[Sidrops] Improvements in RPKI ensuring backward compatibility - Would be possible?

Douglas Fischer <fischerdouglas@gmail.com> Mon, 01 March 2021 11:51 UTC

Return-Path: <fischerdouglas@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 778693A1AAF for <sidrops@ietfa.amsl.com>; Mon, 1 Mar 2021 03:51:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.195
X-Spam-Level:
X-Spam-Status: No, score=-0.195 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1th9HXuluLII for <sidrops@ietfa.amsl.com>; Mon, 1 Mar 2021 03:51:20 -0800 (PST)
Received: from mail-oo1-xc2d.google.com (mail-oo1-xc2d.google.com [IPv6:2607:f8b0:4864:20::c2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7773A3A1A93 for <sidrops@ietf.org>; Mon, 1 Mar 2021 03:51:20 -0800 (PST)
Received: by mail-oo1-xc2d.google.com with SMTP id f26so3879905oog.5 for <sidrops@ietf.org>; Mon, 01 Mar 2021 03:51:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=bKI9ktzS3ulal1+LmMZ56yg5jGFbMxS/ovvGijbSheY=; b=I0O9C5UepelSEcabe8fuigyryo4kJ/0PHiddbJdH58y/EDqoRL3/mB0ktRpk60QiU1 +9X+wXm8oTnQ5C459igBUmJd/Yc/T5oWQMigXAW3mBAnH+tUv1/GFshpmk7YR4DNctyR YtqBzkLLdCkc7z/Yb7lBaz4vtLhlsfqbkqp0DRGWy6lJVJ9p6W3Q2unvzvAqKIhFxXoU s3+gDaq5/gG7+kG3q5qaRQw3RtLI3P5ZjyB7GHvcTvXoh/tgRgCKkPltyD0nFpaJimb3 7SKmcIyYR5p/ifeVRS2pdQpusD9XgdEeFh/RP9SbcDiXqfnFJz7thQ9zXS+JzFcVLt4+ DcBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=bKI9ktzS3ulal1+LmMZ56yg5jGFbMxS/ovvGijbSheY=; b=hV5IxtjZI/mSxrMyA6TuqZuuXAEf4TD/vYx6/Kr08CH5G7K9MECh3Pp6mNycjzuX7X BNTdSJNu1jty29Z+SplMoBOlguz/vFGvgFL2bDFNXmfddPF6wNYBLYKnaXDf3bE7U6K5 ezqcWKDkj3Fu6IkxjviWuMvmfDK9wue0PgsE3+U1/4DE/4heOMJ7vzjQn8foliBoFVHh yp6Jyqxqup7ekjg8g0ofXml2HklqjICKCf5DTqFI6gYhTvUPFpkNiltaeC/r5XyCp0uj Ne4AVddUw3WRv8SrQF1+wJ9gWiPu27pznqJsNPF+Qsmh3CGJCCPZYo1cIY1hNXw0qwmr JONA==
X-Gm-Message-State: AOAM531fCRfVpnogrepSv9D0CFNk81hrspS7odMMRDkYXcW6rEYj/xMh YjsV7hVE+ZRyF5P/mRPls6Hcwxwp+YVc+IlhIV8IoIDiDu8=
X-Google-Smtp-Source: ABdhPJx0CfIjBaYFEzfzVG/ZMvrzL7fE8qJpb9xmZuvXuigC4WLYyag8RPOKAZfFa6+KghGLmzRAMYF3o+7qC3wIk8g=
X-Received: by 2002:a4a:6c19:: with SMTP id q25mr12326739ooc.42.1614599478352; Mon, 01 Mar 2021 03:51:18 -0800 (PST)
MIME-Version: 1.0
References: <CAKEr4RQ-qb1yffNJahjVH-bRQ1+uAp+LfX+CasF5ZCa0yqSMyQ@mail.gmail.com> <20210223114202.uvfpmtz7jf52jvao@benm-laptop>
In-Reply-To: <20210223114202.uvfpmtz7jf52jvao@benm-laptop>
From: Douglas Fischer <fischerdouglas@gmail.com>
Date: Mon, 1 Mar 2021 08:51:10 -0300
Message-ID: <CAKEr4RRkiJfvS=8tAqJfQOuV6D1_C6An1323PzOx=bDv8MTJ8A@mail.gmail.com>
To: sidrops@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005c9f7705bc783c2b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/vbfKT9yduwAtTNQVBoc5KCRPkmM>
Subject: [Sidrops] Improvements in RPKI ensuring backward compatibility - Would be possible?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 11:03:35 -0000

I recently sent this email(below) to the NLNetLabs RPKI list.
https://lists.nlnetlabs.nl/pipermail/rpki/2021-February/000261.html

And I was recommended to bring this topic to sidrops.


I am not yet familiar with the M.O. of this community, so I apologize and
accept guidance for any inappropriate behavior.

I am concerned to keep the healthy use of RTBH viable...
I know that this is not the best mechanism to solve problems with DDoS and
similar.
But in practice, it ends up being the most cost-effective tool for the
operator of the ASN itself that is being targeted by what I call "silly
attacks" to react and evade those attacks.

The purpose of this email is to present two possibilities that I have been
imagining for some time as good measures for RPKI.

