Dear colleagues,
In the attachment, you can find a candidate to become the next version of
the route-leak-detection draft. It has changed that much, that authors
decided to discuss it in the WG before publishing it in the tracker.
The most important question that was reconsidered - what we should be done
with route leaks?
Previously we had hypotheses that certain circumstances we can't drop it
but should set pref to 0. The main reason was the next scenario:
- The prefix must have a single path to Tier1;
- The prefix must not have a less specific prefix with multiple paths
Tier1;
- The leak must affect this single path, so it must be inside single
path to Tier1;
- The prefix must be marked with leak detection signal;
- Immediate ISP that accepts leak must learn it from its customer;
- Immediate ISP that accepts leak must prefer leaked prefix;
- Immediate ISP that accepts leak should not use leak detection;
- Immediate ISP must keep detection signal;
- The upper provider must use leak detection.
In this specific case, the leaked prefix may experience DoS. To fight this
theoretical scenario we suggested to use pref = 0 for leaks that are
learned from customers + additional signal to distribute information.
But such an approach has a tradeoff - if leak affects prefixes that are not
globally visible pref = 0 policy will not stop its propagation. It quite
realistic TE - a common control community is to restrict announcements of
prefixes to selected/all peers, more specifics that are sent only to IXes
etc.
The pref = 0 is also incompatible with future security solutions such as
ASPA and BGPSec - both will require to reject route leaks (pref = 0 can be
abused by mimicking more specific hijacks to route leaks).
So, taking this highly unlikely motivation for pref = 0 and quite a
realistic side effects, it is suggested setting quite simple default
policy: all route leaks must be rejected. With this, we can also drop the
second signal. It also gave us the opportunity to integrate leak detection
and prevention into one community. So, to summarize major changes:
- A single community is used for both route leak prevention, and
detection;
- All route leaks MUST be rejected;
- L is removed since we don't need it in this case.
We haven't reached consensus among the editors yet, that's why it is quite
important to collect broader feedback from the community. I have also
already asked WG chairs to reserve a slot for this discussion during the
next meeting.
PS: It 3.5 pages long, please read it!
--
Best regards,
Alexander Azimov
IDR and SIDR K. Sriram, Ed.
Internet-Draft USA NIST
Intended status: Standards Track A. Azimov, Ed.
Expires: January 9, 2020 Yandex
July 8, 2019
Methods for Detection and Mitigation of BGP Route Leaks
draft-ietf-grow-route-leak-detection-mitigation-02
Abstract
Problem definition for route leaks and enumeration of types of route
leaks are provided in [RFC7908]. This document describes a new well
known large community that gives a way for both route leak prevention
and detection. The configuration process for these community can be
automated with BGP roles that are defined in ietf-idr-bgp-open-policy
draft.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Sriram & Azimov Expires January 9, 2020 [Page 1]
�
Internet-Draft Route Leak Detection and Mitigation July 2019
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Peering Relationships . . . . . . . . . . . . . . . . . . . . 2
3. Community vs Attribute . . . . . . . . . . . . . . . . . . . 3
4. Down Only Community . . . . . . . . . . . . . . . . . . . . . 4
5. Implementation Considerations . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 5
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
8. Informative References . . . . . . . . . . . . . . . . . . . 6
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 6
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
[RFC7908] provides a definition of the route leak problem and
enumerates several types of route leaks. For this document, the
definition that is applied is that a route leak occurs when a route
received from a transit provider or a lateral peer is forwarded
(against commonly used policy) to another transit provider or a
lateral peer. The commonly used policy is that a route received from
a transit provider or a lateral peer MAY be forwarded only to
customers.
This document describes a solution for prevention, detection and
mitigation route leaks which is based on conveying route-leak
detection information in a well known large community. Its
configuration policies MUST be defined according to peering relations
between ISPs. If BGP Roles described in
[I-D.ietf-idr-bgp-open-policy] are configured, community
configuration SHOULD be implemented in code of the routing software.
