Re: [Sidrops] Path validation with RPKI

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Mon, 01 July 2019 16:48 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C2851206A7; Mon, 1 Jul 2019 09:48:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAu6A5XxndUN; Mon, 1 Jul 2019 09:48:07 -0700 (PDT)
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (mail-eopbgr840130.outbound.protection.outlook.com [40.107.84.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00E5B1206A3; Mon, 1 Jul 2019 09:47:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nqeP+W1yVAJpfL0loqlmwoFA8sIhFjwPyGX7T/FJLZ8=; b=tbs8J1lFRGnwROb+8HxVHYw/yp5dPrIdwwGOcQn9l3yBZIPp+GONJaCQENDeqGNM/TZua9MrcGWC54I8MSh6Tvmt2ZP9o3AlT9w4d8OncbxbE/trnBHfgUw4sqDSn7VbpE0n/eA3/1/qLGI6/8PqPc/SUgYRyyv5+wICTDo9mhc=
Received: from DM6PR09MB3019.namprd09.prod.outlook.com (20.178.2.203) by DM6PR09MB2763.namprd09.prod.outlook.com (20.176.97.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.20; Mon, 1 Jul 2019 16:47:54 +0000
Received: from DM6PR09MB3019.namprd09.prod.outlook.com ([fe80::146b:72d7:952f:2424]) by DM6PR09MB3019.namprd09.prod.outlook.com ([fe80::146b:72d7:952f:2424%7]) with mapi id 15.20.2032.019; Mon, 1 Jul 2019 16:47:54 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Iljitsch van Beijnum <iljitsch@muada.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>, "grow@ietf.org" <grow@ietf.org>
Thread-Topic: [Sidrops] Path validation with RPKI
Thread-Index: AQHVMBrl1W3p3kqzpUmY8Mpnbpsql6a16dbg
Date: Mon, 1 Jul 2019 16:47:54 +0000
Message-ID: <DM6PR09MB30198B5B356A7FB5838F3C6584F90@DM6PR09MB3019.namprd09.prod.outlook.com>
References: <DM6PR09MB3019C087BDBE27633C6641F584FD0@DM6PR09MB3019.namprd09.prod.outlook.com> <E8CEC9C2-8C7C-4AAA-B307-97F7D77C3EAA@muada.com>
In-Reply-To: <E8CEC9C2-8C7C-4AAA-B307-97F7D77C3EAA@muada.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.140.161]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ec9e7bb6-c90a-4cf0-e5bf-08d6fe43dd0e
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:DM6PR09MB2763;
x-ms-traffictypediagnostic: DM6PR09MB2763:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <DM6PR09MB2763D56E2978D1207ABACD7E84F90@DM6PR09MB2763.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00851CA28B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(366004)(376002)(136003)(396003)(189003)(31014005)(199004)(51444003)(6916009)(8676002)(81166006)(81156014)(66946007)(6506007)(229853002)(6436002)(73956011)(66446008)(66556008)(66476007)(7736002)(2906002)(64756008)(52536014)(74316002)(66066001)(3846002)(6116002)(102836004)(76116006)(478600001)(8936002)(86362001)(966005)(76176011)(446003)(476003)(55016002)(7696005)(316002)(6246003)(33656002)(71200400001)(14454004)(9686003)(486006)(71190400001)(186003)(68736007)(305945005)(25786009)(5660300002)(6306002)(256004)(14444005)(4326008)(99286004)(26005)(11346002)(54906003)(53936002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR09MB2763; H:DM6PR09MB3019.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: bN9jsp1DWoyU5cRKboOdtp+AHQ1sZVjtNtjfCl977dbupO3ozkdqU6+CHSdXOt2cApRSBJ1I+ltYtQWViLw3sJG+6Id1t4dviBmzBhP1I8hSmOYYj0kjeWTh6YmSFmmEjt2K9/jbwjlyVCsrfQ6VSiu4++Ip17tlNRk8CF4NH2r7qyWZv+erAbS4uR6nDIUQuWSDBv7f7nlVcyG1HDuc5irkHN09HknslZ8OgHluwf7npmLXFoj1fKfaYqZqKKLd7dj26fPHhj+Ur11eIRcuDV6O6hHSHlKGDg6lMeVqTIUyiCaXSIJMC0/98Gv//UwHQq3gpz0wEv4Gb/XXphSeAeV6a49+hvzA+O46hDWJmm0byNgiMuzf9cXFUJ7N7rb6TeqzuPvKqdpwlC5piJNb+MwuLGf8Tq/5H+K/hGIs6Xk=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: ec9e7bb6-c90a-4cf0-e5bf-08d6fe43dd0e
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Jul 2019 16:47:54.2769 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ksriram@nist.gov
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR09MB2763
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/REgiOlEOY28bIgKFSUEYh-25ES4>
Subject: Re: [Sidrops] Path validation with RPKI
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2019 16:48:11 -0000