Note: As I know that I am locked in the point of view of those who only see
the positive side of an idea ... I am open to seeing the negative side of
these ideas.

-----
1 - Increase the levels, officially in the protocol, the status of a route
based on the RPKI, Specially of Invalid Status.
-----
In the email below, this concept is reasonably well described.
I kindly ask you to read this detail below.

This is already possible to implement today if the protocol is "sliced" a
little, but it needs to be done using specific ROA validator engines, and
it needs to be done on a host that allows you to execute specific code,
which prevents this from being natively implemented and standard routers on
the market.

The idea is to give the ASN operator the autonomy to decide (on
routing-filter policies) what to do with some route, based on the detailed
RPKI status of that route.


P.S .: I have observed that other initiatives are inclined to go the same
way of further analyzing the status of the Route based on ROA. Unless
mistaken, there are discussions about this in projects involving some
Route-Server used by several IXPs to improve Police-Filtering of RTBH.

-----
2 - Add the possibility of using the "minimum prefix length" attribute in
RPKI ROAs.
-----
With that, I believe that the reality of the routes generated by the ASNs
would be better represented. In addition to allowing ROAs exclusively
created for RTBH and the like to be created.

Ex.1: An organization with an IPv4 / 16 block will rarely advertise this
block only with a single route. Whether for geographic reasons or for
routing strategy, it will probably advertise this in / 18-20 block.
Ex.2 .: This same organization may want to tell the world that Routes
originated by its own ASN, or by ASNs of scrubing companies, of the prefix
of this / 16 with the mask "LE 32" "GE 32" are valid.



Thanks in advance for your patience and comprehension.

--
Douglas Fernando Fischer
Engº de Controle e Automação


Em ter., 23 de fev. de 2021 às 08:42, Ben Maddison <benm@workonline.africa>
escreveu:

> Hi Douglas,
>
> On 02/23, Douglas Fischer via RPKI wrote:
> > I don't know if this is the best forum to discuss this ...
> > If not, I apologize.
> >
> The SIDROPS WG list would probably be a better bet, but we can start
> here!
>
> > So far I was not aware of this draft, which already has 6 versions, and
> is
> > heading towards the final version.
> >
> > https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-06
> >
> > As far as I could understand, the main reason for proposing this draft is
> > to enable a safe and fast way to make the security of the RPKI origin
> > validation also include the cases of RTBH ads that are generally of
> unique
> > IPs (/ 32 or / 128 ).
> >
> I think that you have misunderstood the intention of the draft, and in
> particular the latest version (which made substantial changes to the
> section that deals with RTBH).
>
> The point of the draft is to call attention to that fact that creating
> ROAs which permit the origination of more-specific prefixes than are
> usually present in the DFZ creates an attack vector that can be
> exploited by hijackers.
>
> E.g. if I create a ROA:
>     41.78.188.0/22, maxLength: 24, asID: 37271
> But then only originate:
>     41.78.188.0/22, AS_PATH 37271
>
> Then an attacker can announce:
>     41.78.191.0/24, AS_PATH 666_37271
>
> And will likely succeed in becoming the best path.
>
> It was observed that this issue is particularly present in ROAs where
> the issuer had made use of the maxLength field - hence the title of the
> draft.
>
> The draft also points out that because RTBH routes are typically for
> much longer prefixes, operators might be tempted to use maxLength to
> allow those routes to be ROV valid, and that doing so is a bad idea,
> because it creates the above attack vector.
>
> It doesn't try to propose any solution to the real issue of how ROV/RTBH
> should co-exist beyond that.
>
> If you think that any of the above could be made clearer in the current
> text, please feel free to propose changes.
>
> > Honestly, so far I am undecided as to whether this is the best
> methodology
> > for such a solution.
> >
> > Until now I was adopting (especially for route-servers) the methodology
> of
> > further analyzing the possible status of RPKI.
> > - Valid -> complements do not fit
> > - Unknown -> complements do not fit
> > - Invalid -> by previous ROA Date
> > - Invalid -> by Later ROA Date
> > - Invalid -> by ASN of Origin
> > - Invalid -> for less specific mask
> > - Invalid -> by more specific mask
> >
> > Thus, in the route filtering tests received against Blackhole I was using
> > the following logic:
> >
> > If (is into AS-SET My-Customer) and \
> >    (has Black-Hole-Community) and \
> >    ((is IPv4 and is /32) or (is IPv6 and is /128)) and \
> >    ((is RPKI Valid) or (is RPKI unknow) or (is RPKI invalid by mas more
> > specific)) then \
> >    accept as Blackhole...
> >
> > P.S.: This is a very summarized way to express the logic... I had to do
> > some gymnastics to implement it... Converting RPKI JSONs belonging to
> each
> > AS-SET to Prefix-lists.
> >
> That algorithm looks mostly sensible, and roughly similar to how we
> (AS37271) are planning to implement this in the next couple of months.
>
> However, I'd like to stress that is *not* proposed in
> draft-ietf-sidrops-rpkimaxlen.
> Doing that would require an update to RFC6811, and I would argue
> strongly against it!
>
> Cheers,
>
> Ben
>


-- 
Douglas Fernando Fischer
Engº de Controle e Automação