Described technique can be incrementally deployed. If a group of big
ISPs or/and IXes deploy proposed route marking, then they would be
helping each other by blocking route leaks that can happen between
them.
2. Peering Relationships
As described in [I-D.ietf-idr-bgp-open-policy] there are several
common peering relations between eBGP sessions:
o Provider - sender is a transit provider to neighbor;
Sriram & Azimov Expires January 9, 2020 [Page 2]
�
Internet-Draft Route Leak Detection and Mitigation July 2019
o Customer - sender is customer of neighbor;
o RS - sender is route server at internet exchange point (IX)
o RS-client - sender is client of RS at internet exchange point (IX)
o Peer - sender and neighbor are peers;
If a route is received from provider, peer or RS-client is MUST
follow 'only down' rule - it MAY be advertised only to customers. If
a route is sent to customer, peer or RS-client it also MUST follow
'only down' rule.
The common technique to implement internal 'only down' rule is to use
BGP communities, but these communities differ from network to network
and can be removed at the receipt. So, we need a standardized
transit signal that will prevent networks from leaking and tell a
remote ISP that receiving prefix violates 'only down' policy, thus
providing a way to stop the propagation of leaked prefixes.
To improve reliability such signal should be set on both sender and
receiver side.
3. Community vs Attribute
In this section will be discussed the advantages and disadvantages of
communities and BGP path attributes for the purpose of route leak
detection.
The transit path attribute seems to be a native way to implement
route leak detection signal. The way BGP process unknown transit
attributes guarantees that such a signal will pass through outdated
BGP implementations without any change. The main disadvantage lays
on a fact that deployment of new BGP attribute requires a software
update which may postpone wide adoption for years.
In opposite, communities don't require a software update. The main
disadvantage of communities is that its usage is highly overloaded.
They already have numerous applications: different types of route
marking, route policy control, blackholing and etc. That's why a
significant number of networks with purpose or accidentally are
removing communities on receipt, even well-known ones.
With the knowledge that route leaks can disrupt Internet connectivity
in the region or even globally the authors believe that it's better
to move forward with route leak detection using communities. The
harm that is done by route leaks isn't a theory - it's constantly
happening events.
Sriram & Azimov Expires January 9, 2020 [Page 3]
�
Internet-Draft Route Leak Detection and Mitigation July 2019
To nevilate listed disadvantages of community usage, we suggest using
large communities, which have much higher capacity, so it should be
less overloaded. We suggest reserving 4200000000 class for the
purpose of transit well-known communities that MUST not be stripped
on both ingress and egress filters. Also, policy violation is itself
result of absent or improper community configuration. So, the chance
that route-leak-detection community will pass through ISP that
already has configuration mistakes is increased.
While it's not part of this document the described below signal can
be easily translated into BGP path attribute.
4. Down Only Community
This section specifies exact semantics of route-leak-detection
community and its usage. The Down Only (DO) community MUST follow
next semantics:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 4200000000 (suggested global administrator) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 1 (suggested subclass for DO) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ASN who set the community |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Format of the DO Community using a Large Community
[RFC8092].
This community MUST have route policy configuration on both egress
and ingress filters.
The ingress policy MUST follow next procedure:
1. If a route with DO community set is received from Customer or RS-
client - it's a route leak and MUST be rejected. The procedure
halts.
2. If a route with DO community set is received from Peer and DO
value isn't equal to neighbor ASN - it's a route leak and MUST be
rejected. The procedure halts.
Sriram & Azimov Expires January 9, 2020 [Page 4]
�
Internet-Draft Route Leak Detection and Mitigation July 2019
3. If a route is received from Provider, Peer or RS the DO community
MUST be added with value equal to global administrator ID of the
neighbor (sender).
The egress policy MUST follow next procedure:
1. A route with DO community set MUST not be sent to providers,
peers and RS.
2. If route is sent to customer or peer DO community MUST be added
with value equal to global administrator ID of the sender.
These rules provide support for both route leak prevention and
detection.
5. Implementation Considerations
It was observed that the majority of BGP implementations doesn't
support negative match for communities like a:b:!c. In this case it
is suggested to replace second rule from ingress policy with next
one:
If a route with DO community set is received from Peer and DO value
is equal to neighbor ASN - it's a valid route, otherwise it is a
route leak. The procedure halts.
This rule is based on a weaker assumption that a peer that is doing
marking is also doing filtering. But in return, such rule can be
easily implemented with two consecutive matching rules.
6. Security Considerations
In specific circumstances at the state of partial adoption, route
leak detection mechanism can result in DoS for the victim prefix.
Such a scenario may happen only for prefixes that have a single path
from the originator to Tier1 and which is not covered with less
specific prefixes with multiple paths to Tier1. If, in such
unreliable topology, route leak is injected inside this single path
it may be rejected by upper providers, thus limiting prefix
visibility. While such anomaly is unlikely to happen, such an issue
should be easy to debug, since it directly affects the sequence of
originator's providers.
With the use of BGP community, there is often a concern that the
community propagates beyond its intended perimeter and causes harm
[streibelt]. However, that concern does not apply to the DO
community because it is a transitive community that must propagate as
far as the update goes.
Sriram & Azimov Expires January 9, 2020 [Page 5]
�
Internet-Draft Route Leak Detection and Mitigation July 2019
7. IANA Considerations
The draft suggests to reserve Global Administrator ID 4200000000 for
transit well-known large community registry. IANA is requested to
register DO community in the well-known large community [RFC8092]
registry.
8. Informative References
[I-D.ietf-idr-bgp-open-policy]
Azimov, A., Bogomazov, E., Bush, R., Patel, K., and K.
Sriram, "Route Leak Prevention using Roles in Update and
Open messages", draft-ietf-idr-bgp-open-policy-05 (work in
progress), February 2019.
[RFC7908] Sriram, K., Montgomery, D., McPherson, D., Osterweil, E.,
and B. Dickson, "Problem Definition and Classification of
BGP Route Leaks", RFC 7908, DOI 10.17487/RFC7908, June
2016, <https://www.rfc-editor.org/info/rfc7908>.
[RFC8092] Heitz, J., Ed., Snijders, J., Ed., Patel, K., Bagdonas,
I., and N. Hilliard, "BGP Large Communities Attribute",
RFC 8092, DOI 10.17487/RFC8092, February 2017,
<https://www.rfc-editor.org/info/rfc8092>.
[streibelt]
Streibelt et al., F., "BGP Communities: Even more Worms in
the Routing Can", ACM IMC, October 2018,
<https://archive.psg.com//181101.imc-communities.pdf>.
Acknowledgements
The authors wish to thank John Scudder, Susan Hares, Ruediger Volk,
Mat Ford, Greg Skinner for their review and comments.
Contributors
The following people made significant contributions to this document
and should be considered co-authors:
Sriram & Azimov Expires January 9, 2020 [Page 6]
�
Internet-Draft Route Leak Detection and Mitigation July 2019
Brian Dickson
Independent
Email: brian.peter.dick...@gmail.com
Doug Montgomery
USA National Institute of Standards and Technology
Email: do...@nist.gov
Keyur Patel
Arrcus
Email: ke...@arrcus.com
Andrei Robachevsky
Internet Society
Email: robachev...@isoc.org
Eugene Bogomazov
Qrator Labs
Email: e...@qrator.net
Randy Bush
Internet Initiative Japan
Email: ra...@psg.com
Authors' Addresses
Kotikalapudi Sriram (editor)
USA National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, MD 20899
United States of America
Email: ksri...@nist.gov
Alexander Azimov (editor)
Yandex
Ulitsa Lva Tolstogo 16
Moscow 119021
Russia
Email: a.e.azi...@gmail.com
Sriram & Azimov Expires January 9, 2020 [Page 7]
_______________________________________________
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow
