Re: [Sidrops] WG Adoption call draft-azimov-sidrops-aspa-verification

Alexander Azimov <a.e.azimov@gmail.com> Fri, 01 March 2019 10:25 UTC

Return-Path: <a.e.azimov@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBBAB130DE4; Fri, 1 Mar 2019 02:25:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o0vqQQhMuD2D; Fri, 1 Mar 2019 02:25:05 -0800 (PST)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39464130E2F; Fri, 1 Mar 2019 02:25:05 -0800 (PST)
Received: by mail-ot1-x32c.google.com with SMTP id t7so20477520otk.8; Fri, 01 Mar 2019 02:25:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MBHkpMRhUifqXIHzzd1cHjKifPM/PJ4H0ohSH4/EJv0=; b=PQ4Wj6FTHh76iwJJJvX1dsuB8r+ad3Bez/Jkx6j6/YHS5/9MQOsKqzt30Ge3GmTNzq NQaH+owEiP9Ve7sTgSSRYvY1imLqOJohjaTGm+2ebCeCpIByUBiSOGmUkURSzjDQx6lX +c9MU5IxkUzO6D763gg+L+yuf5uxR9zBw/Q9cXwpjpHf8HrjCGKlIgPohE3O0PsMGvH/ 7IdUSf3TAmg84Vu4RIe/d2mks3gCO7TNFMHqMMtdGn8RpZNywMQX9Dm7oBU/Jkp9i+Hb fxIGi1idQU607COPzKqQDoJcQa79QhQ6NAmr3ADwTQxg/xxBRc5OILYCZ7lU1YVj0V/b i87Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MBHkpMRhUifqXIHzzd1cHjKifPM/PJ4H0ohSH4/EJv0=; b=KNa/jjNkLvWKmMeEGT7T1OH7VuJDN64s/KRlKrFpRtBg3e664BL97uiG7iJlDJasaQ uVkHLFb21tIsh7/T/XwcHIBqxIU05aJAbj25cHDLS8Eskatg6UAcQiZCW7NRFYNEYb4Q iiQtqJr5GpfWdAj55jikKJD9MCuUBJWoU2CBxfK/lNCz3XMnctn0Q1UQSh1m0PJCGLAV f04ecRgMCkjx6YurLuFfxab9yGbOp3R1GzWZ2I8HSPQdZZFZaFjZrYZEixvu5Tq2fzNq ykuBp2fxnM30mh+yseyvI5itD06A3dL3cBrfwTq8sOj3NGLWZU2sgQt7Wkig0bQN7rOx LKZw==
X-Gm-Message-State: APjAAAVVB4F5q+UZddn1Ab0b2kOT/+LhyDRgVAEoqw32lVmF8FTDoTWw NqbpQZGndZfKs4gu0H/YtWewMduE/R/izhXpO9M=
X-Google-Smtp-Source: APXvYqxzYpAdUI2zt+VtD3UfuDR+LMw6ePu1ywY3nhVKQxuyHiwg9B0ygQXR0r0SxIylB4cOZ/RLy5n9aXdbRKOOdWk=
X-Received: by 2002:a9d:2c01:: with SMTP id f1mr2642517otb.311.1551435904047; Fri, 01 Mar 2019 02:25:04 -0800 (PST)
MIME-Version: 1.0
References: <SN6PR0901MB236620AD0F6209170C9BD9A384750@SN6PR0901MB2366.namprd09.prod.outlook.com> <CAEGSd=AF=1Tf0-fL5Cy6uRx71nA0sCuSYbtKCUKQEoNvw=8B3w@mail.gmail.com>
In-Reply-To: <CAEGSd=AF=1Tf0-fL5Cy6uRx71nA0sCuSYbtKCUKQEoNvw=8B3w@mail.gmail.com>
From: Alexander Azimov <a.e.azimov@gmail.com>
Date: Fri, 1 Mar 2019 13:24:52 +0300
Message-ID: <CAEGSd=CEUKDbuabEaqPznBvVa1kJ+9GgBD8y_YumoUDK=cdAQA@mail.gmail.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Cc: "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f3e05d058305d157"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/q0zyIHIfWYYx4b9jLt0jXCYNiZY>
Subject: Re: [Sidrops] WG Adoption call draft-azimov-sidrops-aspa-verification
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2019 10:25:09 -0000

