route to that prefix, and there is no ROA that can be used to say whether such an origination is authentic or not. That’s always been the case."

[KS]: The question is: Does the draft propose giving a higher authenticity to an ROV-unknown route if the apparent origin AS has the prefix included in its PrefixList versus another route for the same prefix with a different origin AS that does not have a PrefixList?

[KS]: If you give equal status to the two competing routes (one with an origin AS that has a PrefixList including the prefix and another with an origin AS that has no PrefixList; both routes are ROV-unknown), then the PrefixList is irrelevant (lacks a use case) for this scenario. However, only then the said hijacker does not gain any advantage over the legitimate announcement. 

[GH] wrote: "However, the prefix list can prevent others from accepting some forms of synthetic routes that would otherwise pass undetected. If a third party synthesised a route for 10.0.5.0/24, originated by AS1, then the valid prefix list signed by AS 1 would inform a relying party that 10.0.5.0/24 is not a route that AS 1 has acknowledged that it will originate, and the relying party may choose not to accept the route on that basis." 

[KS]: This is the classic case of AS hijacking as defined in the REAP draft. AS1 is being hijacked. It is being made to appear like it is hijacking a ROV-unknown prefix. ASPA-based path verification solves this problem only in the upstream path (Update received from a customer or lateral peer). REAP solves it more generally in any direction without side effects. PrefixList seems to solve it but not really... as explained below with examples.

[KS]: The prefix owner of 10.1.0.0/16 does not register any ROA. They originate the route from AS1. AS1 includes the /16 in its PrefixList. But if the prefix owner senses a hijack situation with the /16, they should have the liberty to deaggregate and announce two more specific prefixes: 10.1.0.0/17 and 10.1.128.0/17. At another time, the prefix owner may announce a more specific 10.1.1.0/24 (subsumed under the /16) for traffic engineering purposes. But according to your scheme above, AS1 (or any other RP along the AS path) will find these more specific prefixes not included in AS1's PrefixList. This seems to point to a design flaw. Does AS1 try to learn what more specific prefixes (subsumed under the /16)  may be announced in the future by the prefix owner? How can that information be collected by AS1 so it may include all possible more specific prefixes (in routes announced) out of the /16 into its PrefixList?

[GH] wrote (in the IETF 117 presentation slides): "Any route originated by this AS not contained in a validated RPKI Prefix List SHOULD be regarded as invalid". 

[KS]: This is similar to your earlier quoted statement and poses a problem as discussed below.

[KS]: When creating the PrefixList, is any attention paid by the AS owner to the ROAs of the prefixes being included? The following are examples of real ROAs using maxLength:

   AS2518, 2001:260::/32-48, apnic

   AS24560, 223.235.0.0/16-24, apnic
   AS9785, 223.164.0.0/16-24, apnic 

[KS]: If the ASes that originate the above prefixes include only the prefixes but not all the more-specific prefixes that are allowed due to the maxLength, then when the prefix owner choses to announce some of the more specific prefixes, they will be found to be Invalid by the PrefixList verification process and will be erroneously rejected. When the maxLength is much bigger than the prefix length in the ROA (though that is discouraged by RFC 9319), it is a very difficult task of enumerating and including the huge number of allowed more specific prefixes in the PrefixList! 

[KS]: A problem also arises when a prefix is actually originated by an AS but that AS's network engineer made a minor typo while typing in that prefix into the PrefixList. There may be other inconsistency issues between the PrefixList and the ROAs that are relevant to it. 

[KS]: No other comments below.

Sriram


-----Original Message-----
From: Geoff Huston <gih902@gmail.com> 
Sent: Wednesday, August 2, 2023 11:52 PM
To: Yangyang Wang <wangyy@cernet.edu.cn>
Cc: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>; sidrops@ietf.org
Subject: Re: [Sidrops] request to consider draft-spaghetti-sidrops-rpki-prefixlist for WG adoption

> On 2 Aug 2023, at 8:01 pm, Yangyang Wang <wangyy=40cernet.edu.cn@dmarc.ietf.org> wrote:
> 
> Dear Geoff and Sriram,
> 
> 
>> So lets say that:
>> 
>> 10.0.1.0/24 has a valid ROA authorising AS 1,
>> 10.0.2.0/24 has NO ROA at all,
>> 10.0.3.0/24 has a valid ROA authorising AS 2 (but NOT AS 1)
>> 10.0.4.0/24 has a valid ROA authorising AS 1,
>> 
>> and AS 1 has a valid prefix list with:
>>   10.0.1.0/24
>>   10.0.2.0.24
>>   10.0.3.0.24
> 
> And if AS 3 has a prefix list with:
>    10.0.2.0/24
>    10.0.5.0/24
> 
> For 10.0.5.0/24, no ROA and other Prefix List covers them due to partial deployment of ROA and Prefix List.
> 
> If a BGP speaker receives a route 10.0.2.0/24 originated by AS3, it can accept 10.0.2.0/24 because AS 3's Prefix List includes it and the validation of ROA is 'unknown'. Thus, AS 3 successfully creates a hijack if  AS 2 is the true originator for 10.0.2.0/24.  The same is true for 10.0.5.0/24.
> 
> pls correct me if I'm wrong.

Not wrong, but not all that relevant either. If there is no ROA for a prefix then _any_ AS can originate a route to that prefix, and there is no ROA that can be used to say whether such an origination is authentic or not. That’s always been the case.

However, the prefix list can prevent others from accepting some forms of synthetic routes that would otherwise pass undetected. If a third party synthesised a route for 10.0.5.0/24, originated by AS1, then the valid prefix list signed by AS 1 would inform a relying party that 10.0.5.0/24 is not a route that AS 1 has acknowledged that it will originate, and the relying party may choose not to accept the route on that basis.

v2.23.0 | Report a Bug | By Email