[Including GROW list because some members there would be interested
given the RLP draft has home in GROW] 

Iljitsch,

>> Just in case you are not aware, there is another effort in the GROW WG 
>> for route leaks solution:
>> https://tools.ietf.org/html/draft-ietf-grow-route-leak-detection-mitigation-00   

>Indeed, I wasn't aware of this one.
-- snip --
> 
> I think that could work well. But: I have two issues:
> 
> The first issue: this uses the large communities feature. I'm not sure how this is
> implemented, but with regular communities, routers must sometimes be
> configured to propagate them, and can be configured to _not_ propagate
> them. If this is the same for large communities, then the feature won't be as
> robust as it could be, as the community may not be propagated over eBGP
> sessions. And less than well meaning networks have plausible deniability "oh
> no we turn off large communities because of ...".

The current feeling in GROW is that it is possible to make transitivity work for 
Large Communities. Ruediger talks about providing strong policy
guidance for operators about this.  

> 
> So it would be better to make this its own transitive path attribute. The BGP
> spec is very clear on how these need to be propagated.
> 
> Second, this is makes the whole thing not work:
> 
>    2.  Else, when propagating a route that already includes a DO (i.e.,
>        was received with a DO) to a customer or lateral peer, replace
>        the DO value with the local ASN.
> 
> So assume the following path:
> 
> 5 4 3 2 1
> 
> With 5 being the validating AS (which would normally not show up in the AS
> path) and 1 being the origin AS. Now suppose the relationships are:
> 
> 5 ^ 4 \ 3 ^ 2 \ 1
> 
> AS 2 includes DO=2. So if AS 5 has access to that information, it can determine
> that this is an invalid path. However, AS 4 replaces DO=2 with DO=4. However,
> now AS 5 only gets to see that the prefixes it gets from AS 4 are from peering,
> which is not news to AS 5. The actionable fact that AS 2 was sending the prefix
> in question over peering and that prefix is now leaked by AS 4 is now hidden
> from AS 5, so AS 5 is not in the position to take any action.
> 

AS5 can take action. No issue there. I'll explain.
Is 3 not doing RLP? If 3 is doing RLP, it would not propagate the update to 4.
But to try to get to your point, let us say 3 is not participating in RLP
and leaked the update to 4. Now, 4 detects the update to be a route leak
because it does not expect a DO set in a route received on a customer link.
If 4 has an alternate path for the prefix that is clean (not route leak),
it would prefer that. Else, 4 accepts and propagates the leaked route from 
3 (customer) in order to avoid unreachability. Yes, 4 replaces DO=2 with DO=4,
but there is something more that 4 does. The draft specifies (p. 5):

   2.  Leak detected (L) indication: ASN of the first RLP-aware AS in
       the path to assert that it forwarded the route from a customer or
       lateral peer despite detecting a leak (to avoid unreachability).

So 4 also adds L = 4. This L informs 5 that the route is tainted (Leaked).
5 would prefer an alternate route that is clean, if available.
So, yes, 5 can take action.

This will become even more clear if you take look at slide 14, scenario 2
in our scenario analyses slide deck:
https://www.nist.gov/sites/default/files/documents/2018/10/22/rlp_using_bgp_community-v4.pdf 

> What needs to happen is that the community or attribute is ONLY added when
> it's not present and a prefix is sent over a ^ or / relationships, and then
> subsequently never touched.

We did consider this. But it is not necessary because L 
prevents what you apprehended. 
It was felt that DO should convey the latest AS that needs to assert down only.
In general, that AS is in closer proximity to the receiver in question
than the very first AS that initially set DO.

> 
> > You mention, "We implement this by extending RPKI ROAs so that
> > in addition to the origin AS, they also list all possible transit ASes."
> > The idea of "extended ROA" was considered during BGPsec
> > design discussions. See Section 6.5.2, list item #3 in RFC 8374:
> > https://datatracker.ietf.org/doc/rfc8374/ 
-- snip --
> > The extended ROA was proposed to include the transit AS of the origin AS.
> > The purpose was to make it easier for resource-constrained stub ASes
> > to participate in BGPsec without incurring the upgrade costs.
> 
> It says:
> 
>        This approach was rejected due to possible complications with the
>        creation and use of a new RPKI object, namely, the extended ROA.
> 
> What would be the possible complications with creating such extended ROAs?
> Obviously there is some extra work, but I can't imagine any show stoppers.

It was many years ago (the design phase). 
I think it was just the extra work that concerned us.

>  -- snip --
> Iljitsch

Thanks,

Sriram