In #1 I meant to say 'victim':

Can you please clarify to me next scenario with three ISPs:

   - Victim advertises /23 to Upstream, does use BGPSec, has ROA record
   with maxlength 24
   - Upstream, does use BGPSec
   - Attacker, advertises /24 that belongs to *Victim*, adds its ASN at the
   beginning of ASPath, doesn't use BGPSec

Will Upstream, according to RFC8205, accept the hijacked route from
Attacker?
Anyway, I'm open for discussion about proper wording here.

чт, 28 февр. 2019 г. в 20:53, Alexander Azimov <a.e.azimov@gmail.com>om>:

> Sriram,
>
> I'm glad to see your comments! Please see my answers below.
>
> Comment #1:
>>
>> I would strongly suggest deletion of the last two sentences of
>>
>> the second paragraph in the Intro section.
>>
>> You talk about downgrade attacks with BGPsec there.
>>
>> The two sentences in question are inconsistent with how
>>
>> incremental deployment of BGPsec really works.
>>
>> Please read RFC 8205 Section 7.9 -- the idea of contiguous BGPsec ASes.
>>
>> Regarding your attacker downgrading BGPsec comments,
>>
>> John Scudder also suggested to you in IETF 102,
>>
>> “It is not necessary to make that extreme claim for your proposal,
>>
>> if I were you, I wouldn’t.”  See video at ~48 minute mark:
>>
>> https://www.youtube.com/watch?v=LnXLB_MlpAs
>>
> Can you please clarify to me next scenario with three ISPs:
>
>    - Victim advertises /23 to Upstream, does use BGPSec, has ROA record
>    with maxlength 24
>    - Upstream, does use BGPSec
>    - Attacker, advertises /24 that belongs to Upstream, adds its ASN in
>    the beginning of ASPath, doesn't use BGPSec
>
> Will Upsream, according to RFC8205, accept hijacked route from Attacker?
> Anyway, I'm open for discussion about proper wording here.
>
>
>> Comment #2: Improvement of the algorithm for detection
>>
>> Consider this topology example:
>>
>>
>>
>>          AS3              AS5
>>
>>          /       \        /
>>
>>     AS2         AS4
>>
>>    /
>>
>> AS1
>>
>>
>>
>> The peering relations are C2P going up and P2C going down (in the pic).
>>
>> AS1, AS2 and AS4 have created ASPAs. AS3 has not created ASPA.
>>
>> Let us say AS4 accidentally leaks to AS5 the route received from AS3.
>>
>> The route’s AS_PATH is AS4 AS3 AS2 AS1.
>>
>> I think your algorithm (section 5) would fail to detect the leak.
>>
>> But I would suggest a modified algorithm which is as follows:
>>
>> At AS5, when it sees that AS3 does not have ASPA, it then considers
>>
>> the ASPA of the next more recent AS in the path which is AS4 here.
>>
>> From AS4’s ASPA, AS5 determines that AS3 is a provider of AS4,
>>
>> and hence successfully detects that the update is a route leak.
>>
>> So, I think the algorithm in section 5 needs to be modified per
>> suggestion above.
>>
> This suggestion sounds great but it has an issue. Imagine that AS3 and AS4
> have what is commonly named 'complex' relation. So they are both
> customer-provider to one another. And in your scenario, where only AS4
> creates ASPA it may result in rejection of valid routes, which will make
> AS4 quite unhappy...
>
>
>> Comment #3:
>>
>> In the figure below, AS1 originates p1 and AS2 originates p2.
>>
>> AS1 is a provider of AS2 for p1 and AS1 is a customer of AS2 for p2.
>>
>> AS1 announces p1 to AS2 as P2C. AS2 announces p2 to AS1 as P2C.
>>
>> AS3 is provider of AS2.
>>
>>
>>
>>                    ---------P2C------->
>>
>>                            p1 AS1
>> --->                                      -----p1 AS2 AS1--->
>>
>> AS1------------------(hybrid/complex)----------AS2---------- C2P
>> ----------->AS3
>>
>>                          <--- p2 AS2
>>
>>                    <---------P2C-------
>>
>> AS1 creates an ASPA: {AS1, AS2, IPv4}
>>
>> AS2 creates an ASPA: {AS2, AS1, IPv4}
>>
>>
>>
>> Now consider AS2 leaks route for p1 to AS3. Then AS3 is unable to detect
>> the leak.
>>
>> AS3 looks at the ASPA: {AS1, AS2, IPv4} and determines that AS1 is a
>> customer of AS2,
>>
>> and hence determines incorrectly that the Update: p1 AS2 AS1 is not a
>> leak.
>>
>> The ASPA scheme fails to work in this case for leak detection.
>>
>> This is a limitation of the ASPA scheme because ASPAs are per AFI and not
>> per prefix.
>>
> Fully agreed. Simplicity comes with its own cost.
> And that's why we still need community-based leak detection that can work
> per-prefix. And it's our duty as-coauthors (and my debt, which I need to
> admit) to finally push it forward.
> I'm going to add an explicit statement in the next version of the draft.
>
>
>> Comment #4: Not all malicious leaks / hijacks are detected
>>
>> In the topology below, AS2 leaks the path it learned from its peer AS4 to
>>
>> its provider AS3 with path modification to avoid route leak detection,
>>
>> or one may think of it as a hijack with feasible path insertion.
>>
>> In either case, the Update: p2 AS2 AS1 from AS2 to AS3 is
>>
>> illegitimate but defies detection despite all ASes participating in
>> ASPA.
>>
>>
>>
>>          AS3
>> AS5
>>
>>               \  p1 AS2 AS1                                     /
>>
>>                 \ p2 AS2 AS1                                 /
>>
>>                    \                                                 /
>>
>>                      \         <----p2 AS4 AS1--    /
>>
>>                        AS2 -------p2p----------AS4
>>
>>                           \                             /
>>
>>                              \ p1 AS1          /p2 AS1
>>
>>                                  \               /
>>
>>                                      AS1
>>
>>                                    (p1, p2)
>>
>>
>>
> Thinking about it as hijack adds simplicity to the picture. Customers may
> still be hijacked by its direct or indirect providers. While it
> significantly limits the attacker vector and highly unlikely to happen in
> the real world, it must be clearly stated in the draft. Pushed to stack.
>
>>
>> Comment #5: Path verification vs. path feasibility
>>
>> Based on the above examples, in the draft, perhaps it is better to say
>>
>> that the path is assessed feasible rather than say that the path is
>> verified.
>>
> I'm not a native speaker but for me 'feasibility' sounds a bit odd. I
> would be glad to learn other opinions from the wg members. Anyway, this
> question should not become a showstopper.
>
> Comment #6:
>>
>> In paragraph #1 in the Intro section, [I-D.ymbk-idr-bgp-eotr-policy] is
>> referenced.
>>
>> Based on WG consensus, we merged [I-D.ymbk-idr-bgp-eotr-policy] and
>>
>> [I-D.idr-route-leak-detection-mitigation] and the latter is the WG
>> document
>>
>> that we are working on together since April 2018.
>>
>> So, [I-D.idr-route-leak-detection-mitigation] is the more appropriate
>>
>> document to cite for the ongoing WG effort.
>>
> I don't think there was a need in such a detailed history of the question.
> :)
> Valid point. I'll change the link with the next update.
>
>
> --
> Best regards,
> Alexander Azimov
>


-- 
Best regards,
Alexander Azimov