Re: [Sidrops] Improvements in RPKI ensuring backward compatibility - Would be possible?

Job Snijders <job@fastly.com> Tue, 02 March 2021 13:14 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A04383A17C4 for <sidrops@ietfa.amsl.com>; Tue, 2 Mar 2021 05:14:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W2975a-bWvb0 for <sidrops@ietfa.amsl.com>; Tue, 2 Mar 2021 05:14:55 -0800 (PST)
Received: from mail-ed1-x542.google.com (mail-ed1-x542.google.com [IPv6:2a00:1450:4864:20::542]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BEAF3A17C2 for <sidrops@ietf.org>; Tue, 2 Mar 2021 05:14:55 -0800 (PST)
Received: by mail-ed1-x542.google.com with SMTP id dm26so1525013edb.12 for <sidrops@ietf.org>; Tue, 02 Mar 2021 05:14:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=gMX0ow10PhEwHVyYgoIyehu2+9awkPUwZ5iCh5aflNE=; b=fLEHs+OjpVIiJ/UVl2pRytToNtxfwgaNI7ZzQ8hmTos6ToKYuMjKl97GY0ogVIMf6K LOVTdQYZXVEpLQ39Z071xkpXQh8LYC4Aw+OqNC5DUZOUPIom9MkC75GOJEhXrKqsTHi8 tfFAzfgHTHxXwJdplpIkavI8PG/dWxckZcbgA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=gMX0ow10PhEwHVyYgoIyehu2+9awkPUwZ5iCh5aflNE=; b=uiS8Dq2wW0q2XNsF+0lf74bun2RymzSN1kE53utWZ1NmcCClCSQMWsG9ZDmjidUsvt W5Rvpk9SWjUcW9LOfUOJ/fZgQrxuUprTq0+LmXgrergsrN/TghN92nLjCLroyWP8ngl2 lRFZzxpURsXPX4IG2Z5ktmCDlAHon12LhVuZgdXIYcPHDzS+uUBsV6zCrQX+LGpRK6X/ /tHJT4ofTd9jKsastZjgqG7BlYoXfExHiY4AWilwwnuEbRvk5peB6uMvTkhpinq5/Yq5 XDKxuObD/jfmobbWzVV/YldQ+h4xaY9/Uh7UuPFlXJvD5DivCVUkRETin+eTOAbiAQON EE/w==
X-Gm-Message-State: AOAM533fTN+brgNfnUevazH4IjXogx6Nt9NaHTPBiLLgx1qROrSSkF9R UepocXXJlS1dG74Stt6B2Ava6A==
X-Google-Smtp-Source: ABdhPJzxDrjT9iMGG4u1mWL3qTRCnk9CNmCOkfNKTHHHt/2f4ngGhkR1jObkgicL3JIzgonSwR9Png==
X-Received: by 2002:a05:6402:1517:: with SMTP id f23mr9100740edw.272.1614690890819; Tue, 02 Mar 2021 05:14:50 -0800 (PST)
Received: from snel (mieli.sobornost.net. [45.138.228.4]) by smtp.gmail.com with ESMTPSA id jj15sm13743522ejc.99.2021.03.02.05.14.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Mar 2021 05:14:50 -0800 (PST)
Date: Tue, 2 Mar 2021 14:14:48 +0100
From: Job Snijders <job@fastly.com>
To: Douglas Fischer <fischerdouglas@gmail.com>
Cc: sidrops@ietf.org
Message-ID: <YD46SBdVWihwahgU@snel>
References: <CAKEr4RQ-qb1yffNJahjVH-bRQ1+uAp+LfX+CasF5ZCa0yqSMyQ@mail.gmail.com> <20210223114202.uvfpmtz7jf52jvao@benm-laptop> <CAKEr4RRkiJfvS=8tAqJfQOuV6D1_C6An1323PzOx=bDv8MTJ8A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAKEr4RRkiJfvS=8tAqJfQOuV6D1_C6An1323PzOx=bDv8MTJ8A@mail.gmail.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/v0tVaVcT2WHe9vW2x_GKg52KX-E>
Subject: Re: [Sidrops] Improvements in RPKI ensuring backward compatibility - Would be possible?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 13:14:59 -0000

Dear Douglas,

The negative side: I suspect there will not be much interest in changing
the Route Origin Authorizations profile, because that profile is already
widely used and has a specific meaning which has been implemented in
many many software systems. It is not possible at this stage of the game
to change ROA data structure or the meaning of ROAs!

The GOOD news:

Work in under way to harmonize RPKI & BGP blackholing. The IETF's draft
submission window currently is closed, but as soon as it opens, I will
upload a document detailing a possible way forward. (1 or 2 weeks from
now)

The proposal envisions a mechanism which will be easy to deploy on BIRD
or OpenBGPD and other modern BGP implementations.

Stay tuned!

Kind regards,

Job


On Mon, Mar 01, 2021 at 08:51:10AM -0300, Douglas Fischer wrote:
> I recently sent this email(below) to the NLNetLabs RPKI list.
> https://lists.nlnetlabs.nl/pipermail/rpki/2021-February/000261.html
> 
> And I was recommended to bring this topic to sidrops.
> 
> 
> I am not yet familiar with the M.O. of this community, so I apologize and
> accept guidance for any inappropriate behavior.
> 
> I am concerned to keep the healthy use of RTBH viable...
> I know that this is not the best mechanism to solve problems with DDoS and
> similar.
> But in practice, it ends up being the most cost-effective tool for the
> operator of the ASN itself that is being targeted by what I call "silly
> attacks" to react and evade those attacks.
> 
> The purpose of this email is to present two possibilities that I have been
> imagining for some time as good measures for RPKI.
> 
> Note: As I know that I am locked in the point of view of those who only see
> the positive side of an idea ... I am open to seeing the negative side of
> these ideas.
> 
> -----
> 1 - Increase the levels, officially in the protocol, the status of a route
> based on the RPKI, Specially of Invalid Status.
> -----
> In the email below, this concept is reasonably well described.
> I kindly ask you to read this detail below.
> 
> This is already possible to implement today if the protocol is "sliced" a
> little, but it needs to be done using specific ROA validator engines, and
> it needs to be done on a host that allows you to execute specific code,
> which prevents this from being natively implemented and standard routers on
> the market.
> 
> The idea is to give the ASN operator the autonomy to decide (on
> routing-filter policies) what to do with some route, based on the detailed
> RPKI status of that route.
> 
> 
> P.S .: I have observed that other initiatives are inclined to go the same
> way of further analyzing the status of the Route based on ROA. Unless
> mistaken, there are discussions about this in projects involving some
> Route-Server used by several IXPs to improve Police-Filtering of RTBH.
> 
> -----
> 2 - Add the possibility of using the "minimum prefix length" attribute in
> RPKI ROAs.
> -----
> With that, I believe that the reality of the routes generated by the ASNs
> would be better represented. In addition to allowing ROAs exclusively
> created for RTBH and the like to be created.
> 
> Ex.1: An organization with an IPv4 / 16 block will rarely advertise this
> block only with a single route. Whether for geographic reasons or for
> routing strategy, it will probably advertise this in / 18-20 block.
> Ex.2 .: This same organization may want to tell the world that Routes
> originated by its own ASN, or by ASNs of scrubing companies, of the prefix
> of this / 16 with the mask "LE 32" "GE 32" are valid.
> 
> 
> 
> Thanks in advance for your patience and comprehension.
> 
> --
> Douglas Fernando Fischer
> Engº de Controle e Automação
> 
> 
> Em ter., 23 de fev. de 2021 às 08:42, Ben Maddison <benm@workonline.africa>
> escreveu:
> 
> > Hi Douglas,
> >
> > On 02/23, Douglas Fischer via RPKI wrote:
> > > I don't know if this is the best forum to discuss this ...
> > > If not, I apologize.
> > >
> > The SIDROPS WG list would probably be a better bet, but we can start
> > here!
> >
> > > So far I was not aware of this draft, which already has 6 versions, and
> > is
> > > heading towards the final version.
> > >
> > > https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-06
> > >
> > > As far as I could understand, the main reason for proposing this draft is
> > > to enable a safe and fast way to make the security of the RPKI origin
> > > validation also include the cases of RTBH ads that are generally of
> > unique
> > > IPs (/ 32 or / 128 ).
> > >
> > I think that you have misunderstood the intention of the draft, and in
> > particular the latest version (which made substantial changes to the
> > section that deals with RTBH).
> >
> > The point of the draft is to call attention to that fact that creating
> > ROAs which permit the origination of more-specific prefixes than are
> > usually present in the DFZ creates an attack vector that can be
> > exploited by hijackers.
> >
> > E.g. if I create a ROA:
> >     41.78.188.0/22, maxLength: 24, asID: 37271
> > But then only originate:
> >     41.78.188.0/22, AS_PATH 37271
> >
> > Then an attacker can announce:
> >     41.78.191.0/24, AS_PATH 666_37271
> >
> > And will likely succeed in becoming the best path.
> >
> > It was observed that this issue is particularly present in ROAs where
> > the issuer had made use of the maxLength field - hence the title of the
> > draft.
> >
> > The draft also points out that because RTBH routes are typically for
> > much longer prefixes, operators might be tempted to use maxLength to
> > allow those routes to be ROV valid, and that doing so is a bad idea,
> > because it creates the above attack vector.
> >
> > It doesn't try to propose any solution to the real issue of how ROV/RTBH
> > should co-exist beyond that.
> >
> > If you think that any of the above could be made clearer in the current
> > text, please feel free to propose changes.
> >
> > > Honestly, so far I am undecided as to whether this is the best
> > methodology
> > > for such a solution.
> > >
> > > Until now I was adopting (especially for route-servers) the methodology
> > of
> > > further analyzing the possible status of RPKI.
> > > - Valid -> complements do not fit
> > > - Unknown -> complements do not fit
> > > - Invalid -> by previous ROA Date
> > > - Invalid -> by Later ROA Date
> > > - Invalid -> by ASN of Origin
> > > - Invalid -> for less specific mask
> > > - Invalid -> by more specific mask
> > >
> > > Thus, in the route filtering tests received against Blackhole I was using
> > > the following logic:
> > >
> > > If (is into AS-SET My-Customer) and \
> > >    (has Black-Hole-Community) and \
> > >    ((is IPv4 and is /32) or (is IPv6 and is /128)) and \
> > >    ((is RPKI Valid) or (is RPKI unknow) or (is RPKI invalid by mas more
> > > specific)) then \
> > >    accept as Blackhole...
> > >
> > > P.S.: This is a very summarized way to express the logic... I had to do
> > > some gymnastics to implement it... Converting RPKI JSONs belonging to
> > each
> > > AS-SET to Prefix-lists.
> > >
> > That algorithm looks mostly sensible, and roughly similar to how we
> > (AS37271) are planning to implement this in the next couple of months.
> >
> > However, I'd like to stress that is *not* proposed in
> > draft-ietf-sidrops-rpkimaxlen.
> > Doing that would require an update to RFC6811, and I would argue
> > strongly against it!
> >
> > Cheers,
> >
> > Ben
> >
> 
> 
> -- 
> Douglas Fernando Fischer
> Engº de Controle e Automação

